Sunday, July 3, 2005

DNS root

The following needs a bit of polish but you'll get the idea:

disagreeing with Paul Vixie?!?
I guess so. There are justifiable reasons for implementing private DNS
domains, the main one being "community". Or should I say "different
community" or "private community". There are those that like the idea
of not having to play by the rules imposed on them by others.

Vixie makes a good point against his own argument when he says "So
what? Everybody wants something. I want a pony. Get over it." I bet
your initial response is to think: "Geez! What an asshole!"

To be fair, he said that just to make a point. (I hope.) But it's one of
the major reasons that people set up their own communities and practices.
An example of this: fanatical "don't top post" crusaders have caused
mail list/forum splits more than once. Otherwise, there would be one
Perl list (with Tom in it), one security site (with Richard in it), one
political forum (dissenters will be shot!), one operating system (you'd
not be able to add functions either), and one movie list (we'll tell you
what you'll watch).

Yes, another reason is "money", but you don't have to
play if you don't want to. In fact, those schemes are doomed to fail,
either due to lack of participation or by actions of the-powers-that-be.
(A local here managed the ".biz" domain two years before the powers that
be declared the ".biz" domain to be theirs. She even went before
Congress over the issue. The result: the "official" domain was assigned
to an "official" registrar and the ensuing "switch" caused a lot of
confusion, not to mention emotional responses.)

I also take issue with
the "coherency" and the "there can only be one" arguments. Coherency
has never been a basic assumption in the design of the DNS system.
"Trust", yes. "Coherency", no.

The "There can only be one" argument
is fine for those sitting at the top. For those of us near the bottom,
there are good reasons to modify "the rules". For 50K+ users and a
small IT budget, filtering of porn, UCE or malicious code can only be
performed via DNS poisoning: declaring your own server authoritative for
the domains your users shouldn't be visiting, or for the domains that
serve spyware and malicious code, so that lookups never leave your network.

There also may be a need to set up
private communities. Corporations can (and do) practice "security by
obscurity" by setting up private DNS roots and attaching vhosts to them.
While "security by obscurity" by itself is not a good thing, as an added
layer in "defense in depth", it increases overall security. (Think a
vhost attached to a private domain where the default page responds with
a 404 error. In other words, you have to know about the pseudo root
page to join the community. With added configuration, you have to be
part of the community to "see" the page.)

A non-corporate example of
modifying DNS service for a private community is the UCE-fighting
community's blacklists. As an example, a response to a lookup on
"" means that it's listed as a problem
source. While this service is run within the ".org" domain, it could
just as easily be run under the ".bob" domain. As long as people know
how to configure their DNS services to include ".bob", the service would
be just as employable.
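To make the two mechanisms above concrete, here is an added example that is not code from the post: a toy, in-memory policy resolver in Python that (a) answers authoritatively for a constructed set of sinkholed zones, as in the filtering paragraph, and (b) serves a DNSBL-style listing under the hypothetical private TLD ".bob". The zone names, the listed addresses, the sinkhole address and the `.bob` zone are all constructed for illustration; no real DNS is queried.

```python
# Added example, not from the original post. A toy policy resolver showing
# (1) sinkholing: the resolver declares itself authoritative for zones the
#     community should not reach and hands back a local address, and
# (2) a DNSBL-style blacklist published under a private pseudo-root TLD.
# Everything is in-memory; nothing here talks to the network.
import ipaddress
from typing import Optional, Tuple

SINKHOLE_ADDR = "127.0.0.1"          # constructed: where filtered names point

# Constructed sample policy data (hypothetical names, not real listings).
SINKHOLED_ZONES = {"ads.example", "malware.example"}
DNSBL_ZONE = "rbl.bob"               # hypothetical zone under the ".bob" TLD
# A DNSBL zone keys its entries by the reversed octets of the listed source.
# 127.0.0.2 is the conventional DNSBL test entry; 203.0.113.9 is documentation
# address space.  Both listings are constructed for this example.
DNSBL_LISTED = {
    "2.0.0.127": "127.0.0.2",
    "9.113.0.203": "127.0.0.2",
}

Answer = Tuple[str, Optional[str]]   # (result code, A record or None)


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any label below it."""
    return name == zone or name.endswith("." + zone)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the list zone.

    203.0.113.9 under rbl.bob -> 9.113.0.203.rbl.bob
    Raises ValueError for anything that is not a valid IPv4 address, so a
    malformed input never turns into a malformed query.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve(name: str) -> Answer:
    """Return what this policy resolver would answer for an A query.

    Order matters: the sinkhole override is consulted first, then the private
    DNSBL zone; anything else would be sent to normal recursion (modelled
    here as the "RECURSE" code rather than an actual upstream query).
    """
    name = normalize(name)

    # 1. Sinkhole: we are "authoritative" for these zones, so every name
    #    under them resolves locally and the real destination is never reached.
    for zone in SINKHOLED_ZONES:
        if in_zone(name, zone):
            return ("SINKHOLE", SINKHOLE_ADDR)

    # 2. Private DNSBL zone.  A listed source answers with an address; an
    #    unlisted one is NXDOMAIN, which is the DNSBL convention for "clean".
    if in_zone(name, DNSBL_ZONE):
        key = "" if name == DNSBL_ZONE else name[: -(len(DNSBL_ZONE) + 1)]
        if key in DNSBL_LISTED:
            return ("LISTED", DNSBL_LISTED[key])
        return ("NXDOMAIN", None)

    # 3. Everything else falls through to ordinary resolution.
    return ("RECURSE", None)


def is_listed(ip: str) -> bool:
    """Convenience wrapper: is this source listed in our private DNSBL?"""
    code, _ = resolve(dnsbl_query_name(ip, DNSBL_ZONE))
    return code == "LISTED"


if __name__ == "__main__":
    for q in ("tracker.ads.example.", "www.example.org", "rbl.bob"):
        print(q, "->", resolve(q))
    for src in ("127.0.0.2", "203.0.113.9", "198.51.100.7"):
        print(src, "listed" if is_listed(src) else "clean")
```

The point of checking the sinkhole table before the DNSBL zone is that an override you control should never be shadowed by data you merely host; in a real deployment the equivalent is loading your local authoritative zones ahead of any forwarders, and logging every sinkhole hit so that filtered lookups become a detection signal rather than a silent drop.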

This technique is also used to distribute
public encryption keys, host databases (think phone or address books),
keep track of hardware/software/books, and just about anything else a
private community might need. It's only when that community tries to
"go global" that they run up against "you can't have it, get over it".

Paul's response is not necessarily a "bad thing" either. It
creates an environment for innovation. Invention is not done by the "fat &
happy". It's usually performed by someone hungry, curious, frustrated,
seriously bored or even paranoid.

So Paul, with or without your
approval (or help) it's being done. Get over it.