Why Any Competing Whois Registry Model Is Doomed
CowboyRobot writes "In Paul Vixie's latest essay, he argues that the alternative to the Whois registry model is flawed and that we should be learning from the mistakes of the history of proposed alternatives to the DNS. 'Any proposal for a competing Whois registry model is as doomed by design and destiny as every alternative DNS system. Even if it succeeds at first, it would fail after copycatting occurred.'"
Unless it is a distributed DNS without some Gov/Icann/Corporate model.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
is there really that big of a concern or is this just some essay for the sake of saying something and getting yet another "who?" name in a story
Paul and I have been disagreeing about this sort of thing for decades now.
OK, Vix: incorporate copycatting into the technical and economic model, then, instead of insisting that the current model is the only possible one. Solve a problem instead of institutionalizing it!
Think of where we'd be if we had insisted that DNS could never work, that we'd have to always use host tables, that the download capacity of the rs.internic.net system and the maximum file size of its filesystem was the limiting factor of the size of the internet.
Free your mind! We can distribute name services in more than one way - government & corporate bottlenecks and interceptions are not a 'feature', they are a bug.
A distributed domain name system exists. Right now. Today.
http://en.wikipedia.org/wiki/Namecoin
Here is the tl;dr version for the ones that won't read TFA:
You can't have a distributed system that creates an unique and arbitrary resource without cooperation between the peers. Without communication among them there will be duplication. People that think it is possible are fools.
Didn't Paul Vixie write cron? Well, if he did, then he has no credibility in my book, because cron is a flaming piece of shit.
Give me Microsoft Task Scheduler any day of the week, Paul Vixie.
"Vixie" doesn't even sound like his real name.
TinyUrl, another example of an internet phenomenon where great success breeds copycats, which breed confusion, which in turn breeds failure.
Why don't we begin with IID (International Identity) for every person living on this earth?
I propose to build a system called IIDS (International Identity System) for every person living on this earth. There are about 6 billion people living on this earth. If we use 37 alphanumeric characters (a,b,c,...,z,0,1,2,...,9,_), not case sensitive, we need 7 characters to cover 6 billion people. [37^7 is about 95 billion].
IID number is internationally unique. Let me start with my own IID : hantart, since my name is Hantarto Widjaja.
This IID can be used for very general purposes. And it'll be very useful for the future. IID treats and sets everybody equally as a person, no discriminations on race, religion, gender, nation, education level, income, age, social status, military or civil, etc. (no discrimination in all aspects).
Now, we have many identity numbers, such as our bank accounts no., student registration no., driving licence no., credit cards no., address, e-mail account, national ID no., telephone/fax/mobile phone no., etc. With IID, you just remember one thing, that is the IID. You don't need to know where someone is to call him/her.
To call someone, you do not need to dial numbers, you just dial hantart/phone. Also to e-mail me, you just type hantart/email. And other, such as hantart/fax, hantart/address, hantart/office_address, hantart/mobile_phone, hantart/homepage, etc. This idea can be extended not only to person, but also to institutions, companies, organizations, schools, universities, etc.
Let us popularize this IID system. In the future, you can communicate with everybody as easily as he/she is in front of you. The goal of this project is to connect every person in the world. People say two heads are better than one. Others say, if the thinking power of a head is ten, then thinking power of two heads is ten powered by two. And the internet is very good thing in bringing IIDS into reality.
Why whois when you already know who I is? hahaha.
Let's assume for the purposes of argument, however, that an alternative Whois system is created and enough network operators trust it that this alternative system becomes operationally relevant and that a non-RIR resource transfer regime becomes practical. Does anybody really believe that there would be only one alternative Whois system—no copycatting? Or as in the case of alternative DNS described earlier, would not the number of potential alternative Whois systems be limited only by available capital?
(emphasis added) Duplicate systems can contain differing information, and be trusted at different levels. People do this all the time. The author's unstated premise is that the goal is 'a definitive, trusted, answer' and not some variable level of trust (or confidence) in the answer. Think Encyclopedia Britannica; not Wikipedia.
Inevitably, however, the same network would appear to be registered to different operators in different Whois systems since freedom from transfer limitations is the stated reason for the very existence of the alternative systems.
Do we trust a top-down, hierarchical system controlled by a single entity more than a distributed system based on varying levels of trust? That question has been asked and answered on the internet and we all know how it plays out.
tomorrow who's gonna fuss
Rather than just sitting back and watching as ICANN allows the demands of money to corrode an essential function of the network, DNS root operators can coordinate, using their leverage to effect change to ICANN and its governance.
IP addresses of the root servers to bootstrap the entire system are configured in countless millions of DNS servers. What is ICANN going to do, send out a memo asking the entire network to please update their root list?
There are solutions to ICANN which do not involve fragmenting the system. All that is required is for the operators with power to effect change to coordinate to send a message which can not be ignored.
If your "alternative whois" is DESIGNED to balkanize the Interwebs then it will be a success by definition.
Totalitarian governments and companies or schools that want to make certain areas not only "off limits" but redirected to "their" version of the web site are no doubt doing this already.
Adware-driven bogus-dns setups likely do this as well.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Obligatory XKCD: http://xkcd.com/927/
It had to be said
No it didn't. Everything in the internet is designed to be distributed. There is no reason why you can't have multiple DNS trees. If one maps aaa.example.com to 192.168.0.1 and the other maps it to 192.222.0.1 nothing breaks. They are just different namespaces. Go ahead and yell and scream that every domain must map to one and only one IP but the truth is that it doesn't. The internet would still function, just differently than some people expect it to. Obviously if I want to follow a link on your web page then I need to follow it in your namespace, but that's an implementation detail.
ISPs already know that multiple namespaces don't break anything. Why do you think they're all cashing in on NXDOMAIN pages?
Many companies do split horizon DNS. Internal address lookups give different views than external ones, and sometimes the same domain has different addresses.
So if an alternate DNS shows up that returns the same results as the ICANN DNS except it doesn't block access to sites that the US Gov doesn't like, then what's the problem? And if it creates a new TLD and sells addresses for half the cost of the .com addresses, what's the problem with that? People using the legacy DNS won't see the blocked addresses or the new addresses, but nothing bad happens to them.
I have long held that competing DNS root systems *can* work - and in fact have been working for long time.
The issue is not whether there is one singular catholic DNS root, but rather the degree of consistency between competing roots.
We all accept that internet users dislike surprise - they will not like any DNS root that gives surprising (or misleading or fraudulent) answers. That's why any DNS root that gives surprising DNS answers will quickly be shunned.
What is intriguing about competing DNS roots is that they provide a way around ICANN and around ICANN's choices - and ICANN's fees and ICANN's trademark-over-everything-else policies.
I wrote a note on this topic some years ago - "What would the internet be like had there been no ICANN?" at http://www.cavebear.com/cbblog-archives/000331.html
I don't think many people are getting the point of this article, although I admit it is a bit confusing. While it is true that the article talks about alternative DNS systems and WHOIS, what Paul really seems concerned about is the part of the WHOIS system used to look up who is currently allowed to use a given IP address range, and is responsible for activity originating from it.
The current authorities which run this part of the WHOIS system have rules and restrictions about how and why IP address blocks on the Internet can be assigned from one party to another. Among the things cited by the article which currently are not permitted are obtaining IP addresses for perceived future needs when you have not already exhausted what you have, or simply buying IP addresses for no use at all, speculating they can be sold for more money later.
Some parties do not like these rules, and want to establish their own system for buying and selling IP addresses which is not subject to the rules currently in place. They could kind-of do this right now, but the transfer of ownership would not be recorded in the old system.
This is potentially a bad thing, as suppose someone attacks you from IP address 1.2.3.4. And for some reason, reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information or the fact the IP block had been sold in one system, but forgot to do so in another?
get your hosts files now
haha mpaa suckers
I'll be amused to see your business model and your adoption rate, and your plan for making it useful for some people before convincing everybody in the world to adopt it, and your plan for dealing with privacy and spam and identity theft and spam and with people who have multiple email addresses and multiple phones and one-use email addresses to avoid spammers, and ....
And if you do manage to sell any significant number of users on wanting it, somebody's quickly going to decide to create the domain iids.com, so you'd get the domain name hantart.iids.com and user abc1234 will get the domain name abc1234.iids.com, and now you're back inside DNS.
Meanwhile, if you're giving out names, I'm Number6.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Yes, it did have to be said. That's what top-down hierarchical naming systems are for, and why they work, in spite of early arguments like Pike&Weinberger's The Hideous Name article on Plan9's locally-based namespace, and Peter Honeyman's pathalias work that made uucp bang-paths much more scalable back when we used those, and my general anarchist ranting about not wanting to let some bunch of bureaucrats decide what I'm going to call my computers. ISPs do mostly know that multiple namespaces break things - that's why NXDOMAIN pages only get used when there's No Such Domain, and the ISPs who do that usually implement it in a way that breaks applications other than http-port-80 and maybe smtp-port-25 and they don't care.
Another reason that you can't have multiple DNS trees is that DNS contains a mechanism for fixing that - if you've got your DNS tree with aaa.example.com and Eugene has his aaa.example.com, you can both be replaced by a very small shell script that turns yours into aaa.example.com.smallpond.altroots.net and his into aaa.example.com.kashpureff.altroots.net, and suddenly you've been assimilated and there's just one namespace again.
Users want namespaces that point them to the correct place, so that somebody can say "I'm at thisdomain.com" and anybody in the world can use it, and "users" includes both the owners of the name and people using that name to retrieve content. Otherwise we need to use namespace assimilation (if we want to keep DNS syntax) or start bang-pathing everything (if we'd rather use mixed syntaxes.)
None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)
Bill Stewart
There's certainly room in the Marketplace of Ideas for namespaces that work in ways other than hierarchies controlled by the Trademark Gods. Also, DNS is both a namespace and a delivery system for that namespace running on a distributed set of name servers - it's possible to run the delivery system of DNS in many different ways, and in fact we've seen a transition of most of the upper levels from conventionally-routed IP to anycast, and a wide range of different kinds of servers people use for their subdomains.
But DNS can still assimilate those namespaces into subdomains, so you end up with example.com.torrentfreak.com and 432423542345652423423deadbeef32142.namecoin.com and so on.
Bill Stewart
None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)
Does the arena contain saltpeter, coal, bamboo, and diamonds? Do I have to tear my shirt open?
This is potentially a bad thing, as suppose someone attacks you from IP address 1.2.3.4. And for some reason, reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information or the fact the IP block had been sold in one system, but forgot to do so in another?
There is another layer that is not discussed in TFA that uses whois and routing announcements to help verify routing. Routing databases like RADB are required by most BGP transit providers and all peering exchanges will use something like peerdb.com to help track their members too. The transit providers like to know where to send the bill for the bandwidth used by an IP block and peering exchanges like to enforce their rules. IP blocks are assigned to people and companies that can change locations and providers. In the attack scenario, if a PTR record for the IP was not found, search for the nameserver of the reverse zone; if that is missing, do a traceroute and pick the previous hop to report to the IP's provider. All datacenter/network providers have a no abuse/spam clause in their contracts where they can disable/terminate service.
The reality is that no one can buy an IP address. They are all leased from the RIRs and IANA. The RIRs can ask for the IPs back at anytime.
BTW 192.0.2.0/24 is the IP block for examples.
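The fallback ladder the post above describes (PTR record of the IP, then the nameserver of the enclosing reverse zone, then the hop before the IP in a traceroute) is easy to get wrong by hand, so here it is as an added example that is not from the thread or from any of its posters. It runs offline against a constructed stand-in for DNS answers and traceroute output (the `FAKE_DNS` and `FAKE_TRACE` tables and every hostname in them are invented); the addresses come from the documentation blocks the post mentions (192.0.2.0/24) plus 198.51.100.0/24 and 203.0.113.0/24 from the same RFC 5737 set.

```python
"""Locate whom to contact about traffic from an IP address when the usual
reverse lookup fails, following the order given in the post: PTR record,
then NS of the closest enclosing reverse zone, then previous traceroute hop.
Added example; DNS and traceroute data below are constructed, not real."""
import ipaddress

# Constructed stand-in for DNS answers: owner name -> {rrtype: rdata}.
# A real tool would query a resolver; the names here are invented.
FAKE_DNS = {
    "10.2.0.192.in-addr.arpa": {"PTR": "mail.example.net"},   # PTR exists
    "2.0.192.in-addr.arpa": {"NS": "ns1.isp.example"},        # reverse zone has NS
}

# Constructed stand-in for traceroute output: destination -> hops in order.
FAKE_TRACE = {
    "198.51.100.7": ["198.51.100.1", "198.51.100.5", "198.51.100.7"],
}


def reverse_zones(ip):
    """Return the reverse-DNS name of ip followed by each enclosing reverse
    zone, e.g. 7.100.51.198.in-addr.arpa, 100.51.198.in-addr.arpa,
    51.198.in-addr.arpa, 198.in-addr.arpa. Works for IPv6 (ip6.arpa) too."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    # Drop one leading label at a time; keep the two-label suffix (in-addr/ip6 + arpa) out.
    return [".".join(labels[i:]) for i in range(len(labels) - 2)]


def find_abuse_target(ip, dns=FAKE_DNS, trace=FAKE_TRACE):
    """Return (method, target) for the first rung of the ladder that answers:
    ('ptr', hostname), ('reverse-zone-ns', nameserver),
    ('previous-hop', ip_of_hop_before_target) or ('unknown', None)."""
    zones = reverse_zones(ip)

    # 1. PTR record of the address itself.
    ptr = dns.get(zones[0], {}).get("PTR")
    if ptr:
        return ("ptr", ptr)

    # 2. Nameserver of the closest enclosing reverse zone (the party that
    #    operates reverse DNS for the block, usually the provider).
    for zone in zones[1:]:
        ns = dns.get(zone, {}).get("NS")
        if ns:
            return ("reverse-zone-ns", ns)

    # 3. Hop before the address in a traceroute (its upstream).
    hops = trace.get(ip, [])
    if ip in hops and hops.index(ip) > 0:
        return ("previous-hop", hops[hops.index(ip) - 1])

    return ("unknown", None)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.99", "198.51.100.7", "203.0.113.1"):
        print(addr, "->", find_abuse_target(addr))
```

Whatever the ladder returns is only a starting point: as the post says, the RADB entry and the provider's abuse contact from whois are the records that actually tell you where the report should go, and the traceroute rung is the least reliable because the previous hop may belong to an unrelated transit network.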
will be supplanted by something else and he fears this more than anything else? Think about it.
From such a well respected author, the suggestion that some competition should be classed as arrogance comes as a surprise to say the least. The world is no longer a Pangaea; it fragmented a long time ago. The one stop shop Pangaea has become a group of competing countries all with various agenda, all contactable using the same telephone numbers, but of course via different country codes. The DNS is following the same path. Competition is to be expected, yet the aim is not always to smash the opponent. Sometimes it’s there to add intrinsic value (whether or not the other side chooses to see it that way). With the DNS for example, as well as Dotcoms, there are now Dashcoms. Yes, success breeds copycats. It has also been known to breed evolution, innovation and improvement.
Another reason that you can't have multiple DNS trees is that DNS contains a mechanism for fixing that - if you've got your DNS tree with aaa.example.com and Eugene has his aaa.example.com, you can both be replaced by a very small shell script that turns yours into aaa.example.com.smallpond.altroots.net and his into aaa.example.com.kashpureff.altroots.net, and suddenly you've been assimilated and there's just one namespace again.
This isn't a mechanism for "fixing" anything. It is a mechanism for demonstrating exactly what I said, that multiple DNS trees can coexist on the internet.
Users want namespaces that point them to the correct place, so that somebody can say "I'm at thisdomain.com" and anybody in the world can use it, and "users" includes both the owners of the name and people using that name to retrieve content.
The correct place? You've drunk the kool-aid. Maybe you also buy star names from the International Star Registry. Of course if I want anyone in the world to connect to my domain using the "One, True, Correct, Canonical Name" then that name has to be in every nameserver. Now please tell me how I get to the domains that have been pulled out of the ICANN database by the US government, even though they are registered and reside in other countries?
Otherwise we need to use namespace assimilation (if we want to keep DNS syntax) or start bang-pathing everything (if we'd rather use mixed syntaxes.)
None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)
It does not require defeating them in single combat. I could walk around them through the alternate root door. However they are closing that off by pushing DNSSEC so that they can have absolute control of DNS.
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122
Now?
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:
1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that website's users' dismay:
PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:
----
An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM
http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars
"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."
and
"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"
Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!
----
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).
6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs