But they all (intentionally, and by design) respond with the *same* *data*. The fact that there are 13 of them doesn't change the fact that there is only one root *zone*. What's being proposed is having different root zones, and so the assumption that the different roots will answer with the same information goes out the window.
If you're just going to mirror ICANN's root, why bother? (And why would ICANN or anyone tell you what the blacklisted domains are? They'll just drop them from the list of registered domains.)
DNSSec, won't solve the multiple-root problem, though. If each root has a separate trust entry point, and the sub-entries are correctly signed, you won't be able to tell which one's accurate, just that the answers are verified by the root. You'll still be left with very confused users.
This happens today with SSL, it's just harder to see: if two different SSL registries issue certs for "google.com", which one's right? If you trust both of them, then the answer is "both." The same will be true for the multiple DNS roots if they use DNSSec: you'll be able to tell for certain that the answer is correct from the point of the root, but which root is *right* will be far less clear.
Skip the government part (though, honestly, I see no reason why they'll operate the way you think they will)...what about businesses? For example: Apple.com. There are several companies that can claim honest ownership of the "apple" name as a business title (apple computers, apple records, etc). If each of them buys the apple.com name in a different root, which one's "right"? All of them have reason to argue they are...do you expect users to have to surf to all of them one by one to find the "right" apple.com? Seriously? So now the users have to know about all possible DNS roots? yuk.
You seem to be assuming that the DNS with multiple roots will have very few name collisions except for government-caused ones...I don't think that's a safe assumption at all.
Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right? The fact that there aren't good answers to these questions is a big part of why we've tried to avoid splitting the DNS roots.
That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.
Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?
IBM isn't interested in the technology, they're interested in the customers of that technology. IISI didn't have locked-in customers like the CIA, Netezza did.
Spoken like someone who's never had to deal with an abusive, insulting, arrogant jerk on their team. One destructive person can ruin the productivity of a half dozen people really quickly. Like it or not, how you work with other people matters.
It was targeted to be hierarchical as of 1999 (when that presentation was made). That has since been abandoned, and it's now somewhat more free-form the way IPv4 is. To my understanding, there are no restrictions on region or organization as to where IPv6 can be announced, and the criteria for IPv6 Provider-Independent IP space are identical to the ones for IPv4 space.
ARIN is neither the cause, nor the solution. ARIN is a community organization, so their policies are only what the greater ARIN community (ie, the present IP space users) ask for. Until the ARIN community asks for market-cost based allocation, ARIN won't do it. The converse is also true: the reason ARIN *isn't* using a market-cost based allocation system is that the actual users of IP space don't want it to be that way.
To build on this post, we've gone through 14/8s just since January of 2010. Reclaiming a/8 would buy not even a month, and it would take more than a month to reclaim it.
Why do we have to have this conversation every single time the issue comes up? gods...
We have allocated 14/8 networks since January of 2010 (source: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt )....meaning we go through about 1.5/8s every month. Reclaiming a/8 will take more than a couple weeks, so the simple fact is that reclamation isn't worth the effort: we would burn through several/8s in the time it would take us to reclaim one of them.
Why are they surprised that it broke out? That's probably part of the whole idea: seed the target area (presumably Iran) with flash drives with the worm on it, then sit back and wait. When world + dog gets infected, you know *someone* in your targeted area picked up the flash drives, so there's a very high likelihood that someone at your target site infected their PC.
Doing it this way allows the attacker to know that they've succeeded (and presumably to take whatever follow-up measure they had planned) without giving away who they are. Since *everyone* knows that the worm exists, there's no secret signal path to trace back to the author.
It's not that Star Trek is embarrassing (seriously? This is slashdot), the real problem here is that Speare's just indirectly admitted to having Wil Wheaton porn. *That's* embarrassing.
if you're looking for "valuable to the market", why are you going to college at all? Why not just go to a trade school? (Plumbers and electricians have much more stable positions, and a much lower unemployment rate than programmers...)
I strongly recommend reading Charlie Stross' "Common Misconceptions About Publishing" series of blog posts...the one about the actual publishing contract is here:
To quote one section of it relating to royalties (though, really, read the whole thing, it's interesting):
There's an escalator on royalties. I get 10% on the first 5000 copies of each book, 12.5% on the next 5000 copies, and 15% on all copies of each book sold thereafter.
So, the standard contract already (for publishing) already does slide royalties as sales go up. Sure, big names who will sell more books make more (Charlie Stross is not a starting author anymore, but he's certainly not a blockbuster seller, either)...but the industry is not nearly as rigid as you seem to think.
Oh, I'm familiar with the music industry practices...I interned at a record label in college, and they walked me through just how evil their artist contract was. The printing industry is quite different, though, especially in the standard contracts treatment of things like the rights assigned to the publisher, and how long the publisher owns those rights.
The copyright industry isn't just music...and not all of them are as abusive as the big record labels. They all rely on copyright, though, so destroying copyright punishes both the good ones, the bad ones, and the artists. To my eyes, that's not okay.
That sort of thing leads to all kinds of abuses. For example, say you have an author who writes something popular. If a printing company starts churning out copies of that & making a mint off of those sales, is it fair that the author gets none of that money? Or, to make it more directly about music, if a band performs live and someone records it, is it fair that the recording person makes all the money from selling the recording of that band? The recorder did almost no work, but, in the environment you're proposing, would make almost all the money. That doesn't seem right to me...
However, once those decisions pass the level from the internal to the external (or: From those hired for the job, to those elected/appointed into it), that long-term planning appears to break down, in favor of political squabbles.
As someone who's worked both sides of the public/private line, allow me to assure you that this is not unique to government. I've seen plenty of boneheaded design decisions made by upper management for obscure/bizarre/just-plain-wrong reasons in both private and government gigs.
But this is a problem if any stateful firewall is in the path, independent of whether it's doing NAT or not. For FTP, VoIP, torrents, etc, the firewall has to understand enough of the protocol to know what ports (and, in the case of VoIP, IPs) the callback connections are going to come from.
Removing the NAT does not remove the requirement for special content modules on your firewall, nor does it make the "end-to-end" principle become true again. True "end-to-end" connectivity on the internet has been dead for over a decade. It's not coming back.
IPv4 multi-homing can't be done without BGP, either. The requirements for Provider Independent address space in IPv6 are identical to the requirements for PI address space in IPv4 (at least in the ARIN realm). That's been true for at least 2 years. (and yes, shim6 is a mess...that contributed to the IPv6 PI requirements changing, since there wasn't a good alternative.)
- The lawyers here are Boies, Schiller & Flexner - the same ones that handled the SCO case's IP side. That went well for them. *fall into fits of derisive laughter*.
Did they fail? Novell isn't going to get any money, the lawsuits cost all sides far more than the value under contest, and most of them are still going on.
They failed if you believe that SCO was trying to really win. If their only tactic was to make the case as painful and expensive as possible (ie, to make it as attractive as possible for the defending party to settle), then Boies, Schiller & Flexner were massively successful.
Will your bank fight back, or will they see a government-issued identity certificate as a great way to minimize their risk from fraud? Same for Paypal. Also for online credit card purchases...the credit card companies would love to be able to say "you definitely authorized this purchase, since it was your certificate that was used to authorize the purchase."
Or your doctors: they're under a lot of pressure to use electronic health records...what better way for them to do that and still obey HIPAA rules than to require use of the gov't identity cert to see your test results?
I can see quite a number of ways where "the internet" will not fight back. Sites like slashdot might not care (though the credit card thing might get squirrelly), but any site that works with money or federally protected information will likely welcome the end of anonymity gladly.
Slashdot Mirror
But they all (intentionally, and by design) respond with the *same* *data*. The fact that there are 13 of them doesn't change the fact that there is only one root *zone*. What's being proposed is having different root zones, and so the assumption that the different roots will answer with the same information goes out the window.
If you're just going to mirror ICANN's root, why bother? (And why would ICANN or anyone tell you what the blacklisted domains are? They'll just drop them from the list of registered domains.)
DNSSec, won't solve the multiple-root problem, though. If each root has a separate trust entry point, and the sub-entries are correctly signed, you won't be able to tell which one's accurate, just that the answers are verified by the root. You'll still be left with very confused users.
This happens today with SSL, it's just harder to see: if two different SSL registries issue certs for "google.com", which one's right? If you trust both of them, then the answer is "both." The same will be true for the multiple DNS roots if they use DNSSec: you'll be able to tell for certain that the answer is correct from the point of the root, but which root is *right* will be far less clear.
Skip the government part (though, honestly, I see no reason why they'll operate the way you think they will)...what about businesses? For example: Apple.com. There are several companies that can claim honest ownership of the "apple" name as a business title (apple computers, apple records, etc). If each of them buys the apple.com name in a different root, which one's "right"? All of them have reason to argue they are...do you expect users to have to surf to all of them one by one to find the "right" apple.com? Seriously? So now the users have to know about all possible DNS roots? yuk.
You seem to be assuming that the DNS with multiple roots will have very few name collisions except for government-caused ones...I don't think that's a safe assumption at all.
Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right? The fact that there aren't good answers to these questions is a big part of why we've tried to avoid splitting the DNS roots.
That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.
Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?
IBM isn't interested in the technology, they're interested in the customers of that technology. IISI didn't have locked-in customers like the CIA, Netezza did.
Spoken like someone who's never had to deal with an abusive, insulting, arrogant jerk on their team. One destructive person can ruin the productivity of a half dozen people really quickly. Like it or not, how you work with other people matters.
It was targeted to be hierarchical as of 1999 (when that presentation was made). That has since been abandoned, and it's now somewhat more free-form the way IPv4 is. To my understanding, there are no restrictions on region or organization as to where IPv6 can be announced, and the criteria for IPv6 Provider-Independent IP space are identical to the ones for IPv4 space.
ARIN is neither the cause, nor the solution. ARIN is a community organization, so their policies are only what the greater ARIN community (ie, the present IP space users) ask for. Until the ARIN community asks for market-cost based allocation, ARIN won't do it. The converse is also true: the reason ARIN *isn't* using a market-cost based allocation system is that the actual users of IP space don't want it to be that way.
To build on this post, we've gone through 14 /8s just since January of 2010. Reclaiming a /8 would buy not even a month, and it would take more than a month to reclaim it.
Reclamation is wasted effort. Implement IPv6.
Why do we have to have this conversation every single time the issue comes up? gods...
We have allocated 14 /8 networks since January of 2010 (source: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt )....meaning we go through about 1.5 /8s every month. Reclaiming a /8 will take more than a couple weeks, so the simple fact is that reclamation isn't worth the effort: we would burn through several /8s in the time it would take us to reclaim one of them.
Why are they surprised that it broke out? That's probably part of the whole idea: seed the target area (presumably Iran) with flash drives with the worm on it, then sit back and wait. When world + dog gets infected, you know *someone* in your targeted area picked up the flash drives, so there's a very high likelihood that someone at your target site infected their PC.
Doing it this way allows the attacker to know that they've succeeded (and presumably to take whatever follow-up measure they had planned) without giving away who they are. Since *everyone* knows that the worm exists, there's no secret signal path to trace back to the author.
It's not that Star Trek is embarrassing (seriously? This is slashdot), the real problem here is that Speare's just indirectly admitted to having Wil Wheaton porn. *That's* embarrassing.
if you're looking for "valuable to the market", why are you going to college at all? Why not just go to a trade school? (Plumbers and electricians have much more stable positions, and a much lower unemployment rate than programmers...)
I strongly recommend reading Charlie Stross' "Common Misconceptions About Publishing" series of blog posts...the one about the actual publishing contract is here:
http://www.antipope.org/charlie/blog-static/2010/02/cmap-3-how-books-are-sold.html
To quote one section of it relating to royalties (though, really, read the whole thing, it's interesting):
So, the standard contract already (for publishing) already does slide royalties as sales go up. Sure, big names who will sell more books make more (Charlie Stross is not a starting author anymore, but he's certainly not a blockbuster seller, either)...but the industry is not nearly as rigid as you seem to think.
Oh, I'm familiar with the music industry practices...I interned at a record label in college, and they walked me through just how evil their artist contract was. The printing industry is quite different, though, especially in the standard contracts treatment of things like the rights assigned to the publisher, and how long the publisher owns those rights.
The copyright industry isn't just music...and not all of them are as abusive as the big record labels. They all rely on copyright, though, so destroying copyright punishes both the good ones, the bad ones, and the artists. To my eyes, that's not okay.
That sort of thing leads to all kinds of abuses. For example, say you have an author who writes something popular. If a printing company starts churning out copies of that & making a mint off of those sales, is it fair that the author gets none of that money? Or, to make it more directly about music, if a band performs live and someone records it, is it fair that the recording person makes all the money from selling the recording of that band? The recorder did almost no work, but, in the environment you're proposing, would make almost all the money. That doesn't seem right to me...
However, once those decisions pass the level from the internal to the external (or: From those hired for the job, to those elected/appointed into it), that long-term planning appears to break down, in favor of political squabbles.
As someone who's worked both sides of the public/private line, allow me to assure you that this is not unique to government. I've seen plenty of boneheaded design decisions made by upper management for obscure/bizarre/just-plain-wrong reasons in both private and government gigs.
But this is a problem if any stateful firewall is in the path, independent of whether it's doing NAT or not. For FTP, VoIP, torrents, etc, the firewall has to understand enough of the protocol to know what ports (and, in the case of VoIP, IPs) the callback connections are going to come from.
Removing the NAT does not remove the requirement for special content modules on your firewall, nor does it make the "end-to-end" principle become true again. True "end-to-end" connectivity on the internet has been dead for over a decade. It's not coming back.
Comcast is well past the "limited trial" phase. They are doing limited trials for their users, but they have been deploying it for their management of the cable modems and their backbone for years.
IPv4 multi-homing can't be done without BGP, either. The requirements for Provider Independent address space in IPv6 are identical to the requirements for PI address space in IPv4 (at least in the ARIN realm). That's been true for at least 2 years. (and yes, shim6 is a mess...that contributed to the IPv6 PI requirements changing, since there wasn't a good alternative.)
It won't be long...the weapon part (or at least fireworks) has already been done
- The lawyers here are Boies, Schiller & Flexner - the same ones that handled the SCO case's IP side. That went well for them. *fall into fits of derisive laughter*.
Did they fail? Novell isn't going to get any money, the lawsuits cost all sides far more than the value under contest, and most of them are still going on.
They failed if you believe that SCO was trying to really win. If their only tactic was to make the case as painful and expensive as possible (ie, to make it as attractive as possible for the defending party to settle), then Boies, Schiller & Flexner were massively successful.
... will just fight back.
Will it?
Will your bank fight back, or will they see a government-issued identity certificate as a great way to minimize their risk from fraud? Same for Paypal. Also for online credit card purchases...the credit card companies would love to be able to say "you definitely authorized this purchase, since it was your certificate that was used to authorize the purchase."
Or your doctors: they're under a lot of pressure to use electronic health records...what better way for them to do that and still obey HIPAA rules than to require use of the gov't identity cert to see your test results?
I can see quite a number of ways where "the internet" will not fight back. Sites like slashdot might not care (though the credit card thing might get squirrelly), but any site that works with money or federally protected information will likely welcome the end of anonymity gladly.