Paul Mockapetris On The Future of DNS

Posted by timothy
from the smooshing-in-extra-stuff dept.
penciling_in writes "In a CircleID article called Letting DNS Loose, Paul Mockapetris, the inventor of DNS and Chief Scientist and Chairman of Nominum, gives a good indication of what is to be expected in the upcoming years when it comes to data riding on DNS: "RFID tags, UPC codes, International characters in email addresses and host names, and a variety of other identifiers could all go into DNS, and folks have occasionally proposed doing just that. It's really just a question of figuring out how to use the DNS -- it's ready to carry arbitrary identifiers." According to Paul, there are 40 or so data types to be added to DNS: "In fact the whole ENUM scheme is built out of classical DNS technology, and NAPTR is really just the latest data type to be added to the DNS. NAPTR is also just an extension of SRV, which was an extension of MX, which are DNS data types that Active Directory uses to start itself and the Internet uses to route each piece of mail." Paul also clarifies the recent BBC story previously discussed here on Slashdot."
  • by GregThePaladin (696772) on Tuesday January 06, 2004 @08:54PM (#7898243) Homepage Journal
    I, for one, welcome our new DNS overlords. Please, don't hate me.
  • Hmmm (Score:3, Funny)

    by Shut the fuck up! (572058) on Tuesday January 06, 2004 @08:54PM (#7898245)
    I sure hope they can resolve all the problems.
  • by thedillybar (677116) on Tuesday January 06, 2004 @08:56PM (#7898271)
    All the more reason to make sure this "Sitefinder" service gets shut down.

    Who knows what Verisign will do when someone scans an "unregistered" barcode...

  • 'classical DNS technology'

    But to me classical means outdated.
  • I would like to propose a new "IN GEEK" resource record for DNS. So I can find myself on the internet easier!
  • naming conventions (Score:4, Interesting)

    by Anonymous Coward on Tuesday January 06, 2004 @09:01PM (#7898322)
    Naming conventions are pretty useless these days. The ``big'' TLDs like .com, .org, .net, etc. are all remnants from the old days when the Internet was still US-only. Nowadays we have all those country domains, which may or may not implement some scheme to indicate the type of site (.uk does, .nl doesn't).

    Two things make the TLDs pretty much meaningless: a traditional TLD (.com etc.) does not necessarily indicate the type of site, and a country code does not necessarily indicate the Real World location of a site (.nu anyone?). Besides, ``location'' is a very vague notion on the Internet. If my site has a .nu domain, the server is in California, and my content comes entirely from the Netherlands, then what country does my site belong to? So perhaps we should just dispense with the current naming scheme altogether and just have one word as name for the main site (I think RealNames attempted this and failed). Instead of http://www.google.com/ one would just write ``Google'' (or maybe ``google''?), dropping the http://www which is fairly redundant when using a web browser (yes, I know that ``www'' indicates the hostname, but who cares what the hostname is, I just want the site), and the TLD which is basically meaningless.

    Just an idea for the more-or-less distant future.
    • Some browsers already do this. For instance, I typed "google" into Mozilla, and got to google.com just fine.
    • by ultrapenguin (2643) on Tuesday January 06, 2004 @09:10PM (#7898402)
      Internet Explorer can also auto-add www. + .com if you press Ctrl+Enter while typing the URL.
      So google + Ctrl/Enter gives you what you want.
      This also seems to depend on language settings - pressing Ctrl+Enter with regional settings set to "japan" will prepend www. and append .co.jp

      I think MYIE2 has different modifiers, ctrl+enter adds .com, shift-enter adds .net, etc.
    • by PacoTaco (577292) on Tuesday January 06, 2004 @09:37PM (#7898587)
      Two things make the TLDs pretty much meaningless: a traditional TLD (.com etc.) does not necessarily indicate the type of site

      Sure it does:

      .com = porn
      .net = porn
      .org = porn
      .
      .
      .

    • My browser is smarter than that. I just write the name of the site and it automatically does an "I'm feeling lucky!" google search. Gets 'em right every time! (almost)
    • by mauthbaux (652274)
      Personally, I always thought that pr0n sites should be .sex sites... for instance teens.sex girls.sex...(or if you prefer) goat.sex It would make pr0n easier to find for those who were looking for it, and easy to avoid for those looking to avoid it.... just my 2 cents.. ~mauthbaux
    • dropping the http://www which is fairly redundant when using a web browser (yes, I know that ``www'' indicates the hostname, but who cares what the hostname is, I just want the site

      www is the service.
    • by Malcontent (40834)
      There is no reason to limit TLDs to just a handful. It's just artificial scarcity.

      We should have thousands of TLDs. In fact every domain name should be a TLD. You should go to business.exxon not exxon.com.

      • No, the reason TLDs are limited is so that the root nameservers only need to keep state for a few different identifiers. If you allow an arbitrary number of them, the roots will slow down to a crawl.

        This is the same reason that class C IP addresses are such a problem - there's too many of them to do a lookup quickly.
      • You're just moving the problem to a (slightly) different place. If the company called Exxon owns the exxon TLD then I can't use it no matter how much I want it. How is that different from the company Exxon owning exxon.com?

        The scarcity exists because more than one person/organization wants to be identified in the most convenient way. If the most convenient way is a TLD instead of a .com then you have the exact same problem.... more than one person/org will want it.

        TW
    • by iksowrak (208577) on Tuesday January 06, 2004 @11:51PM (#7899711)
      Domains aren't arranged the way they are just as a convention of days past. They're arranged hierarchically to distribute the load of DNS lookups as well as provide a logical way to divide responsibilities for different domains (zones). Also, the hierarchical structure allows for duplicate names as long as those two names aren't sibling nodes in the DNS tree (I can have google.com and google.noodle.com). With single word domains all of a sudden your available choices would decrease dramatically.
    • You mean like, AOL Keywords.. Ugh, no thank you. It's not really broken, so don't fix it.

      If it pains you so much to type in yahoo.com (as if you really need www. anymore, most all sites work fine without it) then just type in "216.109.118.73" and be done with it.
    • Instead of http://www.google.com/ one would just write ``Google'' (or maybe ``google''?), dropping the http://www which is fairly redundant when using a web browser (yes, I know that ``www'' indicates the hostname, but who cares what the hostname is, I just want the site), and the TLD which is basically meaningless.

      Um, bad example, since Google makes use of the TLD. Google.com is generic searching, but google.co.uk has an option to restrict searches to UK sites, google.co.jp has a Japanese interface and a
  • mDNS & Rendezvous? (Score:5, Informative)

    by AT (21754) on Tuesday January 06, 2004 @09:02PM (#7898333)
    I'm surprised that mDNS wasn't mentioned in the context of the future of DNS. It is, after all, the technology behind Rendezvous [apple.com], Apple's protocol for automatic service advertising and configuration on local LANs. mDNS is basically just normal DNS multicasted, with some conventions on how to represent services.

    mDNS is already used for zero-configuration networking, sharing iTunes playlists, and finding other iChat users on a local LAN. Since it's based on DNS, it's both simple and has mature implementations. And it's open source; Apple provides a working reference implementation for Mac OS 9, Mac OS X, Windows, and POSIX (including Linux).
    • by keithmoore (106078) on Tuesday January 06, 2004 @11:19PM (#7899433) Homepage
      mDNS is a huge mess, mostly because Apple started deploying the thing without realizing that you'd have different hosts on the same network, some using mDNS and some using DNS (since not all hosts that are connected will see the same peers) and without bothering to figure out how to keep mDNS and DNS in sync.

      The last time I looked the problem still wasn't solved. But the draft [ietf.org] is in revision 27 after being taken on by an IETF working group, and still isn't done yet, which should tell you something about how ready it was for prime time when Apple shipped it.

      The rest of Rendezvous (v4 linklocal addressing and DNS resource discovery) is also a huge mess, but that's another topic.
      • There is also the very serious issue of conflicts and contention checking. mDNS is a man-in-the-middle attacker's wet dream.
        • But being limited to the local link, the MITM has to plug into your property; it is a problem, but it doesn't expose you to across-the-globe script kiddies (and on the local link ARP poisoning already does the trick even with traditional DNS). Being limited to your private network, I think mDNS can easily integrate DNSSEC (whoever needs this level of security can fully deploy it independently).
      • The last time I looked the problem still wasn't solved. But the draft is in revision 27 after being taken on by an IETF working group, and still isn't done yet, which should tell you something about how ready it was for prime time when Apple shipped it.

        Of course, a huge number of people actually use Rendezvous to do useful things on their networks, which makes your "failure to solve the problem" complaint seem rather meaningless.

        Criticizing Apple for shipping product when the IETF is in revision twen

        • Of course, a huge number of people actually use Rendezvous to do useful things on their networks, which makes your "failure to solve the problem" complaint seem rather meaningless.

          You're taking my comment out of context. Yes, Rendezvous can be useful, for specific apps in specific contexts. But it also causes lots of problems when used by apps in general. Apple has tried to promote it as a general-purpose solution for name lookup on local networks, and Rendezvous is really poorly designed for that.

          Cr
  • by Lxy (80823) on Tuesday January 06, 2004 @09:04PM (#7898354) Journal
    If it needs a [UPC|RFID|Serial number|unique ID of any kind] why not give it an IPv6 address? It's a well designed hierarchical system, and DNS is already capable of handling it.
    • why not give it an IPv6 address

      $ ping6 -c 5 2001:4f8:4:7:2e0:81ff:fe21:6564
      --- 2001:4f8:4:7:2e0:81ff:fe21:6564 ping6 statistics ---
      5 packets transmitted, 0 packets received, 100% packet loss

      Somebody stole a book!
    • Because these are not devices that communicate with the Internet Protocol. Just because there are a lot of IP addresses in IPv6 doesn't mean we should start handing them out to everything that needs an ID number.

      There still may be merit to considering the use of one common "ID space" for drawing these IDs from (perhaps allocating a prefix to each type of ID), but this doesn't really seem useful.
  • by Anonymous Coward
    For example, DNS entries should have additional information stored within them, such as classifications as to whether the site is:

    a) Adult

    b) Shopping

    c) News

    d) etc.

    This way, I can prevent myself from accidentally going to hidden goatse.cx links that appear under more innocuous DNS entries such as "www.welcometomysite.com".

  • security? (Score:4, Insightful)

    by MrSpiff (515611) on Tuesday January 06, 2004 @09:24PM (#7898490) Homepage
    What about security issues? BIND has a long history of bugs and with the recent threats to the root DNS servers, I think the real issue is building a secure DNS service rather than extending the data it carries.
    • (Score:2, Insightful)

      You're kidding, right? Score: -1: Troll.

      The article talks about DNS, not a specific implementation of it. Only if you won't look further than how long your nose is will you come up with these kinds of comments.
      • You're kidding, right? Score: -1: Troll.

        I hope you're kidding. The ability to forge DNS replies, which has massive security implications, is completely implementation-INdependent (granted BIND's implementation makes (made?) it much easier, but it's still possible, and very easy with access to the victim's network).
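The forgery risk raised in this sub-thread comes down to what a resolver checks before it trusts a reply. The following is an added example, not code from the Slashdot discussion or any of its posters: a minimal stub-resolver acceptance check in Python that takes a reply only if its source endpoint, destination port, transaction ID and echoed question all match the query that is actually outstanding. The server address and query names are constructed for the example. Each field checked is one an off-path forger has to guess, which is why the ID and source port are drawn unpredictably; the check narrows the window but, with only 16 bits of ID, does not close it, and only DNSSEC removes the guessing game entirely.

```python
"""Accepting a DNS reply only if it matches the outstanding query.

Added example, not code from the thread. The server address and query
names are constructed for illustration.
"""
import secrets
import struct

SERVER_IP = "192.0.2.53"  # constructed: documentation-range address


def new_query_state(server_ip, qname, qtype=1):
    """Record everything a reply must echo. ID and source port are drawn
    unpredictably: the fewer bits a forger can predict, the more packets an
    off-path spoof needs before one is accepted."""
    return {
        "server": server_ip,
        "txid": secrets.randbelow(65536),
        "src_port": 1024 + secrets.randbelow(65536 - 1024),
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
        "qclass": 1,  # IN
    }


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed name at offset; return (lower-cased name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), offset
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_message(txid, flags, qname, qtype=1):
    """One-question DNS message: 12-byte header plus the question section."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Header fields we care about plus the single question; raises on junk."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "qclass": qclass}


def accept_response(state, packet, src_addr, dst_port):
    """Return (accepted, reason). Every field checked here is one a forger
    who is not on the path would have to guess correctly."""
    if src_addr != (state["server"], 53):
        return False, "reply not from the server that was queried"
    if dst_port != state["src_port"]:
        return False, "reply not addressed to the query's source port"
    try:
        q = parse_question(packet)
    except (ValueError, IndexError, struct.error):
        return False, "malformed reply"
    if not q["flags"] & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if q["txid"] != state["txid"]:
        return False, "transaction ID mismatch"
    if (q["qname"], q["qtype"], q["qclass"]) != (state["qname"], state["qtype"], state["qclass"]):
        return False, "question section does not echo the query"
    return True, "accepted"


if __name__ == "__main__":
    state = new_query_state(SERVER_IP, "www.example.com")
    genuine = build_message(state["txid"], 0x8180, "www.example.com")
    wrong_id = build_message(state["txid"] ^ 1, 0x8180, "www.example.com")
    print(accept_response(state, genuine, (SERVER_IP, 53), state["src_port"]))
    print(accept_response(state, wrong_id, (SERVER_IP, 53), state["src_port"]))
```

The question-section comparison is case-insensitive, as DNS names are, so a reply that echoes the name in different case is still matched; compression pointers are rejected in the question name because a genuine reply echoes the question verbatim and a pointer there is a sign of something hand-built.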
  • Not so sure... (Score:4, Informative)

    by rritterson (588983) * on Tuesday January 06, 2004 @09:26PM (#7898511)
    DNS is great in its hierarchical nature: one can simply delegate domains to another server, which keeps whatever DNS is managing the root (like slashdot.org.) from getting overloaded with requests.

    However, how is it going to work if we add barcodes, RFIDs, etc. to DNS? Are we going to create an RFID domain? RFIDs are unique numbers, AFAIK, which is more like an IP address, which is exactly what DNS is designed to avoid the usage of! Will I go buy tee.shirt.yellow.minnesota.walmart and have the register go look up the RFID and price information? That would seem backwards.

    Also, we're going to need many more DNS servers if we are going to piggyback those sorts of services on the system. While I did RTFA, it seemed short on details. I would assume a retailer using DNS for RFID would have a private DNS network, much the same way Microsoft's Active Directory normally uses one (or maybe not; maybe one would just need a separate RFID network of servers, since there is nothing inherently private about RFID numbers and it might be helpful for a retailer to make the RFID lookup ability public).

    Yet, that would only lead back to my original question. Are you going to separate RFIDs into domains by number and then delegate them? That seems silly: imagine trying to put MAC address lookups on DNS. Does one retailer need to be able to access the RFIDs of another? Are we going to need to create root servers for RFID lookups? Please don't use those same root servers and please don't merge the network with the same public internet DNS system.

    Perhaps the article was just short on details, or maybe I missed something, but I'm wary of using DNS for the sort of system the article described, at least before more details emerge.
    • Yet, that would only lead back to my original question. Are you going to separate RFIDs into domains by number and then delegate them? That seems silly: imagine trying to put MAC address lookups on DNS.

      RFIDs are unique numbers, AFAIK, which is more like an IP address, which is exactly what DNS is designed to avoid the usage of!

      Please think of in-addr.arpa and ip6.int? It does exactly what you describe as your problem.

      Furthermore:
      DNS is great in its hierarchical nature: one can simply delegate domains t
    • However, how is it going to work if we add barcodes, RFIDs, etc. to DNS? Are we going to create an RFID domain? RFIDs are unique numbers, AFAIK, which is more like an IP address, which is exactly what DNS is designed to avoid the usage of! Will I go buy tee.shirt.yellow.minnesota.walmart and have the register go look up the RFID and price information? That would seem backwards.

      Euhm... the extensions are not to be used by you. Forget humans. Think machines.
    • Will I go buy tee.shirt.yellow.minnesota.walmart and have the register go look up the RFID and price information? That would seem backwards.

      Right. He's just saying that we should use DNS, as it's lightweight and globally used, to distribute universal identifiers other than domain names -- in this case, RFIDs, which would only forward-resolve. Useful for scanning a product and finding out what it is.

      My guess is that there'd just be a new TLD for each, given that RFIDs (I assume) and UPC codes are univer
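The in-addr.arpa point made in one of the replies above is worth seeing in code: a flat number becomes delegatable simply by reversing its digits and hanging them under a fixed suffix, which is exactly how reverse DNS already handles the "unique number" case the parent post worries about. The following is an added example, not from the thread: the reverse-name construction for IPv4 and IPv6 (under ip6.arpa, the tree that later replaced the ip6.int mentioned above), the zone cut a prefix holder is delegated, and the same trick generalised to any fixed-width identifier. `id.example` is a hypothetical suffix chosen for the example.

```python
"""Mapping flat numeric identifiers into a delegatable DNS hierarchy.

Added example, not from the thread. Standard library only.
"""
import ipaddress


def reverse_name(address):
    """RFC 1035 / RFC 3596 reverse name: octets (v4) or hex nibbles (v6) in
    reverse order under in-addr.arpa / ip6.arpa. Spelled out by hand so the
    construction is visible; ipaddress exposes the same via .reverse_pointer."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = format(int(ip), "032x")  # 128 bits -> 32 hex digits, zero-padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(address):
    """Cross-check the hand-built name against the standard library's."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer


def delegation_zone(prefix):
    """The reverse zone an operator is delegated for a network prefix: the
    leading octets/nibbles of the prefix, reversed. Only label-aligned prefixes
    (multiples of 8 bits for v4, 4 bits for v6) map to a single zone cut;
    anything else needs the RFC 2317 CNAME workaround, so refuse it here."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse delegation needs a /8, /16 or /24")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse delegation needs a nibble-aligned prefix")
    nibbles = format(int(net.network_address), "032x")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def identifier_name(value, width_bits, suffix, hex_digits_per_label=1):
    """Same construction for any fixed-width number (a serial, tag or product
    code): zero-pad to the width, cut into labels, reverse, append a suffix.
    One hex digit per label allows a zone cut at every 4-bit boundary; wider
    labels mean fewer, coarser cuts. `suffix` is the (hypothetical) tree the
    identifier space would be hung under."""
    if width_bits % (4 * hex_digits_per_label):
        raise ValueError("width must be a whole number of labels")
    digits = format(value, f"0{width_bits // 4}x")
    step = hex_digits_per_label
    labels = [digits[i:i + step] for i in range(0, len(digits), step)]
    return ".".join(reversed(labels)) + "." + suffix.strip(".")


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::1"):
        print(a, "->", reverse_name(a), "(stdlib agrees:", matches_stdlib(a), ")")
    print(delegation_zone("192.0.2.0/24"), delegation_zone("2001:db8::/32"))
    print(identifier_name(0xDEADBEEF, 32, "id.example", 2))
```

The delegation point is just a prefix of the reversed name, which is the property that lets a numeric space be handed out block by block without any central server holding every individual entry.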
  • Someone really should have asked him about any plans to make DNS more peer-to-peer oriented, like the recent project to make BitTorrent .torrents part of DNS, found here:

    http://www.netrogenic.com/dnstorrent/ [netrogenic.com]
    • dnstorrent doesn't make any changes to DNS, all it does is allow you to carry non-DNS type data on a DNS server.
    • to make DNS more peer-to-peer oriented

      I'm not sure what you mean with it, DNS has always been client-to-server, only in a couple of cases (that is for servers which host the same domain) it is server-to-server. And then, multimaster domains can be used in that situation.

      So please explain to me why DNS should be P2P oriented.
    • God I hope not.

      The reason that DNS works and is so successful is because it has root servers. It's distributed and yet authoritative.
  • I'm surprised there aren't records for 'WEB' and 'FTP' and the like. Why are we still relying on well-known-ports so much? DNS could point to many different types of resources similar to 'MX'...
    • Re:WEB/FTP (Score:5, Informative)

      by emptybody (12341) on Tuesday January 06, 2004 @09:39PM (#7898599) Homepage Journal
      Actually, there already are provisions for this.
      The SRV record, defined in RFC 2782 [ietf.org], is used to store a HOST:PORT pair.

      When will browsers (or anything else for that matter) start supporting this???

      Here is a (possibly outdated) list of software that supports the SRV record [vanrein.org].

      • It's kind of a chicken and egg problem. You'll still have to deal with applications that expect the well-known ports. For example, if you move mail off port 25, you won't be able to receive messages from clients that can't (or won't) look up the correct port in DNS. Rather than listening in two places (and making a mess of your firewall rules) it will probably be easier to just leave things alone.
      • If you read RFC 2782 you will see that SRV isn't intended to be retroactively applied to all applications, because it would break compatibility with apps that expected to use default port numbers. SRV should only be used by applications which are explicitly specified to use it, and HTTP/web browsing hasn't been specified to use SRV.

        To really fix web browsing it should use NAPTR records in addition to SRV records; that would allow arbitrary mappings from any URI type to any suitable access protocol,
    • Re:WEB/FTP (Score:3, Insightful)

      by MavEtJu (241979)
      I'm surprised there aren't records for 'WEB' and 'FTP' and the like.

      There are three ways this has been resolved in the past and today:

      - portmapper, where you ask the machine (think of it as a DNS on the machine itself for port-numbers) on which port the nfsd listens.

      - hostnames: ftp.freebsd.org is the ftp-server, www.freebsd.org is the www-server. Yes, still port 21 and 80, but you can figure out which hosts to use for which protocol.

      - SRV records, which you ask for a service and a domain name: _smtp._
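Both replies above point at SRV records without showing what a client actually does with a set of them. The following is an added example (not code from the thread, nor from RFC 2782 itself): a Python parser for SRV zone-file lines together with the target-selection procedure RFC 2782 specifies, lower priority first, and within one priority a weighted random draw in which weight-0 records are placed first so they are picked only when the draw is zero. The zone lines are constructed sample data; the `_http._tcp` entry with target `.` shows the RFC's way of stating that a service is explicitly absent.

```python
"""Parsing SRV records and ordering targets per RFC 2782.

Added example, not from the thread. ZONE is constructed sample data.
"""
import random
from collections import Counter
from dataclasses import dataclass

ZONE = """
_ldap._tcp.example.com.  3600 IN SRV 0 100 389 ldap1.example.com.
_ldap._tcp.example.com.  3600 IN SRV 0 0   389 ldap2.example.com.
_ldap._tcp.example.com.  3600 IN SRV 1 10  389 ldap-backup.example.com.
_http._tcp.example.com.  3600 IN SRV 0 0   0   .
"""


@dataclass
class SRV:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line):
    """Parse '<owner> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _, _, prio, weight, port, target = fields
    for n in (prio, weight, port):
        if not 0 <= int(n) <= 65535:  # all three are 16-bit fields on the wire
            raise ValueError(f"16-bit field out of range: {line!r}")
    return SRV(owner.lower(), int(ttl), int(prio), int(weight), int(port), target.lower())


def load_zone(text):
    return [parse_srv_line(l) for l in text.splitlines() if l.strip()]


def lookup(records, service, proto, name):
    """Records owned by _service._proto.name, the RFC 2782 naming convention."""
    owner = f"_{service}._{proto}.{name.rstrip('.')}.".lower()
    return [r for r in records if r.owner == owner]


def order_targets(records, rng=random):
    """Connection-attempt order following the usage rules in RFC 2782."""
    if any(r.target == "." for r in records):
        return []  # target "." means the service is decidedly not available
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # weight-0 entries go first
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)  # uniform, inclusive at both ends
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:  # first record whose running sum reaches the draw
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def first_choice_counts(records, trials):
    """How often each target is tried first over `trials` seeded runs; makes
    the weight semantics visible without depending on a single random draw."""
    counts = Counter()
    for seed in range(trials):
        order = order_targets(records, random.Random(seed))
        if order:
            counts[order[0].target] += 1
    return counts


if __name__ == "__main__":
    recs = load_zone(ZONE)
    ldap = lookup(recs, "ldap", "tcp", "example.com")
    print([(r.target, r.port) for r in order_targets(ldap)])
    print(first_choice_counts(ldap, 1000))
    print(order_targets(lookup(recs, "http", "tcp", "example.com")))
```

With the sample data, ldap-backup (priority 1) is always tried last, and among the priority-0 pair the weight-100 host is chosen first almost every time while the weight-0 host is reached only when the draw happens to be zero, which is the RFC's intended "use only if nothing else is weighted" behaviour.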
  • by b00m3rang (682108) on Tuesday January 06, 2004 @09:32PM (#7898550)
    DNS isn't nearly bloated enough. Let's make all DNS servers run Active Directory on Windows, so we can store phone numbers, golf scores, medical records, and political party affiliation. Then, since it's an 'improvement', we can all rest assured our security concerns have been addressed. Let's get BIND rock solid, then get fancy if you're into that sort of thing.
    • Re:They're right... (Score:2, Informative)

      by 0racle (667029)
      New to LDAP, huh? DNS doesn't store the actual AD data; that is in data files on the AD servers (Ya, I was shocked at that too). DNS simply holds pointers to find the services supplied and used by the directory, just like every other use of DNS.
    • DNS isn't nearly bloated enough.

      You store in it what is needed for you.

      You will probably never store RFID tags in it, but other people (companies) might want to do so. To standardise the resource-records for it, it will be possible for company A to share its information with company B without having to write a conversion tool[*].

      [*] For the XML-shouters now: real time conversion tool :-)
  • I think he should write an article entitled "How to Survive Elementary School with a Last Name like Mockapetris."

    Because, only in elementary school would someone make fun of someone else's name...wait...
  • by BritGeek (736361) <biz@NoSPaM.madzoga.com> on Tuesday January 06, 2004 @09:45PM (#7898632)
    While the main point of the article is interesting, the rather depressing part - about the politics of the ITU, ICANN, etc. - is that unless we can get these oafs to work together, we are totally hosed. Having witnessed some of the machinations that go on in at least a couple of these groups, I despair of whether we will get anything rational out of all of this. (I would much, much rather see sausages being made than see these groups "working" again...)
    • DNS needs stability and property rights for existing names and uses, and therefore requires somebody who can manage; second, the DNS also needs somebody with the ability to create revolutionary change and expand the technology into international character sets, telephony applications, and new TLDs, which will require someone who is visionary and not afraid to turn the sacred cows of the International Telecommunication Union and the Internet Society into hamburger if they get in the way.
  • by Hard_Code (49548)
    Isn't the design of DNS especially relevant to host names because hosts, and hence host names are dynamically distributed?

    Why would it necessarily follow that we would want to use DNS to store other arbitrary types of data (that do not necessarily have a decentralized nature) instead of a central database?
  • by bigberk (547360) <bigberk@users.pc9.org> on Tuesday January 06, 2004 @09:52PM (#7898680)
    Give me a break. DNS itself is virtually unchanged over all these years. You've pretty much got SOA, NS, A, CNAME, and MX records and some other record types for meta information. RFID? Active Directory? Ppphtt.
    • Too complicated

      Not really. Very easy to query, very easy to debug. (the magic is in the backend of the DNS server which has all the data).

      I think the thing is that you don't know the problems people have ("I have this shitload of data and I need people all over the world to be able to query it, how can I do this in a distributed and efficient way?")

      Sometimes you need to look further than the size of your nose ;-)

      Edwin
  • by Anonymous Coward on Tuesday January 06, 2004 @10:14PM (#7898853)
    Let's see...
    • rrset-order is still broken.
    • GSS-TSIG support is still missing.
    • Strange multi-threading bugs still exist
    • Awful security history isn't behind it yet.
    Oddly enough, the expensive Nominum commercial product has all these things fixed and BIND does not, even though ISC and Nominum are the same set of folks, in the same building.

    Does this sound like bullshit to you ? If so, see the following:

    • Read the bottom parts of this [cr.yp.to] and the links at the bottom of this [cr.yp.to]
    • Nominum/ISC relationship described here [cr.yp.to]
    Of course, the trouble is that there's not many alternatives. DJBDNS [cr.yp.to] is stable, but missing features and has an odd "semi-open-source" license. ( Also, if you read some of the links, Dan's a really cranky source of support :) PowerDNS [powerdns.com] is promising, but just got recursion.

    AAARRGGHH.

  • Mockapetris sounds like some weird variant of tetris.
  • by thona (556334) on Wednesday January 07, 2004 @02:21AM (#7900628) Homepage
    ::International characters in email addresses BAD idea. VERY bad idea. I can really see an American struggling over his English keyboard entering a Norwegian char to send an email to his Norwegian partner. Funny (with me being in Germany). That said, for me it is NOT that funny anymore (being in Germany) when I have to figure out a way to enter a Chinese char into a Chinese email address given that I have no clue about how their char system works at all. PLEASE spare us international chars in emails and website domains.
    • it is NOT that funny anymore (being in Germany) when I have to figure out a way to enter a Chinese char into a Chinese email address given that I have no clue about how their char system works at all.

      Well, presumably that Chinese person has no interest in receiving E-mail from people who don't speak Chinese, so I don't see the problem.

  • Is it just me, or does Mockapetris sound like a tetris-like game played with falling five-block pieces that make fun of you as they descend?
