[dns-operations] NeoDNS : A new DNS like the one we know

Shane Kerr shane at time-travellers.org
Mon Aug 29 01:58:14 UTC 2016


At 2016-08-28 11:25:42 -0400
Andrew Sullivan <ajs at anvilwalrusden.com> wrote:

> On Sun, Aug 28, 2016 at 01:21:15PM +0800, Jaxson Peng wrote:
> > the url: https://rot256.io/post/neodns/
> > How do you think of it?  

Basically I think that if we had block-chains 20 years ago we wouldn't
have needed ICANN. (It's an open question whether we still need ICANN
now that we do have block-chains...) ;)


> Like every other single-purpose replacement of the DNS that's been
> cropping up, this scratches one itch without even thinking about all
> the other itchy parts of the DNS.

It also jumps straight into the solution space.

For the record, some of the parts that I thought might be itchy are in


> If we're actually going to replace the DNS, we probably ought at least
> to include other problems people have had with the DNS in the problem
> statement.  Variants/synonyms is one obvious example.

Again for the record, there was an informal-but-very-organized non-BoF
at the last IETF where some of the issues around variants/synonyms were
discussed. Minutes here:

> I am assuming, but I can't tell from the text, that this doesn't apply
> only to TLDs.  If it _does_, then this appears to be an attack at the
> DNS tree.
>
> Finally, this appears to solve the very same problem as is solved by
> DNSSEC, without being an obvious improvement.  It might be an
> improvement in that it doesn't rely on a root key, but something
> better than assuming that into the requirements seems to be needed.  I
> haven't done the analysis to figure out how this works through caches.

I prefer to think of blockchain as merely a specific type of shared
management for DNS.

I think that there are two potential areas where a shared management of
a domain can be beneficial today, which I very briefly mention here:


Those are:

1. The root zone
2. Zones using a registry/registrar model

In the case of the registry/registrar model, I don't see any real
benefit from *exposing* the shared management of the zone to the DNS;
current DNSSEC technology can use a magically-generated DS record to
point to the magically-generated zone that is the result of blockchain

In the case of the root, I do see a big benefit, if you consider
getting rid of ICANN's role in maintaining the root zone a benefit.
However, the details of how the trust model and management of the zone
would work would indeed be tricky. For example, the NeoDNS document
does not discuss how domains are added or removed, or any sort of
recovery process for lost or compromised private keys. Probably the
"50% attack" is actually a feature in this case, and could be used for
such purposes, but that needs to be explored.

I also suggest that any such change to the root management is completely
impossible in today's profit-driven and nationalistic setup. Cui
bono? ;)

