Proposal to extend DNS with Peer to Peer server-independence
Posted 28 Jan 2010 at 20:12 UTC by lkcl 
Google and others have just proposed that DNS be extended. If DNS is
going to be changed in such a minor way, why not do something much more
useful and interesting, which has a fully-functioning implementation
already in prevalent use for over fifteen years on millions of free
software systems? Why not make the DNS protocol a true
server-independent peer-to-peer Naming Service? In combination with the
modern DNSSEC extensions, many of the complaints associated with the
current peer-to-peer free software implementation would vanish.
of _much_ more interest would be to back-port the extensions to DNS that
allowed it to act as a peer-to-peer naming service WITHOUT requiring a
server AT ALL.
what? what is this? DNS without a server, how could this EVER be
possible? what is this madman talking about?
take a close look at RFC 1001 and 1002. you will see that the packet
formats are IDENTICAL to DNS. all that happened was that the zone field
was called "scope", a stupid "mangling" was put onto host names, and an
extra DNS type called "Name Query" was added, which is a bit like a DNS
server "all" query, except it can be sent to any machine.
yes, you guessed it: NetBIOS name resolution was derived originally from
DNS.
by dropping all the stupidities (name mangling, "scope") and making use
of DNSSEC, an update to DNS to become a true server-independent
peer-to-peer service would be absolutely revolutionary.
and the neat thing is that there already exists a free software
implementation on which the changes could be made to work with very
little effort, which is in prevalent use today across millions of free
software machines for at least twelve years: yes, you guessed it, it's
called "nmbd" and it's been part of samba since around 1.9.14 or
possibly even earlier.
...but how do you know what server to contact for this peer-to-peer service when all you have is a name?
Meanwhile, Netbios's name resolution only worked within the local broadcast domain, and subsequently didn't scale worth a damn. Anything beyond that required a so-called WINS server which.. brings us right back to the current situation of a designated server to go to for name resolution.
signing authority?, posted 31 Jan 2010 at 04:30 UTC by phr »
(Journeyer)
Doesn't DNSSEC depend on a signing authority, so a distributed version still wouldn't be decentralized? Of course you could choose your own signers but that would basically give you a bunch of independent DNS authorities, something we already sort of have in the form of Alternet, and which has never gotten any traction.
I don't know if any of the P2P networks out there can be truly called server-independent. AFAIK, Gnutella only became usable when host caches were created. You'd probably need something similar for your proposal to work.
Supernodes, posted 31 Jan 2010 at 16:44 UTC by lkcl »
(Master)
Meanwhile, Netbios's name resolution only worked within the local broadcast domain, and subsequently didn't scale worth a damn. Anything beyond that required a so-called WINS server which.. brings us right back to the current situation of a designated server to go to for name resolution.
the intensely irritating "ZeroConf" and "Avahi" also only work within the local broadcast domain, and are now "ingrained" into free software desktop infrastructure to the point where if you try "apt-get --purge remove *avahi*" it removes dozens of essential desktop packages.
the concept of "supernodes" did not enter peoples' heads until p2p began to develop. certainly it had not occurred either to the microsoft WINS developers to use hierarchical WINS infrastructure, and, as i mentioned in the article, the destruction of the concept of "scope" made it irrelevant for the MS development teams to incorporate either hierarchy or peer-to-peer concepts.
... but that DOES NOT STOP such concepts from being retro-fitted, now, does it? especially now that such concepts ("supernodes") are now well understood?
I don't know if any of the P2P networks out there can be truly called server-independent. AFAIK, Gnutella only became usable when host caches were created. You'd probably need something similar for your proposal to work.
what is really really required is some way to "get into" "the network". you only need one IP address (which would then become completely overwhelmed!) and you are away.
but... DNS already has "well-known" IP addresses, they're called the root (top level) servers! :)
so that problem is "solved". by performing a query if it is even ever necessary (due to extensive cacheing) for the root level servers it will be possible to "jump in" to the p2p network within a local area. down-level servers from the root will provide the nearest "dynamic-NBNS-like" supernode, and you go from there.
Doesn't DNSSEC depend on a signing authority, so a distributed version still wouldn't be decentralized? Of course you could choose your own signers but that would basically give you a bunch of independent DNS authorities, something we already sort of have in the form of Alternet, and which has never gotten any traction.
don't honestly know. DNSSEC is one area i don't have any current knowledge of. i've thought about ways to do PGP/GPG-signed (self-signed) records etc. but beyond that (leveraging the self-signed records) i'm not sure where you'd go from there.
... but.. yeah. thinking about it: what, ultimately, would be wrong with having a bunch of independent (Dynamic-)DNS authorities? you wouldn't trust them a damn for "static" DNS but what _actually_ is wrong with having independent DNS "groups"?
you could consider looking up a (Dynamic-)DNS record with several of those groups, and arrive at the correct IP address by consensus, for example! :)
or, you could have one country say "stuff the root DNS as defined and dictated by the U.S., we mandate... ooo... this Certificate as being authoritative" !
:)
First, ZeroConf is not LLDNS/mDNS/Bonjour. ZeroConf is about adhoc addressing. Avahi happens to implement both.
Second, there is nothing in Bonjour to prevent you from giving out a DNSSEC signing tree to the other party across the local link.
I don't really understand the point here.
Supernodes/caches only help if you have a clearly defined way of figuring out who is authoritative for a name. DNS makes that hierarchical.
If you want to send DNS requests through some kind of p2p to get name resolution, rather than following NS records, do so... DNSSIG RR in the reply would provide an assurance that you are getting the right answer.
But, what does all of this gain?
i'm thinking ahead.
what happens when the internet becomes fragmented? what happens when you can no longer reach critical root nodes? what happens when internet routing is so sporadic that reaching DNS servers is severely problematic? what happens when there's a "cyberwar" and countries _deliberately_ shut down large section of internet infrastructure in order to "protect" their "assets"? what happens when "cyberwars" are actually successfully executed and the target countries infrastructure is undermined? what happens when a country decides it no longer wants to respect the peering arrangement? what happens when a country decides it no longer wants to respect any of the rules?
how do you cope with any of these things, when the most critical part - the DNS - is concentrated in the hands of a few corporations, in direct violation of the principle of defense-in-depth?
Why names, posted 13 May 2010 at 00:59 UTC by ilgiz »
(Journeyer)
The idea of DNS assumed that network interfaces could be identified by assigning names to them. Now we have a DNS protocol that satisfies both the original requirement and the need of IPv4 protocols in numeric destination addresses. IPv4 networks rely on routers to physically deliver packets based on their numeric destination address. The routers rely on the underlying 6-byte ethernet addresses which may be requested with or sniffed from the ethernet level ARP protocol.
It appears to me that the idea of assigning unique names to hosts implied hierarchical name resolution.
Perhaps, hierarchical naming was not the only way to satisfy the requirement: to physically deliver a packet to a known machine. I can imagine a "postal", or "geographical" naming scheme where global routers know only about countries in the destination address and local routers maintain a more specific information about machines in the neighbourhood.
Re: Why names, posted 13 May 2010 at 01:13 UTC by ilgiz »
(Journeyer)
(So a postal name could still have a global registry of known short-cuts such as "Google" or "Microsoft", but generally look like "Russia, Уфа, улица Зорге, д. 4, кв. 26". Mobile and virtual interfaces could have their provider-specific registries with names such as "Canada, Telus Mobility, 519-999-999" or "Australia, Rimuhosting, <VPS name chosen by the user>".)
Re: Re: Why names, posted 13 May 2010 at 01:16 UTC by ilgiz »
(Journeyer)
Advogato's trust metrics could be applied to the new "postal" routers to discard spoofing attempts early.
This has great potential and something i have been pondering for a while, drop me a message if you want to work on this more.
[ Home | Articles | Account | People | Projects | FAQ ] 
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank