[dns-operations] blockchain DNS
Jimmy Hess
mysidia at gmail.com
Tue Jan 30 23:12:53 UTC 2018
On Mon, Jan 29, 2018 at 12:46 PM, John R Levine <johnl at taugh.com> wrote:
> We now return you to the actual DNS, I hope.
As if we ever left the actual DNS in the first place.
There is that fundamental problem that could be solved by such an approach
in principle,
but so far there's no quality design or reference implementation yet; it's
something that
some person or group could theoretically put together some day, but it
would be a
much harder protocol design and software engineering challenge than
designing the
current DNS would have been....
The way I am viewing this is:
Namecoin/DNSChain are interesting experiments, but neither will ever be
the internet's
DNS -- there's a difference between a key-value store that can handle 1
million keys,
and one that can handle 800 billion keys with a change velocity of 1%+ of
the keys
per 24 hours --- and things on a single blockchain are globally
distributed:
That doesn't mean blockchain can't be part of the solution, BUT you can't
just
take the simplest possible implementation.... fork Bitcoin or Litecoin,
make
a few tweaks to wedge in the data you want to track, and expect a
reasonable
result given how VAST the DNS is.
This isn't the solution for the same reason the current DNS doesn't RSYNC
the
daily changes to .COM TLD servers' database to every end user's
computer, and
the same lesson about why basic BTC will not handle microtransactions:
bandwidth is limited, it is necessary to control block sizes, and time
throughput
on a blockchain is thus a small finite resource. A single blockchain
would never be able to grow to a tenth the capacity necessary, before the
distributed network would freeze to a standstill due to scalability
limitations.
Consider "uses a blockchain to accomplish X" --- as one aspect of a
protocol or
system. You could equally ask "What about hash-table-based DNS, or
what
about Btree-based DNS?" So what..... the blockchain is just a way of
formulating or structuring data that you can use to achieve the byzantine
fault
tolerance to resist malicious attacks within the design of a trustless
decentralized system.
Experiments such as Namecoin are interesting, but let's see a
from-the-ground-up
implementation --- specifically designed for DNS that learns the
lessons that
software designers should learn from BTC, LTC, and PoS/PoSV-based systems;
to be viable it should consider the VAST number of domains and nameservers
on the
internet, realistic frequencies of nameserver changes, And provide the
security
methods people need to protect their names (Such as
Multiple-Signature-Required
actions, AND capabilities to Delegated Limited authority to different
users).
The DNS registry is not (or should not) be the content police force; they
>> may be targeted because the central entity appears a "responsible"
>> authority for the presence of a domain in the DNS: ...
>>
>
> That horse left the barn decades ago. Here in the real world registries
> take down fraudulent and illegal names all the time. And I mean all the
> time, thousands or tens of thousands a day.
>
The registries do, but (1) That capability of destroying information
without consent is
one of the problems with the DNS that should get solved, and likely part
of the
motivation behind some countries that are reportedly on the verge of
forking the
root and having their own national DNS roots or "backup" roots.
(2) That removal of "illegal" or undesired names or enforcement of other
policies is not at all
the purpose of DNS registries --- that is not why they have been chosen,
nor why resolvers
use the registries: they could cease this activity, and there would be
almost no complaints
from end users or resolver operators.
(3) Name removal has almost zero value: It can do almost no good, since
fraudulent
and illegal and unwanted typo-names are ubiquitous -- other means are
already
required to deal with this: by the time a DNS registry moves from report
to action
it's very little and extremely late, And, so malware actions continue,
they are
just biased towards new registrations and a larger number of domains that
took less than 60 seconds and less than $10 to register.
(4) Erroneous removal occurs and can cause great harm. Malicious and
erroneous
complaints are sometimes made. There are reports of registrars getting it
wrong
and turning off resources that are ultimately neither fraudulent, nor
illegal, or on
abuses of minor scope unrelated to DNS and not authorized or aided by the
domain
holder, where DNS resources never should have been suspended; this
results in loss of
access to resources, and can destroy the business operation of an impacted
domain
registrant.
Each removal of a legitimate name outweighs the combined benefit of
registry name removals of bogus or malicious names that ever happened.
--
-JH
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180130/f947e30f/attachment.html>
More information about the dns-operations
mailing list