Peter Sunde Wants To Create Alternative To ICANN
An anonymous reader writes "According to Peter Sunde's Twitter feed, he has been suspicious of ICANN for a long time. The non-profit corporation is tasked with managing both the IPv4 and IPv6 address spaces as well as handling the management of top-level domain name space including the operation of root nameservers. Sunde has lost a domain in the past because of the way ICANN acted. It was taken without any consultation on their part, instead the organization relied on information from recording industry group IFPI to change the domain ownership. But it seems for some reason his frustration has come to a head recently, and he has put a call out for help to create a competing root server."
An alternative name registry service would do wonders to cripple the whole "internet censorship" bandwagon that has been going on recently. Blacklists? Rendered at the very least 2X as difficult to implement on a national scale, simply because the clients you are attempting to prevent from accessing content can reach that content by using the alternate name resolution service.
It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.
Do it. Do it now.
No more of this Pansy DNS crap. Know your IP address like you know your phone number. Cut these clowns off at the legs. Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software... Take charge by taking responsibility from those who don't care and don't know!
It's the same part of me that, were I holding a cigarette lighter and a stick of dynamite, would be tempted to light the stick and throw it like they do in the movies, just to see what an exploding stick of dynamite really looks like. There's been so much greed and stupidity around the DNS, and it would be so *feasible* for someone to set up an independent alternative, I'd sort of like to see what it would look like when the existing system is blown to kingdom come.
However -- were I ever to be holding an actual stick of dynamite in my hands, the part of me that tends to say things like "this is not the optimum time to make an impulsive decision" would become quite strident. It's not that I would never, under any circumstance light a stick of dynamite and throw it. It's just that it being a really cool idea wouldn't be enough to make me try it until I'd thought through the consequences very, very carefully.
And as it stands, the DNS system does me more good than it has ever harmed me, and likewise for the vast majority of people who use it. It might be that giving *serious consideration* to a competitive system would do a lot of good, but a competition between two systems in which both survived would almost certainly be a bad thing.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Hard it may be, but it has been solved, and all the necessary protocols and software exist to implement the solution. All you need is an alternative organization and the ability to convince the people you are interested in convincing to use the new servers.
As for the policy challenges you mention, Mr. Sunde doesn't *like* the way ICANN solved those problems. In fact he detests it so much he's willing (or thinks he's willing) to chuck the policy and organization that controls it out the window. Or perhaps he'll figure out a way to use his preferred servers and fall back to ICANN's DNS.
OpenNIC. While it mirrors the ICANN addresses, it also adds several new TLDs (.oss, .geek, .parody, even .gopher) which can be easily used. This is but one of the many alternative DNS roots, but it's the most popular, and it's democratically-run.
Well, most of us with half a brain _already_ don't trust ICANN at all. With the signed root, you really just need to push broken DS records to invalidate entire portions of the DNSSEC namespace. The UCSA (United Corporate States of America) is quite clear that it wants to retain control, AND wants to have a "kill switch".
Well, DNSSEC *IS* by design a kill switch. It has to be, in order to work. So, we have the ccTLD root keys manually locked into our resolvers, not just the signed root. There are ways against a root blackout, if the trust anchors for the ccTLDs are still valid. We assume the gTLDs will be offline anyway, because even good people like the ones behind ISC don't want to be shot in the head for treason.
Adding extra (signed!) namespaces is equally easy, you don't have to override the root. In fact, you do not WANT to override the root, running a root server is not something you can do without lots of preparation, and *real* DoS-shielded setups. A _simple_ root server takes: Two BGP routers (one does the forwarding, the other keeps the BGP prefix up with the next_hop of the forwarding router, to make sure any DoS does not migrate to the next node should this one go down), two hardware linespeed load balancers (gigabit ethernet at least), and four to six root servers. Add two hardware linespeed traffic scrubbers if you cannot just lose that root node to a DDoS.
The root server runs specific software that only does authoritative DNS/NSEC1 *very fast*, and they don't contain much data, you need TLD node farms for that. Non-joke root servers (serving more than 10GB/s) are considerably larger (the same size as a TLD server farm). And the routing and traffic scrubbing hardware is damn expensive.
So, that's about US$ 100k per small anycast root node, and >US$ 1M for really large ones. And you need around 200 of those around the world if you want to do a proper job, latency to root servers has to be *low*. And a new TLD that is to be used for real would need a lot of the really large nodes.
So, you really want some sort of P2P DNSSEC, to switch from a centralized model to a distributed model. You will NOT be able to wrestle the TLDs from UCSA control otherwise.
Good luck, it is a _hard_ problem.
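The trust-anchor point in the comment above is easy to demonstrate. What follows is an added example (my code, not from the thread and not ISC's or anyone else's resolver): it models the DS to DNSKEY chaining step of DNSSEC validation with per-zone trust anchors, computing RFC 4034 key tags and SHA-256 DS digests for real, but it does not verify RRSIGs, and every key and zone in it is constructed test data. It shows why a resolver that has the .de anchor pinned never consults the root's DS for .de (so a broken DS pushed into the root changes nothing for .de names, and a withdrawn root anchor does not break them either), while a name outside any pinned zone is left unvalidated.

```python
"""DNSSEC chain-of-trust walk with per-zone trust anchors (added example,
constructed data; models DS->DNSKEY chaining only, not RRSIG checks)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex the key belongs to, e.g. "de."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key bytes (constructed below)
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode()
    return out + b"\x00"


def ds_from_dnskey(key: DNSKEY) -> DS:
    """The DS record a parent (or a trust-anchor file) publishes for this key."""
    digest = hashlib.sha256(wire_name(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def zone_chain(name: str) -> list[str]:
    """Ancestors of name from the root down, e.g. ['.', 'de.', 'example.de.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." if labels[i:] else "."
            for i in range(len(labels), -1, -1)]


def validate(name: str, anchors: dict, dnskeys: dict, delegations: dict) -> str:
    """anchors: zone -> set[DS] pinned in the resolver; dnskeys: zone -> its KSK;
    delegations: parent -> {child: set[DS] the parent serves}.
    Returns "secure", "insecure" (no anchor / unsigned delegation) or "bogus at <zone>"."""
    chain = zone_chain(name)
    anchored = [z for z in chain if z in anchors]
    if not anchored:
        return "insecure"
    # The closest enclosing anchor wins, so anything above it (a tampered DS
    # in the root, or a missing root anchor) is never even looked at.
    start = chain.index(anchored[-1])
    expected = anchors[anchored[-1]]
    for i in range(start, len(chain)):
        key = dnskeys.get(chain[i])
        if key is None or not any(ds == ds_from_dnskey(key) for ds in expected):
            return f"bogus at {chain[i]}"
        if i + 1 < len(chain):
            expected = delegations.get(chain[i], {}).get(chain[i + 1], set())
            if not expected:   # real validators also demand an NSEC proof of DS absence
                return "insecure"
    return "secure"


def constructed_key(zone: str, seed: str) -> DNSKEY:
    # Constructed stand-in for a real public key: deterministic bytes from a seed.
    return DNSKEY(zone, 257, 13, hashlib.sha256(seed.encode()).digest())


def demo() -> dict[str, str]:
    root = constructed_key(".", "constructed root KSK")
    de = constructed_key("de.", "constructed .de KSK")
    site = constructed_key("example.de.", "constructed example.de KSK")
    keys = {".": root, "de.": de, "example.de.": site}
    good_ds_de = ds_from_dnskey(de)
    bad_ds_de = DS(good_ds_de.key_tag, 13, 2, b"\x00" * 32)   # digest pushed broken
    honest = {".": {"de.": {good_ds_de}}, "de.": {"example.de.": {ds_from_dnskey(site)}}}
    hostile = {".": {"de.": {bad_ds_de}}, "de.": {"example.de.": {ds_from_dnskey(site)}}}
    root_only = {".": {ds_from_dnskey(root)}}
    root_and_de = {".": {ds_from_dnskey(root)}, "de.": {good_ds_de}}
    de_only = {"de.": {good_ds_de}}   # root anchor withdrawn / root blacked out
    return {
        "honest root, root anchor only": validate("example.de.", root_only, keys, honest),
        "broken DS for de., root anchor only": validate("example.de.", root_only, keys, hostile),
        "broken DS for de., de. anchor pinned": validate("example.de.", root_and_de, keys, hostile),
        "no root anchor, de. anchor pinned": validate("example.de.", de_only, keys, honest),
        "no root anchor, name outside de.": validate("example.com.", de_only, keys, honest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:40} -> {result}")
```

The same closest-anchor rule is what BIND and unbound apply when several anchors are configured, so pinning ccTLD KSKs is a configuration change, not new software; the caveat is that the pinned DS sets then have to be rolled by hand whenever those ccTLDs roll their KSKs, or the resolver starts returning bogus for exactly the zones you tried to protect.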
Why continue with the concept of name ownership at all? It should be technically impossible to own a name, in the same way that it should be impossible to monopolize ideas.
Let people and entities use whatever name they want; the remaining problem is to verify that you are talking to the right host, but you should need to do that anyway. Invariably, any sort of central authority can and will be subverted. What is necessary is some other means of conveying trust, whether that is a web of trust, or some other out of band option.
This is what I believe we should strive for. The distributed naming system and trust system are orthogonal problems, but need to integrate in a convenient way. So, it is still a hard problem, just not in the same way.
So by a non-profit organization they actually mean that when their bills are paid their salary just keeps increasing? This is just as much a scam as the single family owned and operated ISBN system. It's a wonder that anyone on this planet trusts a US based business anymore.
The model underlying Bitcoin may provide a solution. Basically do the same thing, but with domains instead of virtual coins. The peers self-regulate the work required to solve the next block such that a fixed number of blocks (domains) are allocated per unit time; the allocation would be "first come first served", but there would be no possibility of mass registration. Once a name is allocated it can be updated at-will by the one holding its private key, or transferred to another user. Updates and transfers would take the place of Bitcoin's transactions, and be included as part of the next block.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
If redirecting NXDOMAIN to partnered search results pages and killing a bunch of anti-spam scripts
You mean an anti-spam technique (of fairly limited effectiveness) of reverse path validation, through making extra domain lookups for the forward DNS hostname of the Return Envelope, not called for by the SMTP RFCs, which also place extra (unwanted) load on DNS servers?
Please don't confuse ICANN with Network Solutions / Verisign (Sitefinder). By the way, the SiteFinder fiasco you refer to ended when ICANN was going to file a lawsuit against Network Solutions over "sitefinder" and reached a settlement. Settlement: ICANN agreed to discontinue the sitefinder service / stop wildcard resolving immediately, and will seek permission under ICANN rules before introducing any new service such as that. AND, also, the settlement gave Network Solutions a right to increase prices 7% every 4 out of the 6 years of every contract term after 2007, with no justification. But, in exchange, as part of this settlement, NSol's contract to be operator for the .COM / .NET TLDs was changed so ICANN guarantees to renew the contract perpetually at the end of every contract term (unless there is a proven breach). NSol can increase prices in 6 out of 6 years, if a cost justification is given in 2 of those years.
Note that back in 2007, .NET and .COM prices were capped by the registry at $6. Today they are approximately $8. Domain prices per domain are getting more expensive, and the stated justification is "higher volume of DNS queries"; what do you think about that?
So the whole 'sitefinder thing' was a win win win for Network Solutions, because ICANN essentially got themselves a free perpetual contract, which ICANN justifies on the basis of "A perpetual contract provides greater stability for the Internet"; never minding the fact the contract becomes less favorable for the community every year NSol chooses to raise prices.
Still... things are "stable", and doesn't matter that much that NSol got rewarded for their attempted sitefinder moneygrab does it?
endorsing ridiculously stupid shit like .eco, .xxx, .jobs and .tel happen
Apparently it wasn't that 'stupid'... I mean, someone had to pay $50,000 just to apply, and put significant capital down to have a registry that would meet ICANN's minimal technical standards for a stable registry. The letters in the TLD are just one factor; the decision to 'add a TLD' or not is almost all about the technical aspects of a proposed TLD and how many sites and domain registrars are interested in the TLD.
complying with a Department of Homeland Security request to remove a bunch of domains that contained material that infringes copyright should be the nail in the coffin for the useless stuffed shirts at ICANN.
ICANN just defines the rules and contracts the registry services; I believe you are again blaming ICANN for an individual registrar and US government thing.
ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.
Now there's something we can agree on. Unix hacker types could do better, if only they could get the financing, and backing from the corporate types.
It would probably be good enough though to have an association serving a different group of corporate whores.... for example, ISPs instead of the WIPO, RIAA, registrar, pro-squatter, and pro-advertising/pro-marketing folks.
after Zooko: names can be secure, memorable, or global - pick two. DNS is memorable and global but not secure. Public keys are secure and global but not memorable.
...and it's running should not be subject to the whims of any organisation like IFPI or RIAA, nor the arbitrary laws of any country, even the US of A.
Do it, now.
Absolutely. What needs to be done, and this will only be accomplished with enough international pressure, is to take control away from the US government. ICANN or no ICANN, the one in control is the US government.
Don't come with the "DARPA in the 60's" argument. It's not about what the net was 20 years ago, or 10 years ago, it's about what it's now: A worldwide network. That means it shouldn't be governed by a single country. We need to create a new council that will manage the internet:
It'll be an international council, with the following governing body:
- An official representative from each member country.
- A representative from each software/hardware development that plays a major role in the net. For example, the ISC (BIND, DHCPD), The Mozilla Foundation (Firefox), CISCO, etc. would get representatives.
- Other organizations and major players that are active participants of this thing we call the internet. For example, the IEEE, The Free Software Foundation, the EFF, Intel, Apple, Microsoft, etc. would get representatives.
None of these entities would get more than one representative even if they qualified in more than one category, and each representative gets one vote, and all votes count equally. We should also try to keep the number of members from each category sort of equal, so, considering ~190 countries, we should get 190 from the other two categories, for a grand total of ~600 members.
This entity would operate under its own constitution, and act as a democracy. The technical infrastructure would be absolutely distributed around the world, with enough redundancy and no central authority.
That is the only way that we can get a truly free internet.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
In case you don't know, the root zone is a text file that is only a little over 200 kB. It has only a handful (relatively speaking) of domains. The official root zone is published, and you could set up your own DNS server that serves it. [1]
The important servers are the gTLD zone servers. Those are the ones with millions of domains. They are the ones that the federal government is meddling with. They handle insane volumes of traffic [2]. To the best of my knowledge the gTLD zone files are not publicly published, meaning that it would not be possible to set up an alternative version of it like you seem to be proposing.
Footnotes:
[1] Granted, you would need to set up your recursive DNS resolver to use your root server, but that is easy enough to do. Even DNSSEC would work fine in such a setup, since DNSSEC only authenticates the response, and does not care who sent it.
[2] Thankfully the DNS system has caching, or it would be cost prohibitive to continue to run the gTLD servers.
No, that would give each individual government more control over its citizens. Giving them that power would quickly turn the internet everywhere into what it is right now in China.
Governments can't be individually trusted, and localized versions of the internet are a bad idea, against the very definition of the internet.
That's why in the scheme I propose, all countries together are only 30% of the votes. I am a wise-bearded Unix geek, and I still don't agree with turning control over to wise-bearded Unix geeks. We can be real assholes too :). No group of people can be fully trusted to make choices for all of us, that's why we need different groups with different interests to keep each other in line.
The chances that several governments, or several companies, or several software developers cooperate with each other to do something evil are very high. That's why we see things like the ACTA being passed by politicians from different countries, while 90% of the public disagrees.
Now, the chances of seeing the Free Software Foundation, CISCO, the US, Switzerland, Venezuela and the ISC cooperating to pass some terrible legislation is virtually nonexistent.