On Wed, 4 Oct 1995, Kenneth E. Rowe wrote:
I don't want to go too far on this tangent, but ...
...
2) the move over the next few years will be toward URN's. These are
independent of DNS resolvers. They provide location and replication
transparency (among other things).
Yeah, yeah. The mythical URN. Some people cliam they are suppsed to be
independent of DNS (hey, why use the only existing global operational name
system that already has replicaiton and redundancy, now has reasonable
security and secure dynamic update proposals that should shortly come out as
IETF Proposed Standards, etc.) As long as URN's are merely a concept, its
pretty trivial to list all the wonderful features they are going to have.
And if the first version of URN's doesn't have those features either, you
can always claim a later version will...
There are many real activities going on with URNs. The same could
have been said about DNS security extensions two years ago. But I
don't want to see this turn into flaming. The DNS has a different set
of underlying assumptions than URNs. Fundamentally DNS will not
suffice for a URN server.
See http://www.ncsa.uiuc.edu/People/kerowe/www-ppr for a fuller
description of the issues.
I read that and it is mostly proof by assertion. It also has flatly
wrong information in it. For example it says "www.ncsa.uiuc.edu
cannot have two addresses". This is false. A name can translate into
any number of IP addresses, etc.
The stuff there claims that URN servers will work magic and give
correct responses differently to different requesters based on network
load with no indication of how to practically solve this very hard
problem. A way to do that in DNS is almost universally considered
desireable and if people could have figured out a practical way to do
it, it would be in the DNS.
It's true that secure operation is hard without security. In that
sense, the unsecure DNS is unreliable. But it seems to me that a
secured DNS does something close to what you want. The enormous
emphasis given to the Byzantine Generals Problem in your document does
not seem to have much to do with the practical problems of a practical
operational global name system to me.
If the URN effort is trying to solve many interacting difficult
problems at once and provide everything for everyone, as it appears to
be doing from this paper, then I predict nothing but failure in the
forseeable future. If you can chuck some of these requirements
and accept a 95% solution, there may be hope.
Although not much is happening on this right now, there is a feeling
that a DNS-2 will be needed. There may be some commonality with the
URN effort.
...
Ken.
-------------------------------------------------------------
Kenneth E. Rowe (kerowe(_at_)ncsa(_dot_)uiuc(_dot_)edu)
Senior Security Engineer (217) 244-5270 (Office)
/ Security Coordinator (217) 244-0710 (NCSA IRST)
National Center for Supercomputing Applications
*** email ncsa-irst(_at_)ncsa(_dot_)uiuc(_dot_)edu for computer incident
response ***
Donald
=====================================================================
Donald E. Eastlake 3rd +1 508-287-4877(tel) dee(_at_)cybercash(_dot_)com
318 Acton Street +1 508-371-7148(fax)
dee(_at_)world(_dot_)std(_dot_)com
Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA)