ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Decentralising the DNS

2009-06-15 20:11:47
from [Phillip Hallam-Baker] [Permanent Link] 
The .com zone already has multiple entry nodes. Maybe not the design
you would propose though...

Given the relatively small size of the zone files compared to the
memory capacity of modern machines, you can argue for a one or two
tier system depending on your hardware platform characteristics. DNS
was designed to work within the constraints of a single tier
architecture, it has grown above the rate of Moore's law at times, but
is not growing at that rate recently.

DNS lookups are highly concentrated in a subset of domains. A more
appropriate architecture for the DNS would be a 1.5 tier architecture
where the front end servers maintain the x% of domains that answer 99%
of queries locally and go to second tier systems for the other 1%.


You say you have no political agenda, but a change of that magnitude
would have to be driven by a powerful political incentive.

A lot of the costs of running core DNS come from the cost of dealing
with large scale malicious attacks. Here there is a problem with the
economics of the Internet, the ISPs have little incentive to stop
botnets on their local networks mounting DDoS attacks on the DNS roots
as they would bear the costs while the registry sees the benefit.

ANYCAST has an interesting effect in that it means that ISPs who
negligently allow botnets to perform DDoS attacks are going to see
their own network response impacted in direct proportion.

A network architecture in which the large ISPs received the major DNS
feeds as zone transfers and took charge of the local distribution
themselves would be a lot more resilient than the current arrangement.
Unfortunately our current political constraints lock us into an
architecture that is unnecessarily vulnerable to DDoS attack and does
not impose accountability on the sources of that attack. Nor are AOL,
Comcast etc going to be too interested in taking on the costs of
distributing DNS locally unless ICANN is willing to share some of that
$6.50 per domain revenues.


As with a lot of Internet economics, it makes little sense unless you
start to try to propose something better. At root is the problem that
each communication has two sides and it is not at all clear which side
is obtaining the real value from the communication. In the telephone
system the assumption is (usually) that the initiator of the call is
getting the value. In the Internet the costs are too small to measure
at the fine grain level but enormous when aggregated.

On Fri, Jun 12, 2009 at 10:55 AM, Sabahattin
Gucukoglu<mail(_at_)sabahattin-gucukoglu(_dot_)com> wrote:

Silly question, I'm sure - any chance of putting the DNS into a gigantic DHT
and spreading the entry nodes liberally about the planet?

Cheers,
Sabahattin

PS: No political agenda implied.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf





-- 
-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end, Phillip Hallam-Baker
Next by Date:  Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end, Phillip Hallam-Baker
Previous by Thread:  RE: Decentralising the DNS, Tony Finch
Next by Thread:  Nomcom 2009-10: Third Call for Volunteers, IETF Secretariat
Indexes:  [Date] [Thread] [Top] [All Lists]