Slashdot Mirror


Peter Sunde Wants To Create Alternative To ICANN

An anonymous reader writes "According to Peter Sunde's Twitter feed, he has been suspicious of ICANN for a long time. The non-profit corporation is tasked with managing both the IPv4 and IPv6 address spaces as well as handling the management of top-level domain name space including the operation of root nameservers. Sunde has lost a domain in the past because of the way ICANN acted. It was taken without any consultation on their part; instead, the organization relied on information from recording industry group IFPI to change the domain ownership. But it seems for some reason his frustration has come to a head recently, and he has put a call out for help to create a competing root server."

276 comments

  1. You can't compete with root. by LostCluster · · Score: 4, Insightful

    The ROOT domain system is just that, it's trusted because well, if we didn't trust somebody at #1 this whole thing wouldn't work. You can't have a competing .com, .net, .org registry... sure, you could declare your own TLD and be root of that but, well, we don't trust you as much as we trust ICANN because, well, they've been root for a while now and haven't blown it that badly.

    1. Re:You can't compete with root. by bbtom · · Score: 3, Insightful

      If redirecting NXDOMAIN to partnered search results pages and killing a bunch of anti-spam scripts and endorsing ridiculously stupid shit like .eco, .xxx, .jobs and .tel happen wasn't enough for ICANN to have "blown it", complying with a Department of Homeland Security request to remove a bunch of domains that contained material that infringes copyright should be the nail in the coffin for the useless stuffed shirts at ICANN.

      ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    2. Re:You can't compete with root. by Glendale2x · · Score: 4, Informative

      If redirecting NXDOMAIN to partnered search results pages

      VeriSign != ICANN

      --
      this is my sig
    3. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      If redirecting NXDOMAIN to partnered search results pages

      VeriSign != ICANN

      And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

      IETF, IANA, the RIRs, etc. all seem to work well without having some legal entity with a bunch of corporate bullshit. The suits have managed to royally fuck things up at ICANN.

      I agree with the GP: money has generally corrupted the process which should be a simply technical matter of updating a simple list of TLDs as countries have come and gone according to ISO 3166-1 alpha-2. The bureaucracy has started to serve itself.

    4. Re:You can't compete with root. by Anonymous Coward · · Score: 2, Informative

      Verisign should have lost their root server assignment 10 years ago. Between their wildcard allocation for *.com a few years back, their pitiful handling of IPv6, their pretense at innocence when they assign domain authorities to spam hosting domains, their support of "reserving" domains by abusive registrars who blackmail people who search domains to see if they're available, and their refusal to cooperate with domain owners who want to reliably provide reverse DNS, they're not competent and their effective monopoly should be transferred.

    5. Re:You can't compete with root. by mysidia · · Score: 4, Interesting

      If redirecting NXDOMAIN to partnered search results pages and killing a bunch of anti-spam scripts

      You mean an anti-spam technique (of fairly limited effectiveness) of reverse path validation, through making extra domain lookups for the forward DNS hostname of the Return Envelope, not called for by the SMTP RFCs, which also place extra (unwanted) load on DNS servers?

      Please don't confuse ICANN with Network Solutions / Verisign (Sitefinder). By the way, the SiteFinder Fiasco you refer to ended when ICANN was going to file a lawsuit against Network Solutions over "sitefinder" and reached a settlement. Settlement: ICANN agreed to discontinue the sitefinder service / stop wildcard resolving immediately, and will seek permission under ICANN rules before introducing any new service such as that.
      But, in exchange, as part of this settlement, NSol's contract to be operator for the .COM / .NET TLDs was changed so ICANN guarantees to renew the contract perpetually at the end of every contract term (unless there is a proven breach), AND, also, the settlement gave Network Solutions a right to increase prices 7% every 4 out of the 6 years of every contract term after 2007, with no justification.

      NSol can increase prices in 6 out of 6 years, if a cost justification is given in 2 of those years.

      Note that back in 2007, .NET and .COM prices were capped by the registry at $6. Today they are approximately $8. Domain prices per-domain are getting more expensive, and the stated justification is "higher volume of DNS queries", what do you think about that?

      So the whole 'sitefinder thing' was a win win win for Network Solutions, because ICANN essentially got themselves a free perpetual contract, which ICANN justifies on the basis of "A perpetual contract provides greater stability for the Internet"; neverminding the fact the contract becomes less favorable for the community every year NSol chooses to raise prices.

      Still... things are "stable", and doesn't matter that much that NSol got rewarded for their attempted sitefinder moneygrab does it?

      endorsing ridiculously stupid shit like .eco, .xxx, .jobs and .tel happen

      Apparently it wasn't that 'stupid'... I mean, someone had to pay $50,000 just to apply, and put significant capital down to have a registry that would meet ICANN's minimal technical standards for a stable registry. The letters in the TLD are just one factor; the decision to 'add a TLD' or not is almost all about the technical aspects of a proposed TLD and how many sites and domain registrars are interested in the TLD.

      complying with a Department of Homeland Security request to remove a bunch of domains that contained material that infringes copyright should be the nail in the coffin for the useless stuffed shirts at ICANN.

      ICANN just defines the rules and contracts the registry services, I believe you are again blaming ICANN for an individual registrar and US government thing.

      ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.

      Now there's something we can agree on. Unix hacker types could do better, if only they could get the financing, and backing from the corporate types.

      It would probably be good enough though to have an association serving a different group of corporate whores.... for example, ISPs instead of the WIPO, RIAA, registrar, pro-squatter, and pro-advertising/pro-marketing folks.

    6. Re:You can't compete with root. by Daniel+Dvorkin · · Score: 3, Insightful

      ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could.

      Almost everything in the world currently being done by corporate whores could better be done by wise-beard Unix hacker types; the tiny number of things that couldn't, aren't worth being done at all.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    7. Re:You can't compete with root. by mysidia · · Score: 5, Informative

      And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

      That was what was going to happen. Instead, something very strange happened. The final outcome was that ICANN SETTLED with VeriSign. But this was kind of like the Google books settlement, in that the settlement was EXTREMELY FAVORABLE to VeriSign.

      Prior to this settlement, the .COM / .NET registry was a FOR BID contract that would come up for bidding and renewal every 6 years. The registry price was capped at $6 per domain per year under the contract at the time.

      In the settlement ICANN agreed to guarantee to renew their contract at the end of the term, unless it is proven that VeriSign substantially breaches the new contract, they have the contract perpetually. [paraphrasing], "For the sake of Internet stability" (as ICANN people put it)

      The settlement from the SECSAC process also gave NSOL the right to raise prices. The settlement gave them the right to raise prices 7% 4 out of 6 years of every contract term after 2007, with no cost justification needed.

      The VeriSign/Network Solutions Internic can raise prices all 6 years of the contract term, if they provide a cost justification for 2 of those years. In 2010 they raised prices for .COM and .NET domains, and publicly someone indicated a cost justification of "Increased number of DNS lookups being performed" (against .COM and .NET registry servers)

      I think 5 years from now, .COM and .NET TLDs will be priced by the registry at approximately $12 instead of approximately $8. We can look forward to paying $100 per year to the cheapest registries to renew .COMs, within this decade or the next, just like it used to be before competitive registrars.

      Oh right... "competitive registrars" doesn't matter much, when there is a for-profit global registry everyone has to pay who has a guaranteed right to raise prices, and a guaranteed right to not get fired, because a legal settlement means ICANN legally cannot bring the contract up for bid, unless NSol screws up.

    8. Re:You can't compete with root. by Glendale2x · · Score: 1

      If redirecting NXDOMAIN to partnered search results pages

      VeriSign != ICANN

      And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

      IETF, IANA, the RIRs, etc. all seem to work well without having some legal entity with a bunch of corporate bullshit. The suits have managed to royally fuck things up at ICANN.

      I agree with the GP: money has generally corrupted the process which should be a simply technical matter of updating a simple list of TLDs as countries have come and gone according to ISO 3166-1 alpha-2. The bureaucracy has started to serve itself.

      ICANN did assert that they overstepped their authority, and VeriSign later sued ICANN.

      --
      this is my sig
    9. Re:You can't compete with root. by Nursie · · Score: 3, Insightful

      "You can't have a competing .com, .net, .org registry"

      Sure you can. Did you young folks never hear of AlterNIC ?

      (OK, you young folks might be an exaggeration, you have a slightly lower UID and I'm only 32, but still)

      All you have to do is persuade people to use your name servers instead of the normal ones. There's an infrastructure cost associated with that of course, but there it is. ICANN might kick and scream and maybe even sue, but there's nothing to stop the net being usurped by an enterprising newcomer. It would lead to namespace fragmentation and all sorts of interesting user effects, but it's a possibility.

      I quite like the idea of us geeks using one lot and the general public using another. They can have their own internet with the facebooks and packet shaping and the september that never ends. And we'll have ours and reset it to 1995 style...

    10. Re:You can't compete with root. by mysidia · · Score: 3, Informative

      their refusal to cooperate with domain owners who want to reliably provide reverse DNS

      What the heck are you talking about? What is your beef with their reverse DNS handling?

      This is an IANA / RIR function, and I have never seen any issues or mishandling of RDNS by the registry.

    11. Re:You can't compete with root. by GNUALMAFUERTE · · Score: 3, Interesting

      Absolutely. What needs to be done, and this will only be accomplished with enough international pressure, is to take control away from the US government. ICANN or no ICANN, the one in control is the US government.

      Don't come with the "DARPA in the 60's" argument. It's not about what the net was 20 years ago, or 10 years ago, it's about what it's now: A worldwide network. That means it shouldn't be governed by a single country. We need to create a new council that will manage the internet:

      It'll be an international council, with the following governing body:

      - An official representative from each member country.
      - A representative from each software/hardware development that plays a major role in the net. For example, the ISC (BIND, DHCPD), The Mozilla Foundation (Firefox), CISCO, etc. would get representatives.
      - Other organizations and major players that are active participants of this thing we call the internet. For example, the IEEE, The Free Software Foundation, the EFF, Intel, Apple, Microsoft, etc. would get representatives.

      None of these entities would get more than one representative even if they qualified on more than one category, and each representative gets one vote, and all votes count equally. We should also try to keep the amount of members from each category sort of equal, so, considering ~190 countries, we should get 190 from the other two categories, for a grand total of ~600 members.

      This entity would operate under its own constitution, and act as a democracy. The technical infrastructure would be absolutely distributed around the world, with enough redundancy and no central authority.

      That is the only way that we can get a truly free internet.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    12. Re:You can't compete with root. by rtb61 · · Score: 1

      An open root domain system where each country produces its own root domain and via treaty mirrors addresses. Each ISP defaults to the local national root domain. Could create some interesting problems with circular updates but those could be resolved by establishing a priority on mirroring and monitoring changes.

      The handy thing is that .gov and .mil could be immediately localised to each nation.

      The treaties aren't even required to start the process off, countries just need to launch their own root servers and legislate the use of those servers as default.

      --
      Chaos - everything, everywhere, everywhen
    13. Re:You can't compete with root. by GNUALMAFUERTE · · Score: 4, Interesting

      No, that would give each individual government more control over its citizens. Giving them that power would quickly turn the internet everywhere into what it is right now in China.

      Governments can't be individually trusted, and localized versions of the internet are a bad idea, against the very definition of the internet.

      That's why in the scheme I propose, all countries together are only 30% of the votes. I am a wise-bearded Unix geek, and I still don't agree with turning control over to wise-bearded Unix geeks. We can be real assholes too :). No group of people can be fully trusted to make choices for all of us, that's why we need different groups with different interests to keep each other in line.

      The chances that several governments, or several companies, or several software developers cooperate with each other to do something evil are very high. That's why we see things like the ACTA being passed by politicians from different countries, while 90% of the public disagrees.

      Now, the chances of seeing the Free Software Foundation, CISCO, the US, Switzerland, Venezuela and the ISC cooperating to pass some terrible legislation is virtually nonexistent.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    14. Re:You can't compete with root. by evanism · · Score: 2, Informative

      I have seen this as absolutely inevitable for about 10 years now.

      Admittedly, I am an old warhorse and remember registering domains for free with a guy who kept the whole root under his desk at Uni (Robert Ells, Uni Melbourne, Aust). Then the evil MelbourneIT took it over, screwed everyone and commercialised a public resource.

      I used to, in 1996, use AltDNS which is sort of what is proposed now. It failed, but the actions of government have shown we need a better DNS that is not subject to the actions of a single government. (e.g. dot com is a very bad idea!... why isn't each country's own root dotcom dependent on geo!)

      An alternative DNS is definitely on the cards.

      --
      Just bought a new quantum computer, but I'm uncertain how it works.
    15. Re:You can't compete with root. by xnpu · · Score: 1

      Nothing stops you from dividing the root. .COM can be with ICANN, .SOMETHINGELSE can be with SUNDE. As long as name servers are aware of both root systems, there's no problem.

    16. Re:You can't compete with root. by dnsdude · · Score: 1

      Touche. Like this hasn't been tried before. Ooh, but wait, it's Peter Sunde!! He'll change the whole DNS! Yeah, he's so the man! All the ISPs in the world will do whatever he says! Go, Peter!

    17. Re:You can't compete with root. by H3xx · · Score: 1

      ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.

      We can and are.

      With enough Linux geeks, anything is possible.

      --
      "Ubuntu" - an African word meaning "Slackware is too hard for me."
    18. Re:You can't compete with root. by rtb61 · · Score: 1

      Not really as you are only configuring the national root as default, you are not making it compulsory and it is easy to point your browser elsewhere.

      --
      Chaos - everything, everywhere, everywhen
    19. Re:You can't compete with root. by Marillion · · Score: 1

      You mean it's not already happening?
      ISPs send DNS server addresses with DHCP. It's trivial for countries to override root DNS.

      --
      This is a boring sig
    20. Re:You can't compete with root. by cheekyjohnson · · Score: 1

      it's trusted because well

      I'm pretty sure it's not trusted at this point in time. At least, more people are getting increasingly angry.

      --
      Filthy, filthy copyrapists!
    21. Re:You can't compete with root. by lordmetroid · · Score: 2, Insightful

      If an internet controlled by one government wasn't bad enough, you want several governments to be able to have a simple access to the censorship button. I will root for Peter Sunde's effort and make an internet controlled by its users.

    22. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      NXDOMAIN: wasn't ICANN
      Domain seizes: wasn't ICANN

      If you don't like the current DNS, go ahead. But please don't blame organizations for things other organizations did.

    23. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      Where do I signup?

      Peter Sunde isn't the only one that is getting fed up with the things being done to the intertubes. Distributed DNS on a darknet please...

    24. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      Give it up. The argument regards stupid top level domains was lost as soon as people started using .co as an alternative for .com. All TLDs are now completely arbitrary.

    25. Re:You can't compete with root. by rs79 · · Score: 1

      All he needs to do is have one TLD not controlled by ICANN (like the rest of them are) and have a network of root servers that have all the legacy tlds plus this one extra one. This isn't new, (see .tor) in fact there have been alternative root networks for 15 years.

      Those that need to use them know how. And they work and have ever since 96 or so.

      Wikileaks is probably gonna need the same thing. I can't see the US government letting them continue to use their DNS.

      This has nothing to do with "a competing .com registry".

      --
      Need Mercedes parts ?
    26. Re:You can't compete with root. by rs79 · · Score: 1

      Wildcarding DNS and redirecting "no such domain" (NXDOMAIN) queries has an interesting history.

      First .ws did it. ICANN did nothing.
      Then NSI/Verisign did it. People complained. They made them stop doing it.
      Then more cctlds did it.
      Then ISPs did it.

      At this point, everyone does it, except Verisign. Which is really weird 'cause there's a clause in the NSI/ICANN agreement that says ICANN can't treat NSI/Verisign any differently from any other TLD and they apparently are in this case.

      --
      Need Mercedes parts ?
    27. Re:You can't compete with root. by rs79 · · Score: 1

      "I used to, in 1996, use AltDNS which is sort of what is proposed now. It failed, but the actions of government have shown we need a better DNS that is not subject to the actions of a single government. (e.g. dot com is a very bad idea!... why isn't each country's own root dotcom dependent on geo!)"

      The alt.dns you used to use still lives. It's just hiding on Tatooine. And has a sister.

      When the USG pulls Wikileaks plug it might be time to break out the light sabres.

      --
      Need Mercedes parts ?
    28. Re:You can't compete with root. by kiddygrinder · · Score: 1

      probably agree with you, but suggesting that the beardy weirdys wouldn't get rid of the "stupid shit" like .eco and .xxx, they'd probably make it open slather on tlds. at least if they didn't suck they would :)

      --
      This is a joke. I am joking. Joke joke joke.
    29. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      God you are thick if you believe that.

      So it wasn't Bill Gates that put a computer on every desktop but a useless, pathetic little hippie like Linus?
      HAHAHAHAHAHA

      Plus, Peter Sunde is going to prison, he's going to run the root server from his cell?
      Fucking ignorant cunt.

    30. Re:You can't compete with root. by Lumpy · · Score: 1

      Several have existed for a long time now.

      http://en.wikipedia.org/wiki/Alternative_DNS_root

      I haven't used standard DNS servers for almost a decade.

      Peter Sunde is simply making noise to attract attention. He will not get any farther than the lesser Alternate DNS server group out there that have existed far, far, longer than his idea has existed.

      --
      Do not look at laser with remaining good eye.
    31. Re:You can't compete with root. by Lumpy · · Score: 1

      Yup.

      You are an internet N00b if you don't know about AlterNIC.

      And no, you don't have to convince people to use yours instead of theirs. Just ask them to put yours in their DNS list at the top.

      AlterNIC does not sell domains like Coke.com and Pepsi.com. They play nice and have their own root names. You can run all 4 Alternative DNS server systems in your computer at the same time without problems. I have it set that way in our DNS server; it checks against ALL DNS systems.

      --
      Do not look at laser with remaining good eye.
    32. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      The ROOT domain system is just that, it's trusted because well, if we didn't trust somebody at #1 this whole thing wouldn't work. You can't have a competing .com, .net, .org registry...

      You are confusing the root network with TLDs, it seems. Why should a single organization be in charge of publishing the TLD assignments? And even worse, why is that organization, that publishes and manages TLDs for the entire world, subject to the local laws of one single national government?

      sure, you could declare your own TLD and be root of that

      Can you now? Can you still do that if the US political wheel decides that you operating that TLD does not match their agenda?

      but, well, we don't trust you as much as we trust ICANN because, well, they've been root for a while now and haven't blown it that badly.

      Sure. I'd posit that 90% of the American citizens would say their government hasn't blown it that badly either. That does not mean that they're right. Also, you're presenting a false dichotomy when you say that our only option is to divert trust to another single organization. Monkeysphere is one of the examples of distributed name resolution, Tor is another one. I'm sure other /. readers can give you more examples.

    33. Re:You can't compete with root. by AmiMoJo · · Score: 1

      Problem is that the only way to be independent and uncensored is to not depend on anyone else for funding. Unless you only accept anonymous donations I don't see how you could have any income to pay for the whole operation. Would anon donations be enough?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    34. Re:You can't compete with root. by evanism · · Score: 1

      What really interests me is this... the DNS that I remember of "old" WAS free, and it worked with a bunch of very simple rules. It was when commercial interests came into it (i.e. pay to register) that all these shenanigans began.

      I'm not that old (40) to remember what systems were in place, using honour and integrity, that made it work. Sometimes this whole internet thing is getting me down.

      Too many conflicts of interest. Seems the lawyers and MBAs are the ones making the money, not the creators. Shame.

      --
      Just bought a new quantum computer, but I'm uncertain how it works.
    35. Re:You can't compete with root. by ElusiveJoe · · Score: 1

      They can have their own internet with the facebooks and packet shaping and the september that never ends. And we'll have ours and reset it to 1995 style...

      No need to go that far. You just need a new domain - .lawn

    36. Re:You can't compete with root. by Muros · · Score: 1

      Almost everything in the world currently being done by corporate whores could better be done by wise-beard Unix hacker types; the tiny number of things that couldn't, aren't worth being done at all.

      I can think of a few things I'd like corporate whores to do that I most certainly would not ask anyone bearded, Unix hacker or not, to do. And I feel they would be worth getting done.

    37. Re:You can't compete with root. by Anonymous Coward · · Score: 0

      LOL
      'wise-beard hacker types' can't even find the soap, let alone run anything that people depend on.

      I'll take the corporate guys over a bunch of lentil chomping geeks any day thanks.

    38. Re:You can't compete with root. by GNUALMAFUERTE · · Score: 1

      Guys, can you fucking read?

      I said that countries should only have 1/3 of the votes, and that nothing could be passed (like in any democratic legislative organism) without at least 3/4 of the votes. Damn, read.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    39. Re:You can't compete with root. by TheRaven64 · · Score: 1

      Linux geeks? From the page you link to:

      The name BIND stands for "Berkeley Internet Name Daemon", because the software originated in the early 1980s at the University of California at Berkeley

      BIND predates Linux by a decade. UNIX geeks or BSD geeks, not Linux geeks.

      --
      I am TheRaven on Soylent News
    40. Re:You can't compete with root. by BitZtream · · Score: 1

      Bullshit.

      In order for that to work you either have to have everyone switch to your registries ... or ... you still depend on ICANN's existing registries to serve names you don't serve yourself because no one is going to care enough about your whining over ICANN to join you rather than have access to the Internet as they know it now.

      So sure, you can start your own service and get people using it ... but they are still using the existing registries as well so you have accomplished nothing really.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    41. Re:You can't compete with root. by Nursie · · Score: 1

      "In order for that to work you either have to have everyone switch to your registries"

      Which, IIRC, is what I said in my original post. You have to get people to switch DNS servers to yours, but it's perfectly (technically) possible to do so and to compete with ICANN.

    42. Re:You can't compete with root. by KingMotley · · Score: 1

      Feel free to make your own network at any time.

    43. Re:You can't compete with root. by JAlexoi · · Score: 1

      You do know that you can point to another DNS server, don't you? Unless a smart ISP will just block all DNS queries using deep packet inspection.

    44. Re:You can't compete with root. by AmiMoJo · · Score: 1

      Registration fees are not really the issue, it is the cost of maintaining the servers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    45. Re:You can't compete with root. by Marillion · · Score: 1

      Oh sure, I can point to another DNS server. 99.9% of the population can't.

      --
      This is a boring sig
    46. Re:You can't compete with root. by Linuxmagic · · Score: 1

      The 'trusted' part is probably the root (excuse the pun) of the idea in the first place. Just because it is non-profit, doesn't mean it is immune from outside forces, sometimes political, in all senses of the word. There are many that question some of the decisions that are made, for all kinds of reasons, and the questions become doubt, which breed mistrust.. and so on. Even its handling of who gets the ever shrinking IPv4 space is highly controversial.

    47. Re:You can't compete with root. by DedTV · · Score: 1

      Wise-beard Unix hacker types make something, people start saying "Wow! These wise-beard Unix hacker types made something awesome!", the wise-beard Unix hacker types say to themselves "Hey! We can get rich off this and get supermodels for wives!" and BOOM! they're suddenly corporate whores.

      Anything that can't potentially make you a corporate whore, or at least get you laid, isn't worth doing.

  2. Sour grapes? by Meshach · · Score: 1, Insightful

    Sounds like Peter Sunde is bitter at his lost domain. If it ain't broke don't fix it.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:Sour grapes? by LostCluster · · Score: 2, Funny

      ICANN declares man loser, loser vows to replace ICANN. Details at 11, or at 10 on that UHF station we co-own.

    2. Re:Sour grapes? by Gonoff · · Score: 3, Insightful

      If it ain't broke don't fix it.

      I think he feels that it is broke.
      I think a big problem is that ICANN gives too many questionable organisations too much say into what happens. I include in that list, MPAA, RIAA and their alternatives in the remaining 96% of the planet, various spooks and one particular national government.
      I suspect people here can think of many more names...

      --
      I'll see your Constitution and raise you a Queen.
    3. Re:Sour grapes? by Anonymous Coward · · Score: 0

      It took me a while to figure out that this is the same Peter Sunde behind The Pirate Bay. The same one who has been sentenced to jail time in Sweden for it.

      So he's crying about the IFPI seizing his file sharing domain... cry me a river.

    4. Re:Sour grapes? by Rijnzael · · Score: 2, Informative

      He's "crying" about them stealing a domain he legally paid for.

    5. Re:Sour grapes? by LordLimecat · · Score: 2, Insightful

      Wait, so a bunch of spooks and RIAA and MPAA folks have their claws into the ICANN, and the ICANN just revoked access to "one of Sunde's domains" (mysteriously unnamed!!!), but Pirate bay remains online.

      We're supposed to extrapolate from this that there is a domain of Sunde's that the MPAA / RIAA want offline MORE than pirate bay? Riiiiiiight. How about telling everyone what domain it was so we can judge for ourselves whether or not ICANN is acting in bad faith; I may not trust the MPAA / RIAA, but I'm not entirely sure I want to take the word of the guy running pirate bay, either.

    6. Re:Sour grapes? by MightyYar · · Score: 1

      First, he didn't pay for it - it was given to him. But that's not really germane.

      The main point is that they didn't "steal" it. He put up a BS site to try and claim the initials IFPI after the real IFPI forgot to renew. This would be like lucking into the coke.com domain and then creating an organization called Computer Organization of Knowledge and Education to provide an excuse to hold it.

      In my opinion, the whole nissan.com debacle is a much more abusive situation. Nissan has been suing this poor guy for over 10 years, even though he sells computers rather than cars! He's won so far, but at considerable cost.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    7. Re:Sour grapes? by camperdave · · Score: 1

      He's crying about a domain that was transferred to him by some cyber-vulture who swooped in and grabbed it after the IFPI forgot to renew it. The Pirate Bay was found to have registered the domain in bad faith (the domain cannot be used to cause confusion with the "Complainant's mark"), and it was returned to its original owner.

      Sorry, but I don't see a foul here.

      --
      When our name is on the back of your car, we're behind you all the way!
    8. Re:Sour grapes? by Skal+Tura · · Score: 4, Insightful

      How about this? The Pirate Bay is too public to pull off a stunt like this, but some less known domains (like the ones seized a few moments ago) spur less activism against it, so they can slowly roll it in and make it a norm. (like the antiterrorism bullshit going around)

    9. Re:Sour grapes? by Skal+Tura · · Score: 3, Insightful

      the IFPI organization doesn't have any more right to the domain than sunde did.

      Leaving it unrenewed is their friggin' problem, not anyone else's. No average joe can go bitch "that dude stole my domain!", "It says here you didn't renew it", "So what, it's mine! I forgot!", why should MAFIAA have that right?

    10. Re:Sour grapes? by Darinbob · · Score: 1

      If it's broke we should fix it. But that doesn't mean letting self proclaimed pirates be in charge, much less be the root of a "trusted" chain.

    11. Re:Sour grapes? by jythie · · Score: 2, Insightful

      Welcome to how precedent works ^_^ look for victims no one will bother defending and the legal framework is there for when you go after the ones that have defenders.

    12. Re:Sour grapes? by Anonymous Coward · · Score: 0

      "Man" in this case would be one of the founders of the Pirate Bay, shown to take a stance against injustices and problems with the web time and time again. However he does have an agenda, but that's the beauty of having 2 competing systems, you get to choose which agenda to follow, "corporate megaworld" or "idealistic but naïve". I welcome the choice.

    13. Re:Sour grapes? by Kalriath · · Score: 1

      Actually, if the new registrant did so in bad faith, average joe could indeed complain and get it returned.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    14. Re:Sour grapes? by wshs · · Score: 1

      ...except in domain disputes, average joe never wins.

    15. Re:Sour grapes? by emj · · Score: 1

      ...except in domain disputes, average joe never wins.

      Sigh! You just get WIPO to tell ICANN that "According to the ifpi.com case you should give back the domain to average joe". How hard can it be?

    16. Re:Sour grapes? by emj · · Score: 1

      Except my friends have never managed to recover domains they have lost in the same way, how are they going to get WIPO to intervene on their part?

    17. Re:Sour grapes? by cheekyjohnson · · Score: 1

      If it ain't broke don't fix it.

      Ah, yes. Let's apply this intelligent mentality to the real world! Computers? No, they're not broken, so let's not even bother making them better! My software? Well, it has a few bugs, but it's still usable, so why bother fixing it? It's not broke!

      --
      Filthy, filthy copyrapists!
    18. Re:Sour grapes? by cheekyjohnson · · Score: 3, Insightful

      But that doesn't mean letting self proclaimed pirates be in charge

      What's wrong with being a 'pirate'? I fail to see how that's relevant to this.

      --
      Filthy, filthy copyrapists!
    19. Re:Sour grapes? by rs79 · · Score: 1

      It makes sense. Anybody who trusts TPB to use it for a referral link obviously trusts it enough to use DNS to get there.

      The pirate party has reps in the EU parliament, who do good work on matters of international policy with issues other than IP rights. Freeing up patents on pharmaceuticals so poor AIDS patients can afford medicine for example.

      While some people think "pirate" means stealing other people's stuff, some think it means resisting the corporatocracy.

      The "pirates" of old may not have been what you think either and you may find some reading up on this kinda interesting.

      --
      Need Mercedes parts ?
    20. Re:Sour grapes? by Terrasque · · Score: 1

      Isn't it obvious? They will be too busy fighting ninjas to run such an operation. Besides, the money used on rum will be criminally high.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    21. Re:Sour grapes? by MightyYar · · Score: 1

      the IFPI organization doesn't have any more right to the domain than sunde did.

      If neither has any fundamental "right" to it, then why give it to Sunde? There are rules in place for just such disputes, and Sunde is not on the winning side of these rules. The rules may be flawed, but they are very much in the same vein as Trademarks.

      I don't think I'd support the "finders keepers" rules that Sunde seems to prefer. That, to me, indicates that his mind never left the 6th grade schoolyard.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    22. Re:Sour grapes? by MightyYar · · Score: 1

      Mr. Nissan is still winning - look at nissan.com

      But it has cost him a fortune.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    23. Re:Sour grapes? by LordLimecat · · Score: 1

      Then why hasn't Sunde told us what domain it was? This isn't an issue of "privacy"; he's claiming it was a clear wrong that was done, but hasn't given ANY information on what exactly occurred other than "MPAA is oppressing me, and ICANN is badguys".

    24. Re:Sour grapes? by BitZtream · · Score: 0, Troll

      What's wrong with being a 'pirate'?

      Seriously? Are you 3 years old and still think being a 'pirate' in any form is 'good'? We're not talking about a silly Disney movie.

      Making such statements makes you look really childish and ignorant.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    25. Re:Sour grapes? by cheekyjohnson · · Score: 1

      I'm sorry, but after reading your post filled with ad hominems, my question still remains unanswered. I ask again: what is wrong with being someone who infringes upon copyright and what does that have to do with the situation at hand?

      --
      Filthy, filthy copyrapists!
    26. Re:Sour grapes? by tqk · · Score: 1

      Seriously? Are you 3 years old and still think being a 'pirate' in any form is 'good'?

      Seriously? I heard one just the other day: Guy buys dvd (last copy in the store). It's damaged. Futz around with return credits, when he knows it won't get him what he wants? No. DL a pirated version. He's paid for his copy. Where's the beef?

      Do you really think that's immoral? It may be illegal, but that's because of your fsck'd up legal system. Here in Canada, we pay a tax on all blank media, ostensibly to cover piracy for the producers. Guess what happens in real life (ACTA, Bill C-32(?))?

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    27. Re:Sour grapes? by JAlexoi · · Score: 1

      Well... if you personally don't follow the tech news then it's really not his problem, is it now?

    28. Re:Sour grapes? by Skal+Tura · · Score: 1

      Probably hasn't cost him a fortune, because loser pays the winner's legal fees too, if the loser happens to be the suer/accuser. At least in certain type of cases, which this looks to be like.

    29. Re:Sour grapes? by Skal+Tura · · Score: 1

      Bad faith is subjective, and is only perceived as bad faith from the observer's perspective.

      If I steal your wallet, you get angry for it and punch me, I could perceive you punched me in bad faith, not as a response to my wrongdoing.

      But yeah, "bad faith" clause might win a court.

    30. Re:Sour grapes? by Skal+Tura · · Score: 1

      and yet those "finders keepers" rules ought to be all that domains are about.

      They are a finite resource, if you missed your opportunity to register a domain, you cannot simply force someone to give it over. For one, that someone has very likely already added value to that domain name, or has plans on the domain for the future etc etc etc.

    31. Re:Sour grapes? by Skal+Tura · · Score: 1

      and that was exactly my point, but from different perspective :)

    32. Re:Sour grapes? by MightyYar · · Score: 1

      you cannot simply force someone to give it over.

      Again, why not? Your particular sense of fairness? Don't you agree that is kind of arbitrary? Why not make the DNS rules mesh with old established meatspace rules?

      For one, that someone has very likely already added value to that domain name

      The counter-argument is that Coca-Cola has added immense value to the word "Coke" over the last 100+ years, so allowing someone to call "first" over their hard-earned trademark is not fair.

      Trademark is just a form of IP, and I'm not a huge fan of IP in general - but I think that trademarks help consumers on balance.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    33. Re:Sour grapes? by MightyYar · · Score: 1

      because loser pays the winner's legal fees too

      Not in the US - that's a British rule. You can recover some legal fees, but it requires a counter-suit and so on. Mr. Nissan seems to indicate that he's spent almost half a million on defense, IIRC.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. Do it! Do it now! by wierd_w · · Score: 5, Interesting

    An alternative name registry service would do wonders to cripple the whole "internet censorship" bandwagon that has been going on recently. Blacklists? Rendered at the very least 2X as difficult to implement on a national scale, simply because the clients you are attempting to prevent from accessing content can reach that content by using the alternate name resolution service.

    It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.

    Do it. Do it now.

    1. Re:Do it! Do it now! by gclef · · Score: 5, Insightful

      Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right? The fact that there aren't good answers to these questions is a big part of why we've tried to avoid splitting the DNS roots.

    2. Re:Do it! Do it now! by wierd_w · · Score: 3, Interesting

      Take the recent "seizures" of torrent sites by the US government; In order for the government to keep track of DNS entries that it has "Confiscated", it has to apply it to easily identifiable name servers. (In this case, something along the lines of "Seized.xxxx.NS") Since it would become an administrative nightmare to NOT use some form of naming convention for such "Blocked" sites, it should be fairly simple to resolve "Which" IP addresses and name servers to accept as entries/accept entries from.

      If the two IPs match, Good for you.

      If they don't, does one get resolved by a "blacklist placeholder" NS? If so, ignore that entry and use the redundant one.

      If they don't, and neither points to a known placeholder, "ASK", allow the user to try both and then pick the appropriate one.

    3. Re:Do it! Do it now! by dch24 · · Score: 2, Interesting

      Yeah, messy.

      To identify google.com, use dnssec. To identify trusted root certs, either use the ones that come with your browser (just like SSL) or add/remove certs manually.

      Ok, I can think of immediate issues with that. All I'm saying is, not that hard to solve.

      So, problems with using a certificate store, like the one that comes with your browser:
    4. Re:Do it! Do it now! by gclef · · Score: 4, Insightful

      Skip the government part (though, honestly, I see no reason why they'll operate the way you think they will)...what about businesses? For example: Apple.com. There are several companies that can claim honest ownership of the "apple" name as a business title (apple computers, apple records, etc). If each of them buys the apple.com name in a different root, which one's "right"? All of them have reason to argue they are...do you expect users to have to surf to all of them one by one to find the "right" apple.com? Seriously? So now the users have to know about all possible DNS roots? yuk.

      You seem to be assuming that the DNS with multiple roots will have very few name collisions except for government-caused ones...I don't think that's a safe assumption at all.

    5. Re:Do it! Do it now! by wierd_w · · Score: 2, Informative

      I suppose the first one could be overcome with some local CA blacklists. (why Mozilla accepts a Chinese CA I don't know. Seems suicidal.)

      The RST packet issue becomes difficult to address without implementing some kind of homebrew device to sit between your router and your private network, that does DPI to look for the RST signals and filter them, then do some creative ACK to make sure the sender didn't send a legitimate one. This would slow network access when ATT sends the abusive RST packets, but slow is better than unstable.

      With modern Linksys firmware hacks being available, such an approach could be implemented into the router itself. It would be an interesting thing for the router to automatically log and report on too.

    6. Re:Do it! Do it now! by wierd_w · · Score: 2, Interesting

      Easily enough resolved with a firm root-level policy:

      Mirror ICANN, EXCEPT for blacklists.

      The idea is a not-for-profit alternate root. Not a "For profit" alternate root.

    7. Re:Do it! Do it now! by LostCluster · · Score: 2, Informative

      Yep, and that's the reason why we have ISP DNS, Google's 8.8.8.8 offering and OpenDNS all offering lower-tier servers so if you want to know where Google.com went, you can ask Google. Most of the DNS fouls such as taking all NXDOMAINs and returning a "search portal" are done by the low-level guys, not ICANN.

    8. Re:Do it! Do it now! by gclef · · Score: 2, Insightful

      DNSSec won't solve the multiple-root problem, though. If each root has a separate trust entry point, and the sub-entries are correctly signed, you won't be able to tell which one's accurate, just that the answers are verified by the root. You'll still be left with very confused users.

      This happens today with SSL, it's just harder to see: if two different SSL registries issue certs for "google.com", which one's right? If you trust both of them, then the answer is "both." The same will be true for the multiple DNS roots if they use DNSSec: you'll be able to tell for certain that the answer is correct from the point of the root, but which root is *right* will be far less clear.

    9. Re:Do it! Do it now! by interkin3tic · · Score: 2, Insightful

      An alternative name registry service would do wonders to cripple the whole "internet censorship" bandwagon that has been going on recently. Blacklists? Rendered at the very least 2X as difficult to implement on a national scale, simply because the clients you are attempting to prevent from accessing content can reach that content by using the alternate name resolution service.

      For five minutes or less before the proponents of the blacklist say "This goes for those guys too."

    10. Re:Do it! Do it now! by gclef · · Score: 3, Interesting

      If you're just going to mirror ICANN's root, why bother? (And why would ICANN or anyone tell you what the blacklisted domains are? They'll just drop them from the list of registered domains.)

    11. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Even if there was an alternative to the current DNS system of lookups, who says that we'd even be "allowed" to use it? There are already accusations of alternative DNS blocking by ISPs.

    12. Re:Do it! Do it now! by c0lo · · Score: 2, Insightful

      It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.

      Do it. Do it now.

      If it is for making the Big Brother's job slightly more difficult, until yet-another-TLD-DNS gets created, maybe you can trust some OpenNIC DNS-es? Just asking.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    13. Re:Do it! Do it now! by MagicM · · Score: 1

      Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right?

      Given the fact that there are thirteen root servers, those are actually very good questions. Do you know the answers?

    14. Re:Do it! Do it now! by LordLimecat · · Score: 1

      Except blacklists aren't being applied at the root DNS level last time I checked, so it's pretty irrelevant. You're looking for a solution to a problem that doesn't exist. Australia can simply filter DNS responses as they reach the mainland, since there's only one or two lines entering the country. Even if you have alternative roots in Australia, the ISP can filter stuff as it heads towards your modem.

      Changing DNS settings will never be the fix for censorship unless the person censoring hasn't yet gotten out of networking 101.

    15. Re:Do it! Do it now! by LordLimecat · · Score: 1

      I'm not sure I agree with the assumption that is the cornerstone of your argument:

      In order for the government to keep track of DNS entries that it has "Confiscated", it has to apply it to easily identifiable name servers.

      What makes you think this is the case? Why can't they simply store that info in a database?

    16. Re:Do it! Do it now! by LordLimecat · · Score: 1

      Can't we just check for the evil bit in the DNS responses? If 1, drop the response, if 0, accept it in the mirror....

    17. Re:Do it! Do it now! by OverlordQ · · Score: 2, Insightful

      If they don't, and neither points to a known placeholder, "ASK", allow the user to try both and then pick the appropriate one.

      How is this supposed to work? I could register facebook.com put up a phishing page that looks exactly the same and then if we used your system, how does the user know which one is right?

      --
      Your hair look like poop, Bob! - Wanker.
    18. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Easy: whichever is quickest! Or have a personalised weighting system.

    19. Re:Do it! Do it now! by gclef · · Score: 2, Insightful

      But they all (intentionally, and by design) respond with the *same* *data*. The fact that there are 13 of them doesn't change the fact that there is only one root *zone*. What's being proposed is having different root zones, and so the assumption that the different roots will answer with the same information goes out the window.

    20. Re:Do it! Do it now! by shentino · · Score: 1

      Unfortunately the evil bit *won't* get set in the event of mere incompetence.

    21. Re:Do it! Do it now! by BCoates · · Score: 1

      You're right, there is no objective way to say which is the "correct" google.com, you have to have some trusted body giving out monopolies on individual names. But that's not the problem that needs to be solved: the problem here is the body revoking names afterwards.

      I think that it *is* possible to create a system where names are assigned permanently and can't be taken back. It might look something like this:

      1. You buy example.com in the traditional manner from an untrusted legacy registrar.
      2. You generate yourself a public/private keypair, and with it claim ".hash" or somesuch. These domain names won't collide and you can prove your ownership with a digital signature.
      3. Any of several partly-trusted CAs signs a non-expiring DNS record pointing example.com to .hash.
      4. Said CA retires their certs rapidly, say weekly, and publishes the entire list of signed DNS records somewhere publicly accessible. Each signature links to the next in a manner that proves they have signed no other records with that cert. (*)
      5. You upload your signed example.com record to both the legacy DNS and a secure hash-based p2p network. (**)
      6. You upload a regular, updatable/expiring DNS record for .hash into said network as well.
      7. Upon doing DNS lookup, DNS servers ask the p2p network for valid, signed records; if they exist they are cached and the legacy DNS is not consulted. If not (or more likely in parallel), legacy DNS is asked and if a valid, signed *.hash redirect is found it's cached and reinserted into the p2p network (hopefully forever). Only if no signed records at all are found is the old, vulnerable record used.

      If ICANN/the department of Louis Vuitton/whoever tries to hijack the domain name, they'll only do so for users not on the new system. Upgraded users will ignore the change.
      If the CA tries to make forged records to redirect your permanent redirect it will be invalid (if done after the fact) or publicly detectable (if done in advance).
      If you're running a security-aware DNS client and your middle-tier DNS server is up to shenanigans the certs won't verify.

      The best part is this could be done from the middle-out without the consent of ICANN or need to reconfigure client devices--you just need one upgraded DNS server anywhere in the hierarchy above you.

      There is no possible after-the-fact ambiguity over who owns the name so long as all the CAs get together and promise not to re-assign an already used name (which would be detectable and should result in them being banned from making further assignments)

      (*) I think this is a solved crypto problem and a workable solution is described in the 1996 version of Bruce Schneier's Applied Cryptography but I don't remember where I put it
      (**) This is theoretically a solved problem and mostly solved in practice
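
An added sketch of the hash-linked publication in step 4 above (example code, not part of the original comment and not the construction from Applied Cryptography): each record commits to the hash of the one before it, so an auditor holding the published head can detect a record rewritten after the fact or a name assigned twice. The `.hash` name derivation, the record fields and all keys and domains are constructed assumptions, and the CA's signature over the head is left out because the Python standard library has no public-key signing.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry in a log


def name_for_key(public_key: bytes) -> str:
    """Self-certifying name; assumed here to be a truncated SHA-256 of the key."""
    return hashlib.sha256(public_key).hexdigest()[:32] + ".hash"


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the whole entry."""
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class RedirectLog:
    """Append-only list of permanent 'domain -> key-derived name' records."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        """Hash of the newest entry; this is the value a CA would sign and publish."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def append(self, domain: str, target: str) -> dict:
        # An honest CA refuses to re-assign a name that is already in the log.
        if any(e["domain"] == domain for e in self.entries):
            raise ValueError(f"{domain} is already assigned")
        entry = {"seq": len(self.entries), "domain": domain,
                 "target": target, "prev": self.head()}
        self.entries.append(entry)
        return entry


def audit(entries: list, published_head: str) -> list:
    """Check a published log; return a list of problems (empty means consistent)."""
    problems = []
    prev = GENESIS
    first_seen = {}
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number is {e['seq']}")
        if e["prev"] != prev:
            problems.append(f"entry {i}: prev does not match the hash of entry {i - 1}")
        if e["domain"] in first_seen:
            problems.append(
                f"entry {i}: {e['domain']} already assigned at entry {first_seen[e['domain']]}")
        first_seen.setdefault(e["domain"], i)
        prev = entry_hash(e)
    if prev != published_head:
        problems.append("head does not match the published head")
    return problems


def build_sample_log() -> RedirectLog:
    """Constructed sample: two domains pinned to two constructed keys."""
    log = RedirectLog()
    log.append("example.com", name_for_key(b"constructed-key-A"))
    log.append("example.org", name_for_key(b"constructed-key-B"))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    published = log.head()
    print("honest log:", audit(log.entries, published))

    # A record changed after the head was published no longer fits the chain.
    log.entries[0]["target"] = name_for_key(b"other-key")
    print("rewritten record:", audit(log.entries, published))
```

An auditor only needs the log and the last published head, which is why the comment's weekly publication step matters: a record that was never in a published chain cannot be slipped in later without changing a hash someone already holds.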

    22. Re:Do it! Do it now! by shentino · · Score: 1

      It's still ICANN's fault for letting them get away with it.

    23. Re:Do it! Do it now! by Anonymous Coward · · Score: 2, Insightful

      You would be making the mistake of assuming anyone who wants an alternate root gives a crap about any commercial organisation.
      We as humans deal with name space collisions every day, with our very own names, I think if we can handle it in real life, we can deal with it on here.
      As with all open source things, you are free not to participate, but you can always join later.

    24. Re:Do it! Do it now! by scdeimos · · Score: 1

      Australia can simply filter dns responses as they reach the mainland, since there's only one or two lines entering the country.

      You must be using out-of-date info from someone like telegeography. Even The Guardian shows six internet cables coming into Australia and Greg's Cable Map shows seven (plus two to Papua New Guinea and Vanuatu).

    25. Re:Do it! Do it now! by mysidia · · Score: 1

      If each of them buys the apple.com name in a different root, which one's "right"

      We just need a 'mutual exclusion' policy.

      An agreement between the 'roots' to publish a list of active registered domains and check the other roots' list of domains when any registration is requested.

      And deny new registration requests if the domain is already in a list.

      Good luck convincing the existing gTLD operators to go along with that.

      Alternatively your "alternate .COM registry" could have a policy of paying an ICANN registrar to register the domain, and requiring that registration go through, before your alternate root will register the domain.

    26. Re:Do it! Do it now! by sg_oneill · · Score: 1

      The hope would be that the alternative root largely mirrors the primary root, but differs where censorship or govt induced bad behavior occurs.

      That said, if they knocked out the domain squatters too, it'd be the greatest thing ever.

      I mean let's be honest, with 90% of the .COM space squatted by parasites, ICANN is not proving itself to be exactly competent here.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    27. Re:Do it! Do it now! by blueg3 · · Score: 1

      Facebook.com has multiple IP addresses. Would you like to go to 123.52.13.12 or 125.32.13.12?

      That's a great solution, sure to confuse nobody!

    28. Re:Do it! Do it now! by blueg3 · · Score: 1

      DNSSEC? So, replace a single-root, authoritative domain name system with a single-root, authoritative system for validating DNS response?

    29. Re:Do it! Do it now! by tokul · · Score: 1

      Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right?

      IMHO google already does it in current single-root DNS layout.

    30. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Or they can decide to only try one dns and then they get the very same function we have now.
      In my book the wrong Apple company got the domain apple.com.

      I wouldn't mind the possibility to change to a DNS where everything is right.

    31. Re:Do it! Do it now! by Kalriath · · Score: 1

      It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.

      No it wouldn't. Most blacklists work by hijacking the BGP announcements for blocked addresses, and therefore changing the route to the IP independent of the DNS records.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    32. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      This is a stoppind question, but maybe we could use the protocol part of the address to determine which dns root to ask. Instead of http make it openhttp? Or even better: icann://http:// and opennic://http://, have the browser download and cache dns mirrors for each one. Or add the capability to dns servers to ask from them an address that came from one or the other root.

    33. Re:Do it! Do it now! by lordmetroid · · Score: 1

      I think this is a great idea.

    34. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Just prioritize them in a user-definable way. I'd ask Sunde's server first and ICANN root servers only if the free server doesn't give an answer in time. Very simple.

    35. Re:Do it! Do it now! by rs79 · · Score: 1

      "Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses."

      What if they don't? Can we agree that would work?

      (Besides, you don't ask "the root" for "google.com" you ask it for the pointers (NS records) to .com, then you ask those servers for the pointers to google.com.)

      --
      Need Mercedes parts ?
    36. Re:Do it! Do it now! by rs79 · · Score: 1

      There are thirteen root server addresses. There are hundreds of physical root servers behind those. Vixie has been working on this for over a decade.

      It almost works now, too.

      --
      Need Mercedes parts ?
    37. Re:Do it! Do it now! by gclef · · Score: 1

      If they don't, then why bother using the alternate root? If ICANN's root and the alternate will always be identical, what's the point in the alternate?

    38. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Question: which root do you ask for google.com?

      You don't ask for google.com on a root server, you ask the .com TLD server for an authoritative answer. And most of the time, users don't do that, they just get an unauthoritative answer from their ISPs. So your question should be "how do I determine the authoritative name server for .com?", which is a fair question that needs to be solved.

      But the ICANN solution "we have only 1 root and you'll have to trust it" is both prone to mismanagement and antithetical to the distributed nature of the Internet. DNSSEC is a step in the right direction, as long as a third party exists that can confirm a server's claim that it is the rightful authoritative root for a TLD. Now your question reduces to "how do I verify the cryptographic signature of a self-proclaiming authoritative TLD server?", which is a public-key cryptography problem that has been solved ages ago for securing websites. As an example, Monkeysphere uses P2P communication to distribute such trust chains.

      The fact that there aren't good answers to these questions is a big part of why we've tried to avoid splitting the DNS roots

      But the answers are getting better every year. In fact, the Tor network has been relying on distributed name resolution since its inception.

    39. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Unfortunately the evil bit *won't* get set in the event of mere incompetence

      Simple. Don't use a bit then. Use a trit.

      1 - evil
      0 - good
      U - incompetent

    40. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      That would be the reason why you use the signed root as a fallback, and add trust anchors for every ccTLD (and gTLD? maybe... anyone using a gTLD will *have* to play by the music of the USA anyway).

      If the root says one thing, and the manual trust anchors say something else, the manual trust anchors win.

      BIND 9.7.2 can do this and keep the anchors up-to-date.

    41. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      What, why not?
      You do realize almost 90% or more of web users GOOGLE their websites, right?

      This ended up with hilarious results when a website managed to get on top of Facebook in the search results for facebook, but it ALSO had Facebook Connect for comments.
      So here we have a right bunch of idiots thinking this blog is facebook and their profiles have been deleted!
      Other cases it isn't so pleasant because the websites in question are hijacking sites, phishing sites and similar nasty sites.

      Just do some crap like apple.com;ICANN, apple.com;AltNS, default it to ICANN, problem solved.
      This is done at the driver level rather than program level. (but programs can default all URLs to alternative routes if they want)
      Some programs might throw a hissy fit at you for having a semi-colon in the URL, but it should allow almost all programs to use the system without the need for updates.
      Now if only we could find someone (or group) willing to take up the task.

    42. Re:Do it! Do it now! by knarf · · Score: 1

      If each of them buys the apple.com name in a different root, which one's "right"?

      Well, you could abuse a well-known notation form to say which apple.com you wanted to visit:

      apple.com@icann
      apple.com@alternic
      apple.com@yournichere ...

      Of course this will not work as is since the @ is already taken for authentication purposes. A new symbol is needed for this purpose...

      apple.com(icann):80 or apple.com=icann:80 or whatever.

      --
      --frank[at]unternet.org
    43. Re:Do it! Do it now! by TheRaven64 · · Score: 1

      You don't ask for google.com on a root server, you ask the .com TLD server for an authoritative answer

      Exactly, which makes this entire discussion pointless. Having his own root server would not have prevented him from losing ifpi.com, because all the root server does is tell you where to ask for children of the com. domain. He'd also need to have an entire copy of the com. zone, which is huge (and handles a lot more queries than the root server - most DNS caches look up a few TLD SOA records each day and then cache them, something like 95% of queries to the root servers are NXDOMAIN because they come from typos where people mistyped the TLD or simply forgot to add it).

      --
      I am TheRaven on Soylent News
    44. Re:Do it! Do it now! by rs79 · · Score: 1

      Because the alternative root will let you see the rest of the net that the US Government censors. The point is not to give you a different com/net/org/whatever, it's to give you those plus the others.

      Keep in mind when ICANN was formed slashdot's reaction was "this might not be so bad, they should be given a chance" despite the fact what is happening now was predicted by some, way back then.

      --
      Need Mercedes parts ?
    45. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      What is needed is a distributed system of naming domains like the ANDNA of Netsukuku
      http://en.wikipedia.org/wiki/Netsukuku#A_Netsukuku_Domain_Name_Architecture

    46. Re:Do it! Do it now! by Anonymous Coward · · Score: 0

      Different search engines can return different results for the same search terms. People quickly choose which search engine they trust and prefer.

  4. Static IPv6 addresses for everyone. by steeleyeball · · Score: 5, Interesting

    No more of this Pansy DNS crap. Know your IP address like you know your phone number. Cut these clowns off at the legs. Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software... Take charge by taking responsibility from those who don't care and don't know!

    1. Re:Static IPv6 addresses for everyone. by SanityInAnarchy · · Score: 2

      Know your IP address like you know your phone number.

      You mean like how I don't know it at all? That's what address books are for, and DNS is a gigantic global address book.

      --
      Don't thank God, thank a doctor!
    2. Re:Static IPv6 addresses for everyone. by 0123456 · · Score: 2, Informative

      That's what address books are for, and DNS is a gigantic global address book.

      Except other people keep coming in and changing your address book so you go to visit your mother and end up at some porn store or the DHS instead.

      The centralised nature of DNS has been a huge flaw in the Internet for a long time, and it should really be replaced. The problem is coming up with a better solution.

    3. Re:Static IPv6 addresses for everyone. by Demonantis · · Score: 2, Insightful

      It was called internic and it could easily come back because of this. Especially for sites the government is trying to block. The next most likely thing would be multiple DNS networks and everyone just gets used to having to switch depending on what they want to go to. Could easily be rectified at the browser level by "dialing in" that session's DNS ip. Eventually the most bipartisan DNSs would get used the most. ISPs would actively pursue an effective DNS system to maintain their consumer base in areas with no monopoly. There is nothing limiting there being many DNSs other than the fact that consumers would have to learn more about how the internet actually makes the magic happen and the general confusion that would ensue from that. Plus all the phishing of domain names.

    4. Re:Static IPv6 addresses for everyone. by Mitchell314 · · Score: 3, Insightful

      Look, there's no way you're going to convince me to remember one IP6 address, let alone a bunch of them. That's 32 hexadecimal digits.

      --
      I read TFA and all I got was this lousy cookie
    5. Re:Static IPv6 addresses for everyone. by Obfuscant · · Score: 2

      ...so you go to visit your mother and end up at some porn store or the DHS instead.

      My mother runs a porn store on the second floor of the local DHS building, you insensitive clod.

      Or "in Russia, going to porn store results in visit to mother."

      Whatever.

    6. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 0

      In Soviet Russian porn store, mother visits you.

    7. Re:Static IPv6 addresses for everyone. by LordLimecat · · Score: 1

      Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software...

      I do IT work for a living, and I don't even know my router's IPv6 address.... what on EARTH makes you think people will want to keep a list of those?

      Has it even occurred to you that there are dozens of legitimate IT reasons to use DNS? Like, say, not having to reconfigure all of your VPN clients every time you do an ISP change? Or enabling your finance folks to use email on the road through a web browser?

      And while we're at it, you do realize a vast vast vast majority of virus infections do NOT come from people manually downloading and installing viruses, right? That most are from plugin exploits?

    8. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 0

      Yeah, I love that one too.

    9. Re:Static IPv6 addresses for everyone. by camperdave · · Score: 1

      Look, there's no way you're going to convince me to remember one IP6 address, let alone a bunch of them. That's 32 hexadecimal digits.

      I prefer to think of it as eight "quads".

      --
      When our name is on the back of your car, we're behind you all the way!
    10. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 1, Insightful

      Know your IP address like you know your phone number. Cut these clowns off at the legs. Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software... Take charge by taking responsibility from those who don't care and don't know!

      I love it!
      Don't go to mybank.com anymore. Go to http://FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/
      BUT BEWARE! http://FFFF:FFFF:FFFF:FFFF:FFFF:FFEF:FFFF:FFFF/ is a phishing site - you don't want to go there.

    11. Re:Static IPv6 addresses for everyone. by SanityInAnarchy · · Score: 1

      The problem is coming up with a better solution.

      Indeed.

      And I really can't think of a better solution which lets me type slashdot.org and have a reasonable expectation of actually getting to slashdot.

      --
      Don't thank God, thank a doctor!
    12. Re:Static IPv6 addresses for everyone. by Anthony+Mouse · · Score: 2, Insightful

      The centralised nature of DNS has been a huge flaw in the Internet for a long time, and it should really be replaced. The problem is coming up with a better solution.

      OK, how about this:

      You take the existing SSL certificate authorities and the existing certificates for websites, which contain their domain names. You create a new "root" which is really a distributed collection of root servers in which anyone may participate. Website operators send their SSL certificates to any one of the root servers (ideally one trusted enough to propagate it), showing that their domain has been verified by a certificate authority as belonging to them. The website operator also signs the IP address of the website with the website's public key and a timestamp (so that updated IP addresses have newer timestamps) and sends the signed IP address(es) to the root server. The root server propagates the website's certificate and the signed IP address to all of the other root servers. If the certificate is signed by a CA which is trusted by the root server, it then starts handing out the signed IP address in response to queries for that domain name (we can even use the existing DNS protocol for this). If a CA starts maliciously signing certificates for websites for people who don't really own them, "your" root server can stop trusting that CA (and if it doesn't, you can get a new root server).

      The advantage of this design is that you can't remove websites from the system except by the CA revoking their SSL certificates, which if it happens will just create a market for "bulletproof" certificate authorities. The website is using its own key to sign its IP address and once that signature is distributed to all the thousands of distributed root servers, there is no central location to remove it. At best a different CA under the influence of a censorial government could be coerced into signing a certificate for the domain name to the government instead of the owner, but all that requires is for your root server in the case of conflict between CAs for the same domain to prefer the bulletproof/incorruptible CAs to the corruptible ones.

      At that point you can eliminate ICANN's role in DNS and replace it with a covenant between all the certificate authorities not to issue a certificate for a domain already issued by another certificate authority to anyone other than the same party, the consequence for violating the covenant being that the various distributed root servers will stop trusting that CA.

      Since anyone sufficiently trustworthy can be a CA and anyone can run a root server because all the root servers are doing is caching a bunch of signed certificates and signed IP addresses, you get fully-distributed secure DNS with no ICANN.
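
      The acceptance rules proposed in the comment above, sketched as an added example that is not part of the original post: raw Ed25519 signatures stand in for SSL certificates, and the names Binding, RootServer, the numeric CA rank, the constructed demo keys and the documentation-range IP addresses are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Binding is what root servers exchange: a CA signature plus the site's own signature.
type Binding struct {
	Domain, CA, IP   string
	SiteKey          ed25519.PublicKey
	Timestamp        int64
	CertSig, AddrSig []byte
}

type RootServer struct {
	caKeys  map[string]ed25519.PublicKey
	caRank  map[string]int // higher rank wins when two CAs certify different keys
	entries map[string]Binding
}

var ErrUntrustedCA = errors.New("certificate not signed by a trusted CA")
var ErrBadRecord = errors.New("address not signed by the certified site key")
var ErrStale = errors.New("record is not newer than the cached one")
var ErrConflict = errors.New("conflicting certificate from a less-preferred CA")

// demoKey derives a deterministic key pair from a label (constructed demo keys).
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Canonical byte strings that get signed; %q keeps field boundaries unambiguous.
func certMsg(d string, k ed25519.PublicKey) []byte { return []byte(fmt.Sprintf("cert %q %x", d, []byte(k))) }
func addrMsg(d, ip string, ts int64) []byte { return []byte(fmt.Sprintf("addr %q %q %d", d, ip, ts)) }

// Certify is the CA's step: vouch that siteKey speaks for domain.
func Certify(ca string, caPriv ed25519.PrivateKey, domain string, siteKey ed25519.PublicKey) Binding {
	return Binding{Domain: domain, CA: ca, SiteKey: siteKey, CertSig: ed25519.Sign(caPriv, certMsg(domain, siteKey))}
}

// WithAddr is the site operator's step: sign the current IP with a timestamp.
func (b Binding) WithAddr(sitePriv ed25519.PrivateKey, ip string, ts int64) Binding {
	b.IP, b.Timestamp, b.AddrSig = ip, ts, ed25519.Sign(sitePriv, addrMsg(b.Domain, ip, ts))
	return b
}

func NewRootServer() *RootServer { return &RootServer{map[string]ed25519.PublicKey{}, map[string]int{}, map[string]Binding{}} }
func (r *RootServer) TrustCA(name string, key ed25519.PublicKey, rank int) { r.caKeys[name], r.caRank[name] = key, rank }

// DistrustCA drops a CA and purges every cached binding it vouched for.
func (r *RootServer) DistrustCA(name string) {
	delete(r.caKeys, name)
	for d, b := range r.entries {
		if b.CA == name {
			delete(r.entries, d)
		}
	}
}

// Submit re-verifies both signatures locally, then applies freshness and conflict rules.
func (r *RootServer) Submit(b Binding) error {
	caKey, ok := r.caKeys[b.CA]
	if !ok || len(b.SiteKey) != ed25519.PublicKeySize || !ed25519.Verify(caKey, certMsg(b.Domain, b.SiteKey), b.CertSig) {
		return ErrUntrustedCA
	}
	if !ed25519.Verify(b.SiteKey, addrMsg(b.Domain, b.IP, b.Timestamp), b.AddrSig) {
		return ErrBadRecord
	}
	old, cached := r.entries[b.Domain]
	sameKey := cached && old.SiteKey.Equal(b.SiteKey)
	switch {
	case sameKey && b.Timestamp <= old.Timestamp:
		return ErrStale // replayed or superseded address
	case cached && !sameKey && r.caRank[b.CA] <= r.caRank[old.CA]:
		return ErrConflict // different key holder, and its CA is not preferred
	}
	r.entries[b.Domain] = b
	return nil
}

func (r *RootServer) Resolve(domain string) (string, bool) {
	b, ok := r.entries[domain]
	return b.IP, ok
}

func main() {
	caPub, caPriv := demoKey("ca-a")
	sitePub, sitePriv := demoKey("site")
	root := NewRootServer()
	root.TrustCA("ca-a", caPub, 1)
	b := Certify("ca-a", caPriv, "example.org", sitePub).WithAddr(sitePriv, "192.0.2.10", 100)
	fmt.Println(root.Submit(b), root.Submit(b)) // second submit is a replay: stale
	fmt.Println(root.Resolve("example.org"))
}
```

      A peer root server that receives the same Binding runs the same Submit checks, so what it serves depends only on which CAs its own operator trusts and how they are ranked.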

    13. Re:Static IPv6 addresses for everyone. by somenickname · · Score: 1

      This isn't as unreasonable as it sounds.

      I remember getting a huge foldout "Map of the Internet" in PC Magazine in the early 90s. In that era you really needed something like that to seed an address book (or circle of trust) because everything from your browser to search engines was so primitive. If I remember right, some of the addresses in that map were just IP addresses and it made no difference at all. You were going to type something odd into the URL bar anyway so, who cares if it's random numbers or a domain name. You were going to bookmark it if it was interesting regardless.

      Not too long after that, you could type something like, "dell.com" into the url bar and be pretty sure you'd end up where you expected to be because it was becoming common for companies to have a presence on the web. For a few years, domain names were pretty useful because of this but, quickly after that, the domain name landgrab started and the idea of guessing a url became less commonplace (whitehouse.com... enough said) that the internet was best navigated by search engines. Then browsers started featuring a search bar right next to the url bar because that was a more reliable way to get where you wanted to go. After that, plain old url bars started to be replaced by "smart" url bars that would try to figure out where you wanted to go based on history, bookmarks, etc.

      Basically, who even uses domain names for navigation now? In firefox, if I hit Ctrl-L and type "dell" it's going to find it in my history and take me where I wanted to go. If I hit Ctrl-K (which, is far, far more likely than hitting Ctrl-L now) and type "dell" it's going to lead me to the same place. I've found the place I was looking for before I've even made a DNS query for it. So, why bother having DNS at all? If 99.99% of my DNS queries could just as easily be resolved by bookmarks, history, /etc/hosts, smart url bars and search engines, what possible value does DNS offer me over global static IPv6 addresses? A domain name and an IPv6 address are equally as unlikely to be typed into my url bar.

    14. Re:Static IPv6 addresses for everyone. by scdeimos · · Score: 1

      And while we're at it, you do realize a vast vast vast majority of virus infections do NOT come from people manually downloading and installing viruses, right? That most are from plugin exploits?

      Yeah, right. Because nobody at all falls for those "Your computer's time is out of sync!" or "A virus is trying to infect your computer!" popup messages. I had to pat my fiancée on the head just last week for clicking one of those... luckily she has a guest-like account, so almost no damage was done.

    15. Re:Static IPv6 addresses for everyone. by tirerim · · Score: 1

      You don't need to remember it -- that's what /etc/hosts is for. Copy it in once, and you can use a name just like it was registered.

    16. Re:Static IPv6 addresses for everyone. by Splab · · Score: 1

      Most people I know don't know their own phone number without looking in their contact list on their mobile phone...

    17. Re:Static IPv6 addresses for everyone. by Yaa+101 · · Score: 1

      But you are going to remember thousands of domain names?

      How about bookmarking the IP Numbers?

      I only use IP numbers when I am doing things like SSH sessions to keep off MITM attacks...

      I would have no trouble using IP only in my browser when needed, and that time is nearing fast.

    18. Re:Static IPv6 addresses for everyone. by lordmetroid · · Score: 1

      You run your own address book. Just like in your cellphone.

    19. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 0

      I had to pat my fiancée on the head just last week for clicking one of those

      You slapped the bitch?

    20. Re:Static IPv6 addresses for everyone. by Ash-Fox · · Score: 1

      who even uses domain names for navigation now?

      I can speak for myself when I say that I do. I don't rely on the "smartbar" or search engines for the most part. I would have a hard time remembering IP addresses or random characters.

      --
      Change is certain; progress is not obligatory.
    21. Re:Static IPv6 addresses for everyone. by imakemusic · · Score: 1

      But before everyone had a phonebook in their pocket most people could remember their friends' phone numbers...

      --
      Brain surgery - it's not rocket science!
    22. Re:Static IPv6 addresses for everyone. by Ash-Fox · · Score: 1

      But you are going to remember thousands of domain names?

      google, quickfox, subnova, slashdot, zimbra etc. are far easier for me to remember than a bunch of numbers. So, yes, far more likely to remember thousands of domain names than IP addresses.

      --
      Change is certain; progress is not obligatory.
    23. Re:Static IPv6 addresses for everyone. by Ash-Fox · · Score: 1

      You run your own address book. Just like in your cellphone.

      What? Why on Earth would my mobile phone be manually run!? I much prefer it to automatically download all my contact details that are usually having a few contacts which have minor changes every month off facebook, Zimbra, Skype etc. which it does right now.

      --
      Change is certain; progress is not obligatory.
    24. Re:Static IPv6 addresses for everyone. by Vernes · · Score: 1

      You can't because you don't.
      Do and you will.

    25. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 0

      Know your IP address like you know your phone number.

      I don't know my phone number. But that's ok, I never call myself, and even if I would I'm sure I'd get a busy tone

    26. Re:Static IPv6 addresses for everyone. by Anonymous Coward · · Score: 0

      Come on! Everyone knows Internic never checked their logs, never changed their password, and you could *always* use them as your first hop when hacking.....

    27. Re:Static IPv6 addresses for everyone. by rdnetto · · Score: 1

      It depends on your luck. Mine is really simple, I got ::1

      --
      Most human behaviour can be explained in terms of identity.
    28. Re:Static IPv6 addresses for everyone. by SanityInAnarchy · · Score: 1

      Then how do I get the IP for Slashdot in the first place?

      And how would a static IPv6 address solve anything, anyway? The same organization that's ultimately responsible for DNS is also ultimately responsible for assigning IP addresses.

      --
      Don't thank God, thank a doctor!
    29. Re:Static IPv6 addresses for everyone. by Douglas+Goodall · · Score: 1

      I hate this idea for the same reason I hate the current CA system. I wasn't paying that much attention to the relationship of verisign and netsol, but it seems verisign (who bought thawte) has a veritable monopoly on server certificates. A perfect example of how that goes bad was the issuing of the bogus microsoft.com signing cert that compromised microsoft's active X controls. A little bit of social engineering, and poof, there goes another rubber tree plant.

      Oh the idea is elegant, I give Anthony that. But the only entity I can trust is the LORD GOD and if we could get him to sign certificates (root@universe.org), then we could really have a chain of trust. Another part of what is going wrong is the IPV4 system, whose shortage of addresses gives ICANN the power to charge big bucks for IP allocations, and to make policy about how addresses are granted, and to whom. I don't have a workable better idea, but hanging the IP's and domains off the CA's (commercial assholes) bothers me.

    30. Re:Static IPv6 addresses for everyone. by Anthony+Mouse · · Score: 1

      A perfect example of how that goes bad was the issuing of the bogus microsoft.com signing cert that compromised microsoft's active X controls. A little bit of social engineering, and poof, there goes another rubber tree plant.

      This is the problem with any trusted party. You get the same thing with existing DNS. Basically any solution you can come up with to prevent Go Daddy from changing your DNS entry to point at some other server can be used to prevent your CA from signing certificates on your domain for people who aren't you.

      But the only entity I can trust is the LORD GOD and if we could get him to sign certificates (root@universe.org), then we could really have a chain of trust.

      Right, trust is a problem. But you only have two choices: Either you trust someone who doesn't fully deserve it, or you verify everything yourself. And good luck convincing the general public to do the latter.

      The advantage with CAs is that nobody actually has a monopoly and there is, monetarily at least, a low barrier to entry. The biggest barrier is that if you want to be a CA you have to be someone people trust. And I agree that most of the existing CAs are "commercial assholes" -- but why does it have to be that way? Don't we have people that we can trust, at least as much as we trust Verisign? Why can't we have the people who make Debian or run the Pirate Party or work for the EFF or La Quadrature du Net operate a noncommercial certificate authority that could sign a certificate for wikileaks.org? Don't we have all kinds of great encryption schemes where you can let any five out of a group of eight people in eight countries sign a certificate without any of them being able to do it individually even under coercion? This can't be an unsolvable problem.

  5. But... by Aerorae · · Score: 0

    FTA-
    "His plan involves the creation of a dns root server to begin with that uses PEER-TO-PEER technology and is SECURE"

    uh...I'm pretty sure those two things normally don't go together...

    1. Re:But... by Josh+Triplett · · Score: 3, Informative

      Many secure peer-to-peer systems exist, generally based on cryptography; often they provide more security than centralized systems.

      For instance, Tor uses secure cryptography to provide anonymity in a way that just wouldn't work in a centralized system. i2p uses cryptographic security as well.

    2. Re:But... by Daniel+Phillips · · Score: 1

      "His plan involves the creation of a dns root server to begin with that uses PEER-TO-PEER technology and is SECURE"

      uh...I'm pretty sure those two things normally don't go together...

      I don't know where you got that idea from, have you never heard of network of trust?

      --
      Have you got your LWN subscription yet?
    3. Re:But... by icebraining · · Score: 1

      Sure they do. See Tor, I2P or Freenet.

    4. Re:But... by Anonymous Coward · · Score: 0

      Amen.

      I wish someone would hurry up and write a worm that creates Tor and Freenet nodes en masse.

    5. Re:But... by HelloKitty2 · · Score: 1

      I think you missed the point, you can have a, by your definition, "secure" system with SSL, but still have gaping holes in whatever is at the other end. Such as, idk... some well meaning Russian with lots of money to pay thepiratebay to join their "network". But with the business that thepiratebay is in, nothing is secure while in their hands in the first place.

    6. Re:But... by HelloKitty2 · · Score: 1

      As if nobody can snoop on, and redirect traffic, with tor...

    7. Re:But... by Josh+Triplett · · Score: 1

      I think you missed the point; I didn't give a "definition", I gave a few examples to make the point that P2P systems and security can indeed go together. The post I replied to seemed to have the impression that P2P and security didn't mix.

    8. Re:But... by icebraining · · Score: 1

      Not if you connect to a known SSH or SSL endpoint. Tor was designed to protect privacy, and it works even if the exit node is rogue.

    9. Re:But... by icebraining · · Score: 1

      Sorry, not privacy, anonymity.

    10. Re:But... by Ash-Fox · · Score: 1

      I gave a few examples to make the point that P2P systems and security can indeed go together.

      Is that why I ban TOR relay nodes on my IRC network since only ban evaders appear to use it? Great security strategy.

      --
      Change is certain; progress is not obligatory.
    11. Re:But... by Anonymous Coward · · Score: 0

      Is that why I ban TOR relay nodes on my IRC network since only ban evaders appear to use it?

      No, you block TOR relay nodes because you foolishly believe that an IP address uniquely identifies an individual.

    12. Re:But... by Ash-Fox · · Score: 1

      No, you block TOR relay nodes because you foolishly believe that an IP address uniquely identifies an individual.

      Nope, I don't. Why would I think that? That's just silly. You obviously have no grasp of what I am talking about.

      --
      Change is certain; progress is not obligatory.
    13. Re:But... by Burz · · Score: 1

      As if nobody can snoop on, and redirect traffic, with tor...

      Granted, but that's just Tor (and only with access to non-.onion domains). You can't do it with a network like I2P, because all destinations are .i2p (like .onion).

      The other things that make I2P different besides the constant security are that its built to handle P2P transfers and it has no central authorities.

    14. Re:But... by BitZtream · · Score: 1

      No they don't, if you knew anything about them you'd understand why they don't make anything more secure, they depend entirely on trusting that the others in your system are telling the truth.

      So instead of dealing with one registry that might be lying to you, you have to ponder if everyone on the internet is lying to you.

      Contrary to what you people think, peer to peer is 99.999999% time the WRONG way to do something.

      For instance, Tor breaks down completely if the entrance node doesn't 'follow the rules' and not tell anyone who you are. There are ways to take advantage of dirty intermediate nodes and exit nodes as well. But don't let reality cloud your judgement.

      P2P simply makes it harder to control, that's it.

      Harder to control is not a good thing for the DNS system.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    15. Re:But... by Josh+Triplett · · Score: 1

      There's no such thing as an "entrance node" in Tor; the first hop is encrypted, and at most the first node you contact can say "the system talking to me uses Tor". While that may cause you some problems in environments that prohibit use of Tor entirely, Tor doesn't have that as a security goal; Tor just ensures that nobody can figure out both endpoints, and it does that quite well as long as no one entity can control a significant fraction of the nodes on the paths you use.

      As for trust, you generally have to trust *someone* in a system, but you want to reduce the number of trusted entities to the minimum. For instance, when talking to example.org, you ideally only want to trust example.org to provide the content you expect; you shouldn't also have to trust "org" and the root to not take over the site.

      That doesn't mean you want naming by consensus, either; that could have the "everyone on the Internet is lying to you" problem you described.

      DNS (perhaps with DNSSEC) might even remain a reasonable protocol to use on individual domains, such as to allow "example.org" to provide "www.example.org" and "planet.example.org". However, having a central "org" registry with control over "example.org" puts control in the wrong place, and allows abuse.

  6. Good plan! by Anonymous Coward · · Score: 0

    Not so much to defend against the recording industry but there are countries (well 2 in particular) that want to control the internet. Imagine that kill-switch the US wants so badly... Wikileaks would be gone. So I think this is a fairly good plan, albeit with some major technical issues to overcome. The best way for everyone would be a system like tor/.onion. But with much better encryption and blind routing. Having said that, I wouldn't have a clue to implement it. One thing is for certain, there should not be 1 organization or 1 government with absolute powers over the internet. The internet is in essence like the air we breathe. A right, not a privilege in this day and age.

  7. Decentralized naming is hard by Josh+Triplett · · Score: 3, Insightful

    On the one hand, I absolutely want to see control over domain names taken out of anyone's hands (not just ICANN's).

    However, decentralized naming is a *hard* problem. Only one entity can control a given domain name, and something, either human or automated, must decide who gets that domain name. Whether by fiat or general consensus, some process must exist to handle the case where multiple people want the same name. ("First come first served" does not suffice unless you have fees or some other measure to prevent mass registration, and decentralized control makes those measures difficult.)

    (Numbers, by comparison, prove quite trivial; just use public keys. But people don't like typing in long numbers, they like typing in *names*.)

    1. Re:Decentralized naming is hard by hey! · · Score: 3, Interesting

      Hard it may be, but it has been solved, and all the necessary protocols and software exist to implement the solution. All you need is an alternative organization and the ability to convince the people you are interested in convincing to use the new servers.

      As for the policy challenges you mention, Mr. Sunde doesn't *like* the way ICANN solved those problems. In fact he detests it so much he's willing (or thinks he's willing) to chuck the policy and organization that controls it out the window. Or perhaps he'll figure out a way to use his preferred servers and fall back to ICANN's DNS.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Decentralized naming is hard by jack2000 · · Score: 1

      For starters mirror the current root dns but refuse to remove any domains if they were tampered with by the RIAA and the like.
      Remove all squatted/harvested domains. (It's easy to detect those), smarter people could think of what's next but this is a pretty good start.

    3. Re:Decentralized naming is hard by Anonymous Coward · · Score: 0

      Do you have a suggestion on how to fund it? I don't think the donation model works very often, and a paid model is tough to implement, making sure both paying people get the service, and that unpaid users don't drain the system too much.

    4. Re:Decentralized naming is hard by KonoWatakushi · · Score: 4, Interesting

      Why continue with the concept of name ownership at all? It should be technically impossible to own a name, in the same way that it should be impossible to monopolize ideas.

      Let people and entities use whatever name they want; the remaining problem is to verify that you are talking to the right host, but you should need to do that anyway. Invariably, any sort of central authority can and will be subverted. What is necessary is some other means of conveying trust, whether that is a web of trust, or some other out of band option.

      This is what I believe we should strive for. The distributed naming system and trust system are orthogonal problems, but need to integrate in a convenient way. So, it is still a hard problem, just not in the same way.

    5. Re:Decentralized naming is hard by JesseMcDonald · · Score: 2, Interesting

      The model underlying Bitcoin may provide a solution. Basically do the same thing, but with domains instead of virtual coins. The peers self-regulate the work required to solve the next block such that a fixed number of blocks (domains) are allocated per unit time; the allocation would be "first come first served", but there would be no possibility of mass registration. Once a name is allocated it can be updated at-will by the one holding its private key, or transferred to another user. Updates and transfers would take the place of Bitcoin's transactions, and be included as part of the next block.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:Decentralized naming is hard by rantomaniac · · Score: 1

      Using public keys as addresses would be pretty sweet, but how do you route traffic through a network with randomly distributed addresses? Ad-hoc routing can work on small scales, but there'd be serious issues making a global network like that.

    7. Re:Decentralized naming is hard by burris · · Score: 2, Interesting

      after Zooko: names can be secure, memorable, or global - pick two. DNS is memorable and global but not secure. Public keys are secure and global but not memorable.

    8. Re:Decentralized naming is hard by Tacvek · · Score: 2, Interesting

      In case you don't know, the root zone is a text file that is only a little over 200 kB. It has only a handful (relatively speaking) of domains. The official root zone is published, and you could set up your own DNS server that serves it. [1]

      The important servers are the gTLD zone servers. Those are the ones with millions of domains. They are the ones that the federal government is meddling with. They handle insane volumes of traffic [2]. To the best of my knowledge the gTLD zone files are not publicly published, meaning that it would not be possible to set up an alternative version of it like you seem to be proposing.

      Footnotes:
      [1] Granted, you would need to set up your recursive DNS resolver to use your root server, but that is easy enough to do. Even DNSSEC would work fine in such, since DNSSEC only authenticates the response, and does not care who sent it.

      [2] Thankfully the DNS system has caching, or it would be cost prohibitive to continue to run the gTLD servers.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    9. Re:Decentralized naming is hard by complete+loony · · Score: 1

      There's no reason for DNS resolution to go through any centralised server. Use a distributed hash table to publish and retrieve records and sign them. Of course you'd still need a central authority to issue and sign certificates.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    10. Re:Decentralized naming is hard by shungi · · Score: 1

      What is necessary is some other means of conveying trust, whether that is a web of trust, or some other out of band option.

      This is what I believe we should strive for. The distributed naming system and trust system are orthogonal problems, but need to integrate in a convenient way. So, it is still a hard problem, just not in the same way.

      In a way, this is what Facebook does. (I know this won't be a popular opinion, and actually, I hate that I said it but it seems true).

    11. Re:Decentralized naming is hard by Josh+Triplett · · Score: 1

      For starters mirror the current root dns but refuse to remove any domains if they were tampered with by the RIAA and the like.

      Remove all squatted/harvested domains. (It's easy to detect those), smarter people could think of what's next but this is a pretty good start.

      That wouldn't solve the problem; that would just move control from a group that *definitely* shouldn't have it to a group that would make it marginally better in a few narrow cases. I said "decentralized" because I'd like to see a system where *nobody* has that control. I don't just want to see a centralized system with a different center.

    12. Re:Decentralized naming is hard by Josh+Triplett · · Score: 1

      Why continue with the concept of name ownership at all? It should be technically impossible to own a name, in the same way that it should be impossible to monopolize ideas.

      Let people and entities use whatever name they want; the remaining problem is to verify that you are talking to the right host, but you should need to do that anyway. Invariably, any sort of central authority can and will be subverted. What is necessary is some other means of conveying trust, whether that is a web of trust, or some other out of band option.

      I'd gladly use a system like that. You can trivially "name" systems using their public key fingerprints, which then just means you need to *find* those sites. Right now, people find those sites three ways: they use a search engine like Google and get a link (not a problem), they follow a link from another site (not a problem), or they type in an address (problem). To handle that last one, note that the address has to come from somewhere; that source could always provide things like QR codes or other mechanisms to identify a particular address without having to enter the whole thing.

      Good luck migrating from the existing system, though.

    13. Re:Decentralized naming is hard by Josh+Triplett · · Score: 1

      Using public keys as addresses would be pretty sweet, but how do you route traffic through a network with randomly distributed addresses? Ad-hoc routing can work on small scales, but there'd be serious issues making a global network like that.

      That's actually an easier problem, known as "location-independent identifiers". Most ad-hoc routing protocols tend to flood-fill the network, either when calculating routes or when routing packets. However, ad-hoc routing protocols do exist that avoid flooding, and those protocols can scale.

      Virtual Ring Routing can handle Internet-scale networks by treating them like small-world networks, using the same mechanism distributed hash tables use: treat the addresses as a ring, and use a combination of your physical neighbors and your "virtual" neighbors on the ring to cross long distances. A later paper on VRR showed that it scaled quite well with the size of the network, both in the expected length of the routing path and the expected number of routing table entries needed on each node.

      We got a team of students to develop an implementation of VRR for Linux, and Microsoft Research has an implementation for Windows.

      So yes, we can solve the routing problem easily enough. We just need some way to handle naming that the general public will put up with.

    14. Re:Decentralized naming is hard by Josh+Triplett · · Score: 1

      There's no reason for DNS resolution to go through any centralised server. Use a distributed hash table to publish and retrieve records and sign them. Of course you'd still need a central authority to issue and sign certificates.

      That decentralizes the boring bit of the problem. You still have to trust the central authority to not abuse their power, and that doesn't work.

    15. Re:Decentralized naming is hard by aaaaaaargh! · · Score: 1

      How about this: Use random numbers as names and translate them to IP addresses. Then let end users translate from names of their choice to such a number. So e.g. you visit site 16252672 and if you want, you can tell your browser to know it by the name of "Apple" -- or "expensive crap", just as you like. The browser translates "expensive crap" to 16252672 and a DNS server translates 16252672 to 17.149.160.49.

      I would much prefer this system over the one we have now.

    16. Re:Decentralized naming is hard by Josh+Triplett · · Score: 1

      Doesn't really help; browsers have bookmarks already. That doesn't solve the problem of helping users get to a site from some well-known name. And IP addresses aren't as stable as names.

    17. Re:Decentralized naming is hard by Anonymous Coward · · Score: 0

      I vote for the Bitcoin model
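The Bitcoin-style allocation JesseMcDonald describes above, as an added sketch that is not code from the thread, from Bitcoin or from any naming project: proof of work rate-limits blocks, names are first come first served, and only the current key holder can update or transfer a name. Assumptions: Lamport one-time hash signatures stand in for ordinary public-key signatures so that only the standard library is needed, difficulty is fixed rather than retargeted by peers, each block carries one operation, and all names, seeds and addresses are constructed.

```python
import hashlib
from itertools import count

DIFFICULTY_BITS = 12   # fixed for the demo; the comment has peers retarget it
GENESIS = "00" * 32

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen(seed: bytes):
    """Lamport one-time key pair: 2 x 256 secrets and the hash of each."""
    sk = [[h(seed + bytes([bit]) + i.to_bytes(2, "big")) for i in range(256)]
          for bit in (0, 1)]
    return sk, [[h(secret) for secret in row] for row in sk]

def key_id(pk) -> str:
    return h(b"".join(pk[0] + pk[1])).hex()

def _bits(msg: bytes):
    digest = int.from_bytes(h(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveals one secret per message bit, so each key signs exactly once.
    return [sk[bit][i] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h(sig[i]) == pk[bit][i] for i, bit in enumerate(_bits(msg)))

def update_message(name: str, value: str, new_pk) -> bytes:
    # The signature covers the new value and the key that takes over the name.
    return f"{name}|{value}|{key_id(new_pk)}".encode()

def op_digest(op: dict) -> str:
    fields = (op["kind"], op["name"], op["value"], key_id(op["pk"]))
    return h(repr(fields).encode() + b"".join(op.get("sig", []))).hex()

def block_hash(prev: str, digest: str, nonce: int) -> str:
    return h(f"{prev}|{digest}|{nonce}".encode()).hex()

def meets_target(block_hex: str) -> bool:
    return int(block_hex, 16) >> (256 - DIFFICULTY_BITS) == 0

def mine(prev: str, op: dict) -> dict:
    """Search for a nonce; this is the work that rate-limits allocation."""
    digest = op_digest(op)
    for nonce in count():
        candidate = block_hash(prev, digest, nonce)
        if meets_target(candidate):
            return {"prev": prev, "op": op, "nonce": nonce, "hash": candidate}

def register(name, value, owner_pk):
    return {"kind": "register", "name": name, "value": value, "pk": owner_pk}

def update(name, value, current_sk, new_pk):
    """Update or transfer: pass your own fresh key, or the recipient's key."""
    sig = sign(current_sk, update_message(name, value, new_pk))
    return {"kind": "update", "name": name, "value": value, "pk": new_pk, "sig": sig}

class NameChain:
    """Validator: one operation per block (a simplification of the comment)."""

    def __init__(self):
        self.tip = GENESIS
        self.names = {}   # name -> {"value": str, "pk": current owner's key}

    def accept(self, block: dict) -> bool:
        op = block["op"]
        if block["prev"] != self.tip:
            return False                   # built on a stale tip
        if block_hash(block["prev"], op_digest(op), block["nonce"]) != block["hash"]:
            return False                   # hash does not match the contents
        if not meets_target(block["hash"]):
            return False                   # not enough work
        record = self.names.get(op["name"])
        if op["kind"] == "register":
            if record is not None:
                return False               # first come, first served
        elif op["kind"] == "update":
            msg = update_message(op["name"], op["value"], op["pk"])
            if record is None or not verify(record["pk"], msg, op.get("sig", [])):
                return False               # only the current key holder may write
        else:
            return False
        self.names[op["name"]] = {"value": op["value"], "pk": op["pk"]}
        self.tip = block["hash"]
        return True

if __name__ == "__main__":
    chain = NameChain()
    sk0, pk0 = keygen(b"constructed-seed-0")
    _, pk1 = keygen(b"constructed-seed-1")
    print(chain.accept(mine(chain.tip, register("example", "192.0.2.10", pk0))))
    print(chain.accept(mine(chain.tip, update("example", "192.0.2.20", sk0, pk1))))
```

Because every update names the next key, a transfer is simply an update whose new key belongs to someone else, and a signature made with a retired key no longer verifies.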

    18. Re:Decentralized naming is hard by BitZtream · · Score: 1

      All you need is an alternative organization

      So I'm guessing you have absolutely no clue what 'decentralize' means, do you?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    19. Re:Decentralized naming is hard by hey! · · Score: 1

      Decentralized doesn't mean there is no organization.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Why? by 0123456 · · Score: 4, Funny

    Can't he just ask the Chinese to redirect the domain to his server?

  9. We'll call it UCANNT... by moxley · · Score: 4, Insightful

    We'll call it UCANNT *rimshot*

    Universal Co-op for Assigned Names, Numbers and Timeservers

    Seriously though, I do think a backup system would be a good idea....It's needed in order to stop the growing attempts (that I think we're going to see a lot more of) to control, censor, filter, and police the internet....Due to the practicalities involved in how the system works, I am not certain how plausible it would be to have two competing systems while everything is working smoothly, and there are other points where the system could be messed with, but having a framework in place might not be a bad idea with the political realities we live in...

    1. Re:We'll call it UCANNT... by Anonymous Coward · · Score: 0

      It's not such a bad idea. In fact, make it a protocol different from DNS.. P2P-based, vote-based resolution. All it would take is an alternate DLL/.so for the new scheme, and an organized effort to support the new protocol as a drop-in replacement for DNS/bind. Sure it'll be a bit painful during the transition, but once there are win32 and linux libs that all apps can use, it'll be wonderful looking back at the quaint, centralized, vulnerable-to-hijacking-by-govts-and-corps DNS as the anachronism that it is.

    2. Re:We'll call it UCANNT... by Anonymous Coward · · Score: 0

      P2P vote-based? So you want to replace the current system with one that is vulnerable to hi-jacking by botnets?

  10. Part of me would like to do this. by hey! · · Score: 5, Interesting

    It's the same part of me that, were I holding a cigarette lighter and a stick of dynamite, would be tempted to light the stick and throw it like they do in the movies, just to see what an exploding stick of dynamite really looks like. There's been so much greed and stupidity around the DNS, and it would be so *feasible* for someone to set up an independent alternative, I'd sort of like to see what it would look like when the existing system is blown to kingdom come.

    However -- were I ever to be holding an actual stick of dynamite in my hands, the part of me that tends to say things like "this is not the optimum time to make an impulsive decision" would become quite strident. It's not that I would never, under any circumstance light a stick of dynamite and throw it. It's just that it being a really cool idea wouldn't be enough to make me try it until I'd thought through the consequences very, very carefully.

    And as it stands, the DNS system does me more good than it has ever harmed me, and likewise for the vast majority of people who use it. It might be that giving *serious consideration* to a competitive system would do a lot of good, but a competition between two systems in which both survived would almost certainly be a bad thing.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Part of me would like to do this. by camperdave · · Score: 1

      There are all sorts of alternative DNS systems: OpenDNS, UnifiedRoot, DNSAdvantage, just to name a few. The kick is getting people to use them.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Part of me would like to do this. by Anthony+Mouse · · Score: 1

      It might be that giving *serious consideration* to a competitive system would do a lot of good, but a competition between two systems in which both survived would almost certainly be a bad thing.

      So why not design a system that peacefully coexists with the existing system? For example, do something like this but if you would get NXDOMAIN in the specified system (perhaps the site has no certificate or has not uploaded it to the distributed root) then forward to the existing ICANN DNS root. If that system then fully succeeds and the ICANN DNS root becomes redundant, the ICANN root falls into disuse and the system perpetuates without it. If it ends up only being used by greybeards and EFF members then it still provides the stated benefits to those people without really hurting anything.
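The fall-through described above, combined with Tacvek's point that a root zone is a small text file, as an added example (not code from OpenNIC or from any resolver): it parses TLD delegations from two root-zone excerpts, consults the alternative root first, and forwards to the ICANN root only on a definitive NXDOMAIN. The zone excerpts, the nameserver names and the rule of not falling through when the alternative root is unreachable are assumptions of this example.

```python
from enum import Enum

# Constructed excerpts in the one-record-per-line layout of a root zone file.
# Every nameserver name below is made up for this example.
ICANN_ROOT = """\
; owner  TTL     class type data
.        518400  IN    NS   a.root.example.
com.     172800  IN    NS   a.com-registry.example.
com.     172800  IN    NS   b.com-registry.example.
com.     86400   IN    DS   12345 8 2 AB12CD34
biz.     172800  IN    NS   a.second-operator.example.
"""
ALT_ROOT = """\
geek.    86400   IN    NS   ns1.alt-operator.example.
biz.     86400   IN    NS   ns1.first-operator.example.
"""


class Status(Enum):
    FOUND = "found"
    NXDOMAIN = "nxdomain"        # the root answered: no such TLD
    UNAVAILABLE = "unavailable"  # timeout or SERVFAIL: no answer at all


def parse_delegations(zone_text):
    """Return {tld: set of nameservers} from the NS records of a root zone."""
    delegations = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 5:
            continue                      # blank, comment-only or malformed line
        owner, _ttl, rclass, rtype = fields[:4]
        if rclass.upper() != "IN" or rtype.upper() != "NS":
            continue                      # DS, SOA, glue A/AAAA and so on
        tld = owner.lower().rstrip(".")
        if not tld or "." in tld:
            continue                      # the root's own NS set, or not a TLD
        delegations.setdefault(tld, set()).add(fields[4].lower())
    return delegations


def lookup(delegations, name, reachable=True):
    """Ask one root which servers are authoritative for the TLD of `name`."""
    if not reachable:
        return Status.UNAVAILABLE, None
    tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
    servers = delegations.get(tld)
    if servers is None:
        return Status.NXDOMAIN, None
    return Status.FOUND, sorted(servers)


def resolve_layered(name, alt, icann, alt_reachable=True):
    """Alternative root first; ICANN root only on a definitive NXDOMAIN."""
    status, servers = lookup(alt, name, alt_reachable)
    if status is Status.FOUND:
        return "alt", servers
    if status is Status.UNAVAILABLE:
        # Falling through here would silently hand a shadowed TLD to the
        # other root's operator whenever the alternative root is unreachable.
        return "unavailable", None
    status, servers = lookup(icann, name)
    return ("icann", servers) if status is Status.FOUND else ("nxdomain", None)


def shadowed(alt, icann):
    """TLDs delegated in both roots to different nameserver sets."""
    return {tld: (sorted(alt[tld]), sorted(icann[tld]))
            for tld in alt.keys() & icann.keys() if alt[tld] != icann[tld]}


if __name__ == "__main__":
    alt, icann = parse_delegations(ALT_ROOT), parse_delegations(ICANN_ROOT)
    for name in ("wiki.geek", "www.example.com", "shop.biz", "host.invalid"):
        print(name, resolve_layered(name, alt, icann))
    print("alt root down:", resolve_layered("shop.biz", alt, icann, alt_reachable=False))
    print("shadowed:", shadowed(alt, icann))
```

The `shadowed` report is the part to watch when two roots coexist: for those TLDs the answer depends entirely on which root the resolver asks first.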

    3. Re:Part of me would like to do this. by grcumb · · Score: 1

      It's the same part of me that, were I holding a cigarette lighter and a stick of dynamite, would be tempted to light the stick and throw it like they do in the movies, just to see what an exploding stick of dynamite really looks like. There's been so much greed and stupidity around the DNS, and it would be so *feasible* for someone to set up an independent alternative, I'd sort of like to see what it would look like when the existing system is blown to kingdom come.

      However -- were I ever to be holding an actual stick of dynamite in my hands, the part of me that tends to say things like "this is not the optimum time to make an impulsive decision" would become quite strident. It's not that I would never, under any circumstance light a stick of dynamite and throw it. It's just that it being a really cool idea wouldn't be enough to make me try it until I'd thought through the consequences very, very carefully.

      Dude, you made it all the through that metaphor without once throwing in a firewall reference?!?

      Man, that's so lame, I oughta take this here stick o' dynamite and... hang on, let me think this through....

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  11. We have been here before by stox · · Score: 1, Offtopic

    Is Peter the illegitimate son of Karl Denninger? We had the same story 15 years ago.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:We have been here before by rs79 · · Score: 1

      Yeah the difference is, 15 years ago we had no compelling content. While people did switch in some small percent, and could see http://free.tibet/ or http://watch.gallery/ it was more of an experiment than anything else.

      TBB and Wikileaks might be the compelling content to give it critical mass though. We'll see.

      Discussions are already underway.

      --
      Need Mercedes parts ?
  12. google root ? Apple root ? MS Root by Anonymous Coward · · Score: 0

    Hhhmmm I can see good and bad on this one
    I like the idea of making it more difficult to implement censorship but I have a feeling I may end up with an Apple Web and a Google Web and governments will like this in the long term I suspect

  13. Let's fork the Internet by Megahard · · Score: 1

    People who talk about "the Internets" aren't clueless idiots after all, they're actually ahead of the rest of us.

    --
    I eat only the real part of complex carbohydrates.
    1. Re:Let's fork the Internet by Anonymous Coward · · Score: 0

      teh intarwebs?

    2. Re:Let's fork the Internet by Anonymous Coward · · Score: 0

      Don't worry - Comcast and Apple are already on it.

      .

  14. There already is one by gman003 · · Score: 5, Interesting

    OpenNIC. While it mirrors the ICANN addresses, it also adds several new TLDs (.oss, .geek, .parody, even .gopher) which can be easily used. This is but one of the many alternative DNS roots, but it's the most popular, and it's democratically-run.

    1. Re:There already is one by juliandemarchi · · Score: 2, Insightful

      I would like to encourage anyone interested in the alt-dns system like Peter, to join OpenNIC (http://www.opennicproject.org). It has great ideals, and is openly and democratically run. Anyone can join this great project and contribute to it. OpenNIC has been around since 2000, and is still going well!

    2. Re:There already is one by Darinbob · · Score: 2, Interesting

      What does "democratically run" mean? Every single user gets one vote, and all decisions no matter how trivial are voted upon? Or your vote depends upon how much you pay? Or you've got a core group of board members who vote?

      Saying something is democratic is like saying nothing because the term is too broad. Usually when I hear someone say "it's more democratic" they really mean "it works closer to the way I want". Who's to say ICANN is not democratic? They've got board members who vote. Sure it's not as "democratic" as some would like but it certainly wasn't set up as a dictatorship or monarchy.

      And the ICANN did not steal any domain; they took a directive from WIPO. The links in the summary above are very misleading and extremely one sided. Basically someone forgot to reregister IFPI.COM (probably some IT guy lost a job over it) and someone snagged it, then gave it (for free) to Pirate Bay. IFPI wanted it back and it was resolved by a WIPO ruling. The only problem is that it was not resolved the way that the anarchists wanted. No one in their right mind would think that the Pirate Bay acquired ifpi.com fairly and openly.

      One thing that could be fixed is to lock down lapsed domain names for a period of time unless the original owner explicitly gives it up, thus preventing squatters from coming in.

    3. Re:There already is one by flyingfsck · · Score: 1

      Yeah, one would think that a true geek like Peter would know about OpenNIC, or at the very least google before trying to start something new.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    4. Re:There already is one by juliandemarchi · · Score: 2, Informative

      What does "democratically run" mean? Every single user gets one vote, and all decisions no matter how trivial are voted upon? Or your vote depends upon how much you pay? Or you've got a core group of board members who vote?

      Democratically run in this instance, means that users who join the OpenNIC mailing list, have the power to vote if they wish on any issue. Anything done within OpenNIC, is first discussed with the members, then motioned for a vote. The down side is, things move slowly, but that's the price you pay to have such a system. If a new user has an idea, they can start a discussion and have that idea voted on, then acted upon. Everyone has a voice.

    5. Re:There already is one by xnpu · · Score: 1

      Which part of Guy A forgets to take it so Guy B walks away with it is not fair?

      I forgot to renew a domain name myself, now some other guy owns it. It sucks balls and I wish I had the resources to get it back, but sure it's entirely my own fault.

    6. Re:There already is one by rs79 · · Score: 1

      "And the ICANN did not steal any domain"

      They stole .biz from Leah Gallagos. Karl Denninger originally deployed it, then Leah took it over, then ICANN told somebody else to run it and accused Leah of "duplicating" it.

      That's right, the person that came first was accused by ICANN of "duplicating" the "real one".

      At the time they said "oh it was in an alternative root, it doesn't count". But you'll note there are now 13 "ICANN sanctioned alternative roots" that act as testbeds for international domains.

      That is, some TLDs are in alternative roots before they go into the ICANN roots.

      But these are ones that pay into the ICANN ecosystem.

      Follow the money.

      Look especially at the 990's of ISOC and PIR and ICANN. They're out there if you look.

      --
      Need Mercedes parts ?
  15. So, basically a modern Alternic? by jbeach · · Score: 1
    Or at least, what Alternic was trying to do before Eugene Kashpureff hijacked the "mainstream" domain names to pass through Alternic, and split for Canada to try to beat the heat...

    http://en.wikipedia.org/wiki/Alternic

    --
    The Invisible Hand of the Free Market is what punches workers in the nuts.
    1. Re:So, basically a modern Alternic? by rs79 · · Score: 1

      That's not actually what happened. Eugene was working in Toronto at the time, but he'd lost funding and went back to Oregon, got drunk and hijacked the Internic out of anger. When he realized what he'd done the next day he drove around going "oh shit oh shit" in the US for a while, then went back to Canada. He knew they'd get him, but he wasn't gonna make it painfully easy for them. He was picked up when he stepped out to smoke a bowl of hash on Queen st. They sort of ignored that. He spent the next few weeks (and xmas) in prison in Canada, then was extradited to the US, made a deal with the feds to explain how he did it to Mark Kosterrs of NSI so they could fix it, and got probation for, I think, a year. He went back to work for iname/name.com where he worked long enough to make a mil or so in stock then took off in a boat for a couple of years.

      Goddamit I was trying to forget about those years. (shakes head) Eugene (rolls eyes)

      --
      Need Mercedes parts ?
    2. Re:So, basically a modern Alternic? by jbeach · · Score: 1
      Took off in a boat for a couple of years? That's pretty awesome, at least in theory. I guess having a nice cash cushion would make that a lot easier.

      I liked Alternic. I was sad to see them flame out like that. It really did present the potential for a freer Internet, where yearly fees wouldn't be siphoned off for a limited number of top-level domains...the .sex domain also being a fine idea IMHO.

      but sorry to bring back the memories....

      --
      The Invisible Hand of the Free Market is what punches workers in the nuts.
    3. Re:So, basically a modern Alternic? by rs79 · · Score: 1

      Brian Reid once commented that "the problem with the DNS mess is that all the players have such bizarre personalities" and Eugene was certainly no exception; he was both the best and the worst of it. He innovated, built the first alt root server network and got the message out there in a way nobody else did, but when he hijacked the internic the trust factor evaporated literally overnight and everybody switched back the next day. By "everybody" I mean ISPs and companies, a few individuals didn't. And it wouldn't have been so bad if this had just affected alternic, but it didn't, nobody trusted any alternative root ever again. He both created and killed that movement.

      When it worked it worked and worked well and was so transparent to the user even the ICANN people used it and didn't even realize they were sending mail to "newdom@alter.nic" - it just worked.

      Vixie went out of his way to kill it after that, his web proxy checked DNS, so even if you used your own dns servers and made a request of an IP address, if the web cache at your isp didn't agree with the DNS you got a 404, instead of a document from a website you already had an IP for.

      This of course seldom comes up in "net neutrality" discussions; the NN folks think this is acceptable. It's not of course, it's hypocrisy. Everyone is big on NN except their special case/vested interest.

      --
      Need Mercedes parts ?
  16. At last. by unity100 · · Score: 1

    someone has hit the headlines with the idea. it was long time coming. tho there are stuff like opennic (actually im using their dns now). these need more traction.

  17. Alternatives to the signed root by Anonymous Coward · · Score: 2, Interesting

    Well, most of us with half a brain _already_ don't trust ICANN at all. With the signed root, you really just need to push broken DS records to invalidate entire portions of the DNSSEC namespace. The UCSA (United Corporate States of America) is quite clear that it wants to retain control, AND wants to have a "kill switch".

    Well, DNSSEC *IS* by design a kill switch. It has to be, in order to work. So, we have the ccTLD root keys manually locked into our resolvers, not just the signed root. There are ways against a root blackout, if the trust anchors for the ccTLDs are still valid. We assume the gTLDs will be offline anyway, because even good people like the ones behind ISC don't want to be shot in the head for treason.

    Adding extra (signed!) namespaces is equally easy, you don't have to override the root. In fact, you do not WANT to override the root, running a root server is not something you can do without lots of preparation, and *real* DoS-shielded setups. A _simple_ root server takes: Two BGP routers (one does the forwarding, the other keeps the BGP prefix up with the next_hop of the forwarding router, to make sure any DoS does not migrate to the next node should this one go down), two hardware linespeed load balancers (gigabit ethernet at least), and four to six root servers. Add two hardware linespeed traffic scrubbers if you cannot just lose that root node to a DDoS.

    The root server runs a specific software that only does authoritative DNS/NSEC1 *very fast*, and they don't contain much data, you need TLD node farms for that. Non-joke root servers (serving more than 10GB/s) are considerably larger (the same size as a TLD server farm). And the routing and traffic scrubbing hardware is damn expensive.

    So, that's about US$ 100k per small anycast root node, and >US$ 1M for really large ones. And you need around 200 of those around the world if you want to do a proper job, latency to root servers has to be *low*. And a new TLD that is to be used for real would need a lot of the really large nodes.

    So, you really want some sort of P2P DNSSEC, to switch from a centralized model to a distributed model. You will NOT be able to wrestle the TLDs from UCSA control otherwise.

    Good luck, it is a _hard_ problem.

    1. Re:Alternatives to the signed root by rs79 · · Score: 1

      no, not dnssec, dnscurve

      --
      Need Mercedes parts ?
  18. We have no other choice by unity100 · · Score: 1

    a p2p, encrypted, decentralized DNS system. this is what we need.

    we also need to migrate all domain ownerships currently existing in icann registry to it though. else, smartasses or squatters will grab people's domains.

    1. Re:We have no other choice by juliandemarchi · · Score: 5, Informative

      This is already in the works at; http://dot-p2p.org/index.php?title=Main_Page .p2p will soon be incorporated into OpenNIC.

    2. Re:We have no other choice by rs79 · · Score: 1

      This is already in the works at;

      http://dot-p2p.org/index.php?title=Main_Page .p2p will soon be incorporated into OpenNIC.

      ^^No other post on this page matters. This is the one to pay attention to, folks.

      --
      Need Mercedes parts ?
  19. God I hate twitter by Gadget_Guy · · Score: 1

    How stupid is it that the summary about the lost domain is double the length of the page that it links to (234 vs 117 characters)? I clicked the link to get more information, not less!

    Back on topic, there is a price that you pay for a fairly unregulated domain name market, and that is the occasional stuff up as described here. I have had the opposite problem in the past, attempts to get a domain transferred have been held up despite the owner agreeing to the transfer. Admittedly, losing a name is far worse than the temporary hassles of delays in transferals.

    1. Re:God I hate twitter by Darinbob · · Score: 1

      The stuff-up in this case is that Pirate Bay managed to acquire someone else's domain name in the first place.

    2. Re:God I hate twitter by BLKMGK · · Score: 1

      That they failed to renew right? It wasn't stolen, it was up for grabs - yes?

      --
      Build it, Drive it, Improve it! Hybridz.org
    3. Re:God I hate twitter by rs79 · · Score: 1

      Exactly.

      --
      Need Mercedes parts ?
  20. Yippee! by MacGyver2210 · · Score: 1

    Every page on the web can now have its own Wikipedia-style disambiguation page!

    --
    If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    1. Re:Yippee! by slackbheep · · Score: 1

      The real question is how many of these alternate options would be entirely populated by porn sites named after popular websites.
      Facebook of Sex, indeed.

  21. Someone make DNSLeaks.org! by Anonymous Coward · · Score: 0

    1 - Save a history of DNS resolutions like Archive.org does for all important websites

    2 - Wait for the government to censor

    3 - Get loads of visitors to your site to get the last cached IP, while the site owner updates his site to redirect visitors to the new domain name

    4 - Profit!

  22. Non Profit by retech · · Score: 2, Interesting

    So by a non profit organization they actually mean that when their bills are paid their salary just keeps increasing? This is just as much a scam as the single family owned and operated ISBN system. It's a wonder that anyone on this planet trusts a US based business anymore.

  23. ICANN is mostly lawyers by snsh · · Score: 1

    ICANN started out as real geeks, then became a bunch of fake geeks, now is a bunch of lawyers, and is destined to become a bunch of business executives until it finally becomes a bunch of ex-elected officials. That's how these organizations evolve once they become responsible for handling real power.

    1. Re:ICANN is mostly lawyers by rs79 · · Score: 1

      You can't have been there. I was and I can tell you ICANN was a behind the scenes end run around the geeks by a bunch of corporate types and lawyers from the get-go.

      --
      Need Mercedes parts ?
  24. How long . . . by OverlordQ · · Score: 1

    . . . till he gets bored of it and it disappears, and all the users are SOL?

    slopsbox anyone?

    --
    Your hair look like poop, Bob! - Wanker.
  25. Badly Broken, but Can't Be Fixed by billstewart · · Score: 1

    ICANN isn't in the Internet Protocol business, they're in the Intellectual Property business. It's about Trademark Control Protectionism, not Transmission Control Protocol. And the people who run the real root servers don't work for ICANN, but they do cooperate with them, and any attempts at alternate roots failed years ago, for reasons that aren't going to change.

    Furthermore, if you want to start an alternate naming business, you can hang it off the existing DNS structure as myroot.someTLD so real people can find it, and then try convincing customers that they should buy theirname.yourTLD.myroot.someTLD from you because 0.0001% of the population can access it as theirname.yourTLD using your root. If you've got a spare couple hundred thousand dollars, write up a proposal to ICANN about why your project is cool enough and they might sell you your own real TLD, but the catch is that "competing with ICANN" isn't a business plan they're interested in, and "selling names in a .sex TLD for Profit" is a plan that other people with far more money than you have already been trying to sell them on.

    If you don't like that, you could try buying a country code TLD from some small country. Most of the good ones already realize their commercial value, and ICANN has been trying to bully all the CCTLD administrations for years, with some success, and a lot of random small countries end up deciding that they don't like the business plan you've spent big bucks promoting because they're Islamic Republics and they're shocked to discover that there's porn on the internet, though in some cases they can become less shocked for a sufficiently large cut of the profits. But maybe you'll think up a clever naming convention that you can sell to somebody; it can't be clunkier than bit.ly.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Badly Broken, but Can't Be Fixed by HelloKitty2 · · Score: 0

      Sad that people are even taking anything that Peter Sunde, or anyone that has anything to do with thepiratebay, as serious. It's simply a publicity stunt because they haven't been in the media for a while.

  26. The internet belongs to the world... by Camael · · Score: 1, Interesting

    ...and its running should not be subject to the whims of any organisation like IFPI or RIAA, nor the arbitrary laws of any country, even the US of A.

    Do it, now.

  27. OpenNIC by Anonymous Coward · · Score: 2, Insightful

    Instead of starting another alt-root DNS system, would it not be better to work cooperatively with an already heavily established alt-root system, such as OpenNIC (http://opennicproject.org), they've proven previously that, unlike ICANN, they have a working democratic system to their DNS management!

    1. Re:OpenNIC by Ryaether · · Score: 1

      I agree, it would be nice to see him work with OpenNIC. I imagine this could turn exciting with ICANN's abusive incentive and OpenNIC's potential.

  28. Flashback by Jrabbit05 · · Score: 1

    It'll fail like the buy sealand bit if they manage it the same way. Why duplicate efforts?

  29. This is sort of a lousy article posting. by Al+Dimond · · Score: 1

    The link on the text "lost a domain" points to Mr. Sunde's Twitter feed, providing me with one sentence in his own words stating exactly what the summary did. That's pointless. The whole reason I'd click a link is to get more information about the situation described, preferably from a neutral source (or one that acknowledges its bias). Similarly, a link on the text "suspicious of ICANN for a long time" suggests a resource indicative of that long time, not one stupid tweet.

    I actually sort of like Twitter, but you're using it wrong, /. blurb writers!

    1. Re:This is sort of a lousy article posting. by Vernes · · Score: 1

      Investigative journalism died a long time ago.
      Even its bones have turned to dust.

      All we have left is reality shows.

  30. Create a new domain.com.unique by Anonymous Coward · · Score: 0

    Create a new domain with .unique at the end for new root. Once you have something unique to reference by, allow all people to create sub domain accounts under you, and then provide small dns driver updates for linux, mac and whatever else you favor.

    I think it's a great idea. It's hacker/admin dns that we can keep the noobies off of for a few years. Plus with the total control of our own DNS system, there's less for those in government to control who lean toward authoritarian government.

  31. Read my lips: No New Namespaces by Pete+McCann · · Score: 1

    The way to do this is to start inside the existing namespace: get yourself a short 2nd-level domain and start signing people up underneath it. Decide on your own policies for who gets what sub-domains and delegate them out. I'd suggest making WHOIS privacy the default policy, but be sure to keep a chain of accountability so that you aren't providing a spam haven.

    The fun starts when the Man comes to confiscate your 2nd-level domain. At that point, if you're big enough and enough people depend on the services resolvable under your domain, you need to do a PR campaign appealing directly to the resolver community and ask them to configure a special exception for your 2nd-level, pointing directly at your nameservers. Gets even more interesting with DNSSEC as they will need to add a DS record as well. You will need an alternative means to publish your KSK to the world. There are some interesting enhancements being proposed for the RPKI to allow this kind of sub-domain exception policy, but we need a few additions to DNS and DNSSEC to make it work smoothly.

    I'm all for a new set of policies, but you've got to give props to the current root.
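The DS-record step mentioned in comment 31 above, as an added example that is not part of the original thread: a resolver operator derives the DS record from a KSK published out of band (RFC 4034 digest and key tag) and compares it with a digest obtained over a second channel. The zone name `alt.example.`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed placeholder key material (not a real key): 64 bytes, the size of
# an ECDSA P-256 public key (DNSSEC algorithm 13).
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical owner name: lower case, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a KSK."""
    if flags & 0x0101 != 0x0101:   # need Zone Key and SEP bits, i.e. a KSK
        raise ValueError("not a key-signing key (expected flags 257)")
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64, validate=True)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest   # digest type 2 = SHA-256

def matches_published(ds, published_hex):
    """Compare against a digest obtained over a second channel."""
    cleaned = "".join(published_hex.split()).upper()
    return hmac.compare_digest(ds[3], cleaned)

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("alt.example.", 257, 3, 13, SAMPLE_KSK_B64)
    print("alt.example. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

A resolver that installs the exception should accept the key only when `matches_published` is true for a digest fetched independently of the key itself.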

  32. The Google Solution by transporter_ii · · Score: 1

    Google has already started testing alternative DNS servers, which I guess would operate somewhat like OpenDNS. What they need to do is start its own top level domain and offer DNS resolution to this domain.

    Sites on this domain are indexed in with everything else, no special treatment. When someone searches and a result is displayed, clicking on mytorrent.goo resolves for people using google's DNS servers or puts an IP address in URL for those that aren't.

    Possibly a browser plugin that would make everything transparent. Kind of like new.net...BUT WITHOUT THE FREAKING MALWARE.

    New.net had a good idea if only they hadn't managed to come off looking like the Russian mafia attempting to install spyware on your computer. That and issuing competing top level domains such as .xxx

    If google did this, but only with a good top level domain, I think they could pull it off. And good luck getting them to pull web sites without the proper authority to do it...

    Heck, they might even could sell domain names for a fair price and people might actually buy them.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    1. Re:The Google Solution by LostCluster · · Score: 1

      ICANN is a government-funded project... you have to ask where all competitors get their funding from.

    2. Re:The Google Solution by rs79 · · Score: 1

      ICANN isn't government funded. Never has been.

      It was started with a loan floated by Jones Day arranged by Joe Sims. Jones Day has since made gazillions on legal fees. Since then it's been funded by... you. A portion of every domain name sold funds ICANN. Their oversight is NTIA/US Department of Commerce. Their oversight is the US Congress.

      --
      Need Mercedes parts ?
    3. Re:The Google Solution by kiddygrinder · · Score: 1

      are you suggesting one source of funding is better than the other?

      --
      This is a joke. I am joking. Joke joke joke.
    4. Re:The Google Solution by TheRaven64 · · Score: 1

      Google has already started testing alternative DNS servers

      'DNS server' is a horribly overloaded term. Google operates a public DNS cache, which performs recursive queries to return results. This is distinct from the authoritative servers, which define the domain name hierarchy.

      --
      I am TheRaven on Soylent News
  33. What if google were to side step DNS altogether? by transporter_ii · · Score: 1

    What if they offered a "top level domain name" and resolved only this domain with a browser plugin...and by IP address if the browser did not have the plugin?

    It has gotten to the point that a lot of people do not type in URLs anymore anyway, they do a search and click on the first link. I despise this, but I have gotten so used to searching google that I sometimes do it without even thinking about it.

    This would totally take the steam out of someone trying to swipe any names on this "domain," and the web site would still be available to a large percentage of the Internet.

    If it were to take off, it would even give people more of a reason to visit google. They could advertise, "all of the Internet, and then some."

    A cool TLD name, and people might even pay for a name on it.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  34. BWAHAHAHAHA by SteeldrivingJon · · Score: 1

    "That is the only way that we can get a truly free internet."

    You're high. Apparently you're thinking this organization would be made up of member states like "Rock Candy Mountain Land", "Santa's Republic of the North Pole" and "Stallmanistan".

    Look at the freakin' UN:

    The UN has removed a reference to sexual orientation from a resolution condemning arbitrary and unjustified executions.

    The UN General Assembly resolution, which is renewed every two years, contained a reference opposing the execution of LBGT people in its 2008 version. But this year's version passed without any reference to gay rights after a group of mostly African and Asian countries, led by Mali and Morocco, voted to remove it.

    Gay rights groups fear the move -- which passed in a narrow 79 to 70 vote -- will act as a signal that persecuting people for their sexual orientation is internationally acceptable

    Complain all you want about the US, but the majority of nations in the world aren't particularly freedom-loving.

    --
    September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
    1. Re:BWAHAHAHAHA by SuricouRaven · · Score: 1

      I can imagine large companies breaking off puppet divisions purely so that they can qualify for a separate seat, and then using this voting power to decide that public-interest groups like the EFF don't have any real vested interest in internet governance.

  35. Slashdot reported on IFPI domain being taken by PB by hajus · · Score: 1

    I remember reading about the PB taking over the domain name of the IFPI and putting a website in its place calling it the 'International Federation of Pirate Interests'. It was all done legit as far as I remember. If ICANN gave it back to the recording industry arbitrarily, then yeah, I can see Peter's point. ICANN should behave by the consistent rules on this rather than taking a single company's word "That was ours, but we forgot to renew the name." and take the domain from some new name owner.

  36. Beware of ICANN and NUNAMES by Anonymous Coward · · Score: 0

    Have no faith in ICANN, they are working for themselves and for their partners, more or less crooked ccTLDs like Nunames.

    Nunames takes back any domain it wants, to keep for their own use or to resell on SEDO and put the profit in their own pockets.

    1. Re:Beware of ICANN and NUNAMES by Ash-Fox · · Score: 1

      Have no faith in Anonymous Coward, they are working for themselves and for their partners, more or less crooked trolls like GNAA.

      --
      Change is certain; progress is not obligatory.
  37. Zero-One-Infinity rule by Anonymous Coward · · Score: 0

    Ever heard of the Zero-One-Infinity rule (if not, JFGI)?

    I'm not at all saying that this shouldn't happen... just that you should keep in mind that if you do create more roots, you will not be able to have exactly two. It will, varying over time, be somewhere between two and infinity.

    Any problems that will deal with the conflict between the ICANN root and a second root must scale to an infinite number of roots.

    I don't believe that it's an insoluble problem. I'm just sayin'.

  38. create a .hosts file and prioritize above dns by keneng · · Score: 1

    It doesn't have to be a complicated system. Have a web server somewhere with a well-known static ip serving up SunDeNS hostnames and ip addresses.
    Have some kind of script retrieving frequently requested hostnames and placing them in a local .hosts file.
    Prioritize looking up the .hosts file before the regular DNS and voila SunDeNS is alive and coexisting with regular DNS.
    By that I mean if the SunDeNS doesn't have the hostname requested, it will look into the regular dns for the hostname.

    1. Re:create a .hosts file and prioritize above dns by imakemusic · · Score: 1

      What about if I register facebook.com (or better still some-online-bank.com) on SunDeNS and make a website that looks identical to the original? There wouldn't be any way to tell the difference other than by comparing IP addresses and somehow knowing which one is right, would there?

      --
      Brain surgery - it's not rocket science!
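The hosts-first lookup from comment 38 and the collision its reply points out, as an added example that is not part of the original thread: a downloaded list is audited before installation so that entries shadowing names outside the alternate namespace are set aside. The sample list, the stand-in for regular DNS answers, the `.unique` suffix policy and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample of a downloaded alt-root list in hosts-file format.
ALT_HOSTS = """\
# addr          name
192.0.2.10      tracker.unique
192.0.2.66      Bank.Example.     # collides with a name in the regular DNS
198.51.100.7    wiki.unique
not-an-ip       broken.unique
"""
# Constructed stand-in for answers from the regular DNS (no network access).
REGULAR_DNS = {"bank.example": "203.0.113.5"}
ALT_SUFFIXES = (".unique",)  # assumption: TLDs the alternate root may own

def norm(name):
    return name.rstrip(".").lower()

def parse_hosts(text):
    """Return {name: addr}, skipping comments and lines with a bad address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table[norm(name)] = addr
    return table

def audit(table, regular):
    """Split entries into those safe to install and those shadowing other names."""
    safe, shadowing = {}, []
    for name, addr in table.items():
        if name.endswith(ALT_SUFFIXES) and name not in regular:
            safe[name] = addr
        else:
            shadowing.append((name, addr, regular.get(name)))
    return safe, shadowing

def resolve(name, overrides, regular):
    """Hosts-first lookup that falls through to the regular DNS."""
    name = norm(name)
    return overrides.get(name) or regular.get(name)
```

Installing only the `safe` half keeps the fall-through behaviour for alternate names while regular names continue to resolve through the regular DNS.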
  39. C'mon guys, just use ip addresses by Rikiji7 · · Score: 1

    Feel free to send me an email at dontneednames@74.125.232.117

    --
    slashwhat?
  40. exactly by Anonymous Coward · · Score: 0

    Please mod this up. There is nothing in RFC2826 that precludes the use of an aggregate root. However, for full distributed operation, the domain system must be modified (or each client must be configured to know all roots in existence, which is unmanageable). One solution is to use NXDOMAIN referrals, i.e. "I don't know, but ask x::y:z:w for more information".

  41. That's it! I don't need your internet by Combatso · · Score: 1

    I'm gonna start my own internet, with booze and hookers...

    Actually, forget the booze.

  42. Search engines + bookmarks = No DNS by ElusiveJoe · · Score: 1

    What if every site suggested its own name?

    STEP 1: google what you need

    STEP 2: follow the link (technically ip address, actually a site description, like "Best cooking recipes")

    STEP 3: bookmark it (the site suggests a name for the bookmark which you can override)

    STEP 4: PROFIT!

  43. Don't replace the system, supplement it by mrnick · · Score: 1

    It should be:

    STEP 4: ?????
    STEP 5: PROFIT

    This won't work, this is what DNS fixes. The problem is that sometime after bookmarking it the site's IP address changes and thus breaks the link.

    Also, your solution moves from one central authority to another, from DNS to search engine.

    I'd like to keep using the current system but supplement it with an alternate one. If you want to get to torrents, etc, use the alternate system. New TLDs, new DNS, new certificate authorities, etc. Let whoever wants to run search engines.

    The big question is how do we keep the new system from being influenced like the current one has?

    --

    Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
  44. I2P counts as P2P because by Burz · · Score: 1

    it was built as a Tor-like network that supports P2P. So I wouldn't put Tor in the P2P category... they actually try to block torrents.

    I2P has peer-to-peer features like bittorrent built in. Another interesting thing is the webserver you get, and the fact that even a home ISP subscriber gets a stable/unchanging address no different from any of the big nodes... I2P makes the IP address-changing problem go away.

  45. Do you mean relay nodes or EXIT nodes? by Burz · · Score: 1

    I don't know why you would care about relay nodes.

  46. Already being done by Burz · · Score: 1

    Tor and I2P have PK addresses (for their .onion and .i2p domains respectively). They work well with random address assignment because they are a layer on top of the regular Internet. That's no problem at least for I2P: you keep the same .i2p address even if your regular IP address keeps changing.

  47. Non-transferable domains by Anonymous Coward · · Score: 0

    The current system is designed to generate rent for those in control of the system. This is the main reason the domains can be lost.

    I'd like to see a system where domains are **not transferable**. Cyber squatting? Solved. DNS censorship? Solved. Trade mark allegations? Solved. Personal domains for life? Solved.

  48. simple solution... by hitmark · · Score: 1

    kill non-national TLDs, and have the root servers only list the ip-addresses for the various national-TLDs.

    If USA then wants to kill some domain outside of .US, start talking to whatever nation runs that TLD.

    --
    comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  49. In need of Netsukuku mass adoption by Anonymous Coward · · Score: 0

    As long as something like ICANN is needed... the system is broken

    Something like Netsukuku is needed: http://en.wikipedia.org/wiki/Netsukuku

    Osiris forums and Retroshare IM are only partial solutions
    http://en.wikipedia.org/wiki/Osiris_(Serverless_Portal_System)
    http://retroshare.sourceforge.net/index.html