Slashdot Mirror


Why Any Competing Whois Registry Model Is Doomed

CowboyRobot writes "In Paul Vixie's latest essay, he argues that the alternative to the Whois registry model is flawed and that we should be learning from the mistakes of the history of proposed alternatives to the DNS. 'Any proposal for a competing Whois registry model is as doomed by design and destiny as every alternative DNS system. Even if it succeeds at first, it would fail after copycatting occurred.'"

10 of 63 comments

  1. Vixie is wrong. by Anonymous Coward · · Score: 2, Insightful

    Paul and I have been disagreeing about this sort of thing for decades now.

    I cannot think of a single supporting example; success breeds copycats, in all times and all places.

    OK, Vix: incorporate copycatting into the technical and economic model, then, instead of insisting that the current model is the only possible one. Solve a problem instead of institutionalizing it!

    Think of where we'd be if we had insisted that DNS could never work, that we'd have to always use host tables, that the download capacity of the rs.internic.net system and the maximum file size of its filesystem was the limiting factor of the size of the internet.

    Free your mind! We can distribute name services in more than one way - government & corporate bottlenecks and interceptions are not a 'feature', they are a bug.

    1. Re:Vixie is wrong. by bzipitidoo · · Score: 2

      I didn't find the article convincing either. Many assertions, few pieces of evidence. May as well argue that assigning driver license numbers to people can't possibly work unless a single controlling assigner keeps order.

      Seems there's a lot of dogma in the thinking of how the Internet should be managed. For instance, we could make another Internet. Instantly double the number of IPv4 addresses, since every address could be used twice. We could find some bit somewhere that we can use to distinguish them, allowing communication between the 2 Internets. Does such a proposition sound like heresy? And if we could do that, why not use a whole byte, and make 256 Internets? Or, as another example, a scheme to provide infinitely many addresses is easy. Sure, IPv6 has a huge space, but it isn't infinite and I expect that we will find so many uses we will run out sooner than anyone believes possible. Wouldn't surprise me if IPv6 doesn't even make it to 2100. A very simple way is the way C handles strings. Reserve '0' to mean the end of an IP address (what a waste reserving that for broadcasting), then we could have 192.168.1.2.3.4.5.1. ... .0. But we didn't do it because we're so stuck on the notion that packet headers have to be fixed sizes.

      We are being sold "address space" as THE reason to move to IPv6, and the other reasons are so seldom mentioned one should be excused for wondering why not just make a simple modification to IPv4? IPv6 allows much larger packets, and has a simpler, more streamlined header. A pity it has such a clunky human interface. I'm really not looking forward to changing from "ping 192.168.1.1" to something like "ping ff80:1::10a0:b1aa:b1aa".

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  2. Namecoin by Anonymous Coward · · Score: 4, Informative

    A distributed domain name system exists. Right now. Today.

    http://en.wikipedia.org/wiki/Namecoin

  3. tl;dr: Unique, arbitrary and distributed by vivaoporto · · Score: 3, Informative

    Here is the tl;dr version for the ones that won't read TFA:

    You can't have a distributed system that creates a unique and arbitrary resource without cooperation between the peers. Without communication among them there will be duplication. People that think it is possible are fools.

  4. Re:Vixie Cron by eln · · Score: 4, Informative

    He also wrote BIND, which had one of the most breathtakingly awful security records of any single piece of software for many years (the years during which he was the primary author, oddly enough). For a while there, it seemed CERT was issuing advisories for some new vulnerability in BIND that would grant root access to your entire network on a daily basis.

  5. Re:I dont follow by eln · · Score: 4, Insightful

    It's not that big of a concern, and that's the real reason any alternate DNS system is doomed to fail. Vixie's concerns with copycatting and whatnot may be justified, but the simple fact is the current system isn't painful enough for most people, even most network admins, to go to the trouble to switch to something different. Hell, IPv6 has been a standard for 15 years, and hardly anyone uses it. Sure, we'll all switch eventually when the pain of staying with IPv4 is greater than the pain of switching to IPv6. Similarly, if the pain of staying with the current whois system ever gets great enough to contemplate switching, people will do so. I don't see that happening in the foreseeable future, though.

  6. Re:I dont follow by bill_mcgonigle · · Score: 3, Insightful

    Hell, IPv6 has been a standard for 15 years, and hardly anyone uses it.

    But we can't deploy standards, only implementations.

    Windows 7, OSX Lion, and Fedora 16 will all handle IPv6 properly. Previous versions all have certain problems that need workarounds, and it's probably not worthwhile for most users if there are corner cases to worry about. And if you're not on an expensive commercial Internet pipe, you can't even get IPv6, except in limited trial locations for the big ISPs.

    When Windows 7 is where Windows XP is now, people will move over. But, hey, we've reached a real milestone where now it's all possible, so, yay 2011.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Re:There can be only one by Smallpond · · Score: 3, Informative

    It had to be said

    No it didn't. Everything in the internet is designed to be distributed. There is no reason why you can't have multiple DNS trees. If one maps aaa.example.com to 192.168.0.1 and the other maps it to 192.222.0.1 nothing breaks. They are just different namespaces. Go ahead and yell and scream that every domain must map to one and only one IP but the truth is that it doesn't. The internet would still function, just differently than some people expect it to. Obviously if I want to follow a link on your web page then I need to follow it in your namespace, but that's an implementation detail.

    ISPs already know that multiple namespaces don't break anything. Why do you think they're all cashing in on NXDOMAIN pages?

    Many companies do split horizon DNS. Internal address lookups give different views than external ones, and sometimes the same domain has different addresses.

    So if an alternate DNS shows up that returns the same results as the ICANN DNS except it doesn't block access to sites that the US Gov doesn't like, then what's the problem? And if it creates a new TLD and sells addresses for half the cost of the .com addresses, what's the problem with that? People using the legacy DNS won't see the blocked addresses or the new addresses, but nothing bad happens to them.
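
Split horizon as Smallpond describes it, written in BIND's own view syntax, as an added example that is not from the thread or from Vixie's essay. The zone file paths, the internal client ranges and the external address 192.0.2.1 (RFC 5737 documentation range) are this example's assumptions; the internal answer keeps the 192.168.0.1 from the comment.

```conf
// named.conf fragment (added example): one name, two answers, chosen by
// the source address of the query.  Views are matched in order, so the
// narrower match-clients list must come before the catch-all.
view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; };   // assumed internal ranges
    recursion yes;
    zone "example.com" {
        type master;
        // assumed file; contains:  aaa.example.com.  IN A 192.168.0.1
        file "zones/internal/example.com.db";
        allow-transfer { none; };                   // keep the inside map inside
    };
};

view "external" {
    match-clients { any; };
    recursion no;                                   // no open resolver for the world
    zone "example.com" {
        type master;
        // assumed file; contains:  aaa.example.com.  IN A 192.0.2.1
        file "zones/external/example.com.db";
    };
};
```

A query from inside the network never exercises the external view, so the check that 192.168.0.1 is not leaked has to be run from an address outside match-clients; the allow-transfer restriction on the internal view is there for the same reason, so that the internal zone file cannot be pulled by AXFR from outside.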

  8. Article is about IP Address sales, not DNS/WHOIS by Cerlyn · · Score: 3, Insightful

    I don't think many people are getting the point of this article, although I admit it is a bit confusing. While it is true that the article talks about alternative DNS systems and WHOIS, what Paul really seems concerned about is the part of the WHOIS system used to look up who is currently allowed to use a given IP address range, and is responsible for activity originating from it.

    The current authorities which run this part of the WHOIS system have rules and restrictions about how and why IP address blocks on the Internet can be assigned from one party to another. Among the things cited by the article which currently are not permitted are obtaining IP addresses for perceived future needs when you have not already exhausted what you have, or simply buying IP addresses for no use at all, speculating that they can be sold for more money later.

    Some parties do not like these rules, and want to establish their own system for buying and selling IP addresses which is not subject to the rules currently in place. They could kind-of do this right now, but the transfer of ownership would not be recorded in the old system.

    This is potentially a bad thing, as suppose someone attacks you from IP address 1.2.3.4. And for some reason, reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information or the fact the IP block had been sold in one system, but forgot to do so in another?

  9. Re:Article is about IP Address sales, not DNS/WHOI by wrmine · · Score: 2

    This is potentially a bad thing, as suppose someone attacks you from IP address 1.2.3.4. And for some reason, reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information or the fact the IP block had been sold in one system, but forgot to do so in another?

    There is another layer that is not discussed in TFA that uses whois and routing announcements to help verify routing. Routing databases like RADB are required by most BGP transit providers and all peering exchanges will use something like peerdb.com to help track their members too. The transit providers like to know where to send the bill for the bandwidth used by an IP block and peering exchanges like to enforce their rules. IP blocks are assigned to people and companies that can change locations and providers. In the attack scenario, if a PTR record for the IP was not found, search for the nameserver of the reverse zone; if that is missing, do a traceroute and pick the previous hop to report to the IP's provider. All datacenter/network providers have a no abuse/spam clause in their contracts where they can disable/terminate service.

    The reality is that no one can buy an IP address. They are all leased from the RIRs and IANA. The RIRs can ask for the IPs back at any time.
    BTW 192.0.2.0/24 is the IP block for examples.
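
The lookup chain wrmine describes (PTR first, then the NS of the enclosing reverse zone, then the registry records that say who holds the block and which AS originates it) and the divergence Cerlyn warns about (a transfer recorded in one registry but not in another), as an added offline example. This is not code from the thread or from any registry; every registry object below is a constructed sample, 192.0.2.0/24 is the RFC 5737 documentation range, AS64496 and AS64497 are RFC 5398 documentation ASNs, and the function names are this example's own. No DNS or traceroute query is sent; the example only builds the names to query and works through the registry text.

```python
import ipaddress
from typing import Dict, List, Optional


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 or IPv6 address (the record to look up first)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_candidates(ip: str) -> List[str]:
    """Enclosing in-addr.arpa / ip6.arpa zones, most specific first.  When the PTR
    is missing, an NS query on these tells you who runs the reverse zone."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    host, suffix = labels[:-2], labels[-2:]
    return [".".join(host[i:] + suffix) for i in range(1, len(host))]


def parse_rpsl(text: str) -> List[Dict[str, str]]:
    """Parse RPSL / whois style 'key: value' objects separated by blank lines.
    First occurrence of a key wins; multi-line continuation is not handled."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("#", "%")):      # comment lines in registry output
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), value.strip())
    if current:
        objects.append(current)
    return objects


def _span(obj):
    """(first, last) address covered by a route: (CIDR) or inetnum: (range) object."""
    if "route" in obj:
        net = ipaddress.ip_network(obj["route"], strict=False)
        return net[0], net[-1]
    if "inetnum" in obj:
        lo, _, hi = obj["inetnum"].partition("-")
        return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    return None


def most_specific(ip: str, objects: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Smallest object covering ip: a customer /26 beats the provider's /24 aggregate."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for obj in objects:
        span = _span(obj)
        if span and span[0].version == addr.version and span[0] <= addr <= span[1]:
            hits.append((int(span[1]) - int(span[0]), obj))
    return min(hits, key=lambda h: h[0])[1] if hits else None


def responsible_party(ip: str, rir_text: str, radb_text: str,
                      alt_text: str = "") -> Dict[str, object]:
    """Tie the layers together: abuse contact from the RIR record, origin AS from the
    routing database, and a flag when a second registry carries a different contact."""
    rir = most_specific(ip, parse_rpsl(rir_text))
    route = most_specific(ip, parse_rpsl(radb_text))
    alt = most_specific(ip, parse_rpsl(alt_text)) if alt_text else None
    abuse = rir.get("abuse-mailbox") if rir else None
    alt_abuse = alt.get("abuse-mailbox") if alt else None
    return {
        "ptr_name": reverse_name(ip),
        "reverse_zones": reverse_zone_candidates(ip),
        "abuse": abuse,
        "origin_as": route.get("origin") if route else None,
        "alt_abuse": alt_abuse,
        # None when the second registry has no record at all for this address
        "registries_agree": (alt_abuse == abuse) if alt else None,
    }


# Constructed sample registry output; not real data.
SAMPLE_RIR = """\
inetnum:        192.0.2.0 - 192.0.2.63
netname:        EXAMPLE-CUST
descr:          customer block (constructed)
abuse-mailbox:  abuse@example.net
source:         EXAMPLE-RIR

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-AGG
descr:          provider aggregate (constructed)
abuse-mailbox:  noc@example.com
source:         EXAMPLE-RIR
"""

SAMPLE_RADB = """\
route:          192.0.2.0/26
origin:         AS64496
source:         RADB

route:          192.0.2.0/24
origin:         AS64497
source:         RADB
"""

# A competing registry that still lists the contact from before a transfer.
SAMPLE_ALT = """\
inetnum:        192.0.2.0 - 192.0.2.63
abuse-mailbox:  abuse@old-owner.example
source:         ALT-REGISTRY
"""

if __name__ == "__main__":
    for probe in ("192.0.2.44", "192.0.2.200"):
        print(probe, responsible_party(probe, SAMPLE_RIR, SAMPLE_RADB, SAMPLE_ALT))
```

For 192.0.2.44 the customer record wins in both databases and the competing registry disagrees about the contact, which is exactly the case where a report goes to the wrong mailbox; for 192.0.2.200 only the provider aggregate covers the address and the competing registry has nothing, so the aggregate's contact and origin AS are all there is.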