ietf

Re: Number of Firewall/NAT Users

2001-01-24 12:50:03
Ed,

<snip>

> Perhaps we agree that DNS names depend on IP numbers as part of their trusted
> context, but IP numbers do not depend on DNS names.
>
> However, certain design choices in the evolution of the DNS,
> since long ago, have made users fully dependent on the DNS for
> certain critical Internet services -- which choices further
> strengthened the position of DNS name registration as the single
> handle of information control in the Internet.  And, in a
> reverse argument, its single point of failure.
>
> Indeed, the DNS was never intended to be essential to the
> Internet, since all Internet hosts are accessible by their
> IP numbers alone -- however, those engineering choices in the
> design of the resource records and various e-mail protocols make
> it nowadays impossible for an average user to send or receive
> e-mail in the Internet without a DNS service.  In short, DNS names
> have become the addresses of mailboxes and the addresses of
> e-mail forwarders in MX resource records.  Or, you are required to
> have a matching reverse DNS that you do not have, which is
> another misplaced requirement, since why should you trust a second
> query to a system you do not trust in the first place? This is also
> relevant in terms of failure and control analysis because e-mail is,
> by far, the most important application on the Internet for many users.

Prior to the existence of DNS, we relied on the hosts.txt file, which was maintained at a central site and downloaded (typically daily) by all the hosts. There has long been a reliance on a name-to-address translation facility, because addresses are unacceptable as human user inputs to applications and because network management requires an ability to change the address of a host. (In the ARPANET days, the host addresses were derived from IMP port numbers, so any move of a host from one port to another, e.g., due to a local hardware or comm line failure, required changing the address of the host.) So I can't agree with your assertion that the DNS (or an equivalent name-to-address mapping service) was never intended to be essential to the Internet.

> Further, by placing the decisions of network address assignment
> (IP numbers) together with DNS matters under the ruling of one
> private policy-setting company (ICANN), we see another example
> of uniting and making all depend on what is, by design, separate.
> The needs of network traffic (IP) are independent of the needs
> of user services (DNS). They also serve different goals, and
> different customers. One is a pre-defined address space which
> can be bulk-assigned and even bulk-owned (you may own the right to
> use one IP, but not the right to a particular IP), the other is
> a much larger and open-ended name space which cannot be either
> bulk-assigned or bulk-owned. They do not belong together.

They are separated one level down from ICANN, where we have TLDs for names that are distinct from regional registries for addresses and other numbers. Having one group coordinate these two distinct assignment activities offers benefits, since both need some central management authority, as well as drawing criticism.

Steve