DNS problems and alternatives

Replacing the DNS is a recurrent topic. In this post I try to explain the problems and give a list of existing or proposed alternatives.

Problems of the DNS

A little terminology first : the DNS has two functions, registering and resolving names. Critics of the registration mechanisms are mostly political, resolution problems are mostly technical.

Censorship

The US government has seized many domain names in November 2011, as it had done the year before. Contrary to what some people said, the ICANN was not involved in those operations. It was Verisign, the operator of the .com, .net, and .name generic top-level domains, that was ordered to seize the domains. As a result, some sites have fled generic TLDs controlled by US companies.

Economic vampirism and domain parking

The DNS is a big profitable business.

The name renting (you can't buy a domain name) business works like this : client → registrar (domain manager) → registry (TLD manager) → ICANN (root manager). Some of these organizations are nonprofit (e.g. ICANN), but that doesn't mean people working for them don't profit (there are high salaries, expensive dinners, trips, etc). Others are corporations that make very good profits1.

X.509 certificates are another business. They are delivered by Certificate Authorities and used in TLS. This security model has been widely criticized234 and there are plans to put certificates directly in DNS records56, and others to replace X.509 by OpenPGP7.

Finally, there is the very annoying domain parking business.

Technical problems

Being very old, the DNS also has technical weaknesses.

The first is slow propagation of records because the DNS uses time-based caches.

The second is that records are not stored in a P2P network, but by authoritative servers, which can be taken down by DoS attacks if they aren't sufficiently protected. This is rarely a problem in practice though.

Why haven't the problems been solved yet ?

Well, because different people want things that are contradictory. The problem is often known as Zooko's triangle, but there are in fact more than three desirable properties for identifiers :8

Existing or proposed alternatives

I can't help but start by my own DNS replacement proposal. :) The Internet Naming System acknowledges that there is no perfect solution and chooses to keep a central authority for name allocation. It makes censorship automatically detectable but not impossible.

Projects for P2P registration of names :

Technical solutions for improving resolution :

Other projects :

Other proposals :

References and credits

Thanks to Stéphane Bortzmeyer for helping with this post.


  1. Confessions d'un voleur [fr] ↩

  2. New Research Suggests That Governments May Fake SSL Certificates ↩

  3. It's Time to Fix HTTPS ↩

  4. Technical Architecture shapes Social Structure: an example from the real world ↩

  5. DNS-based Authentication of Named Entities - IETF Working Group ↩

  6. Exposé sur les clés dans le DNS à JRES [fr] ↩

  7. The Monkeysphere Project ↩

  8. Inventer un meilleur système de nommage: pas si facile [fr] ↩

Comments

Add a comment