DNS problems and alternatives
Replacing the DNS is a recurrent topic. In this post I try to explain the problems and give a list of existing or proposed alternatives.
Problems of the DNS
A little terminology first : the DNS has two functions, registering and resolving names. Critics of the registration mechanisms are mostly political, resolution problems are mostly technical.
The US government has seized many domain names in November 2011, as it had done the year before. Contrary to what some people said, the ICANN was not involved in those operations. It was Verisign, the operator of the .com, .net, and .name generic top-level domains, that was ordered to seize the domains. As a result, some sites have fled generic TLDs controlled by US companies.
Economic vampirism and domain parking
The DNS is a big profitable business.
The name renting (you can't buy a domain name) business works like this : client → registrar (domain manager) → registry (TLD manager) → ICANN (root manager). Some of these organizations are nonprofit (e.g. ICANN), but that doesn't mean people working for them don't profit (there are high salaries, expensive dinners, trips, etc). Others are corporations that make very good profits[^1].
X.509 certificates are another business. They are delivered by Certificate Authorities and used in TLS. This security model has been widely criticized[^2][^3][^4] and there are plans to put certificates directly in DNS records[^5][^6], and others to replace X.509 by OpenPGP[^7].
Finally, there is the very annoying domain parking business.
Being very old, the DNS also has technical weaknesses.
The first is slow propagation of records because the DNS uses time-based caches.
The second is that records are not stored in a P2P network, but by authoritative servers, which can be taken down by DoS attacks if they aren't sufficiently protected. This is rarely a problem in practice though.
Why haven't the problems been solved yet ?
Well, because different people want things that are contradictory. The problem is often known as Zooko's triangle, but there are in fact more than three desirable properties for identifiers :[^8]
- We want to choose a unique and memorable name so we can communicate it to somebody else even if we don't have our computer with us at the moment. Some people who always have their smartphone with them may argue that this property is not important anymore, but not everybody has a smartphone.
- We want a censorship-free system.
- We want our trademarks to be registered only by us.
- We want links between documents that are stable in time, the Web doesn't like broken URLs.
- We want the registration process to be easy, fast and free of charge.
- We want a name to be resolvable to an address, otherwise it's of no use to us.
- We want names that are recoverable in case of hijacking or loss of credentials.
Existing or proposed alternatives
I can't help but start by my own DNS replacement proposal. The Internet Naming System acknowledges that there is no perfect solution and chooses to keep a central authority for name allocation. It makes censorship automatically detectable but not impossible.
Projects for P2P registration of names :
- Dot-BIT (#namecoin on freenode) uses Bitcoin-like proof-of-work (which assumes that honest nodes have the majority of computing power)
- P2PNS assumes that a vast majority of peers is honest
- IDONS: Internet Distributed Open Name System (forum) seems dead
- #dns-p2p, which used to have a wiki on dot-p2p.org, never gave anything and is dead
Technical solutions for improving resolution :
Other projects :
- OpenNIC (#opennic on freenode, OpenNIC lists) is an alternative root
- Telecomix Censorship-proof DNS (#dns on telecomix IRC)
Other proposals :
- on the p2p-hackers list :
- For a truly acentric Internet, proposes to abandon meaningful identifiers (an old proposition that comes back regularly)
- Problems, Goals and a Fix for Domain Names, proposed to only allow trademarks as TLDs
References and credits
[^1]: Confessions d'un voleur [fr]
[^2]: New Research Suggests That Governments May Fake SSL Certificates
[^3]: It's Time to Fix HTTPS
[^4]: Technical Architecture shapes Social Structure: an example from the real world
[^5]: DNS-based Authentication of Named Entities - IETF Working Group
[^6]: Exposé sur les clés dans le DNS à JRES [fr]
[^7]: The Monkeysphere Project
[^8]: Inventer un meilleur système de nommage: pas si facile [fr]
Thanks to Stéphane Bortzmeyer for helping with this post.