
Peter Sunde Wants To Create Alternative To ICANN

Soulskill posted more than 3 years ago | from the icann-see-why dept.

The Internet 276

An anonymous reader writes "According to Peter Sunde's Twitter feed, he has been suspicious of ICANN for a long time. The non-profit corporation is tasked with managing both the IPv4 and IPv6 address spaces as well as handling the management of top-level domain name space including the operation of root nameservers. Sunde has lost a domain in the past because of the way ICANN acted. It was taken without any consultation on their part, instead the organization relied on information from recording industry group IFPI to change the domain ownership. But it seems for some reason his frustration has come to a head recently, and he has put a call out for help to create a competing root server."

276 comments

You can't compete with root. (4, Insightful)

LostCluster (625375) | more than 3 years ago | (#34382790)

The ROOT domain system is just that, it's trusted because well, if we didn't trust somebody at #1 this whole thing wouldn't work. You can't have a competing .com, .net, .org registry... sure, you could declare your own TLD and be root of that but, well, we don't trust you as much as we trust ICANN because, well, they've been root for a while now and haven't blown it that badly.

Re:You can't compete with root. (3, Insightful)

bbtom (581232) | more than 3 years ago | (#34382900)

If redirecting NXDOMAIN to partnered search results pages and killing a bunch of anti-spam scripts and endorsing ridiculously stupid shit like .eco, .xxx, .jobs and .tel happen wasn't enough for ICANN to have "blown it", complying with a Department of Homeland Security request to remove a bunch of domains that contained material that infringes copyright should be the nail in the coffin for the useless stuffed shirts at ICANN.

ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.

Re:You can't compete with root. (4, Informative)

Glendale2x (210533) | more than 3 years ago | (#34382982)

If redirecting NXDOMAIN to partnered search results pages

VeriSign != ICANN

Re:You can't compete with root. (0)

Anonymous Coward | more than 3 years ago | (#34383240)

If redirecting NXDOMAIN to partnered search results pages

VeriSign != ICANN

And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

IETF, IANA, the RIRs, etc. all seem to work well without having some legal entity with a bunch of corporate bullshit. The suits have managed to royally fuck things up at ICANN.

I agree with the GP: money has generally corrupted the process which should be a simply technical matter of updating a simple list of TLDs as countries have come and gone according to ISO 3166-1 alpha-2. The bureaucracy has started to serve itself.

Re:You can't compete with root. (5, Informative)

mysidia (191772) | more than 3 years ago | (#34383546)

And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

That was what was going to happen [icann.org] . Instead, something very strange happened. The final outcome was that ICANN SETTLED with VeriSign. But this was kind of like the Google books settlement, in that the settlement was EXTREMELY FAVORABLE to VeriSign.

Prior to this settlement, the .COM / .NET registry was a FOR BID contract that would come up for bidding and renewal every 6 years. The registry price was capped at $6 per domain per year under the contract at the time.

In the settlement ICANN agreed to guarantee to renew their contract at the end of the term, unless it is proven that VeriSign substantially breaches the new contract, they have the contract perpetually. [paraphrasing], "For the sake of Internet stability" (as ICANN people put it)

The settlement from the SECSAC process also gave NSOL the right to raise prices. The settlement gave them the right to raise prices 7% 4 out of 6 years of every contract term after 2007, with no cost justification needed.

The VeriSign/Network Solutions Internic can raise prices all 6 years of the contract term, if they provide a cost justification for 2 of those years. In 2010 they raised prices for .COM and .NET domains, and publicly someone indicated a cost justification of "Increased number of DNS lookups being performed" (against .COM and .NET registry servers)

I think 5 years from now, .COM and .NET TLDs will be priced by the registry at approximately $12 instead of approximately $8. We can look forward to paying $100 per year to the cheapest registries to renew .COMs, within this decade or the next, just like it used to be before competitive registrars.

Oh right... "competitive registrars" doesn't matter much, when there is a for-profit global registry everyone has to pay who has a guaranteed right to raise prices, and a guaranteed right to not get fired, because a legal settlement means ICANN legally cannot bring the contract up for bid, unless NSol screws up.

Re:You can't compete with root. (1)

Glendale2x (210533) | more than 3 years ago | (#34383558)

If redirecting NXDOMAIN to partnered search results pages

VeriSign != ICANN

And why didn't ICANN start the process of "firing" VeriSign immediately after the incident?

IETF, IANA, the RIRs, etc. all seem to work well without having some legal entity with a bunch of corporate bullshit. The suits have managed to royally fuck things up at ICANN.

I agree with the GP: money has generally corrupted the process which should be a simply technical matter of updating a simple list of TLDs as countries have come and gone according to ISO 3166-1 alpha-2. The bureaucracy has started to serve itself.

ICANN did assert that they overstepped their authority, and VeriSign later sued ICANN.

Re:You can't compete with root. (2, Informative)

Anonymous Coward | more than 3 years ago | (#34383242)

Verisign should have lost their root server assignment 10 years ago. Between their wildcard allocation for *.com a few years back, their pitiful handling of IPv6, their pretense at innocence when they assign domain authorities to spam hosting domains, their support of "reserving" domains by abusive registrars who blackmail people who search domains to see if they're available, and their refusal to cooperate with domain owners who want to reliably provide reverse DNS, they're not competent and their effective monopoly should be transferred.

Re:You can't compete with root. (3, Informative)

mysidia (191772) | more than 3 years ago | (#34383580)

their refusal to cooperate with domain owners who want to reliably provide reverse DNS

What the heck are you talking about? What is your beef with their reverse DNS handling?

This is an IANA / RIR function, and I have never seen any issues or mishandling of RDNS by the registry.

Re:You can't compete with root. (4, Interesting)

mysidia (191772) | more than 3 years ago | (#34383404)

If redirecting NXDOMAIN to partnered search results pages and killing a bunch of anti-spam scripts

You mean an anti-spam technique (of fairly limited effectiveness) of reverse path validation, through making extra domain lookups for the forward DNS hostname of the Return Envelope, not called for by the SMTP RFCs, which also place extra (unwanted) load on DNS servers?

Please don't confuse ICANN with Network Solutions / Verisign (Sitefinder). By the way, the SiteFinder Fiasco you refer to ended when ICANN was going to file a lawsuit against Network Solutions over "sitefinder" and reached a settlement. Settlement: ICANN agreed to discontinue the sitefinder service / stop wildcard resolving immediately, and will seek permission under ICANN rules before introducing any new service such as that.
But, in exchange, as part of this settlement, NSol's contract to be operator for the .COM / .NET TLDs was changed so ICANN guarantees to renew the contract perpetually at the end of every contract term (unless there is a proven breach), AND, also, the settlement gave Network Solutions a right to increase prices 7% every 4 out of the 6 years of every contract term after 2007, with no justification.

NSol can increase prices in 6 out of 6 years, if a cost justification is given in 2 of those years.

Note that back in 2007, .NET and .COM prices were capped by the registry at $6. Today they are approximately $8. Domain prices per-domain are getting more expensive, and the stated justification is "higher volume of DNS queries", what do you think about that?

So the whole 'sitefinder thing' was a win win win for Network Solutions, because ICANN essentially got themselves a free perpetual contract, which ICANN justifies on the basis of "A perpetual contract provides greater stability for the Internet"; never minding the fact the contract becomes less favorable for the community every year NSol chooses to raise prices.

Still... things are "stable", and doesn't matter that much that NSol got rewarded for their attempted sitefinder moneygrab does it?

endorsing ridiculously stupid shit like .eco, .xxx, .jobs and .tel happen

Apparently it wasn't that 'stupid'... I mean, someone had to pay $50,000 just to apply, and put significant capital down to have a registry that would meet ICANN's minimal technical standards for a stable registry. The letters in the TLD are just one factor; the decision to 'add a TLD' or not is almost all about the technical aspects of a proposed TLD and how many sites and domain registrars are interested in the TLD.

complying with a Department of Homeland Security request to remove a bunch of domains that contained material that infringes copyright should be the nail in the coffin for the useless stuffed shirts at ICANN.

ICANN just defines the rules and contracts the registry services, I believe you are again blaming ICANN for an individual registrar and US government thing

ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could. Or better yet, a proper distributed alternative to DNS.

Now there's something we can agree on. Unix hacker types could do better, if only they could get the financing, and backing from the corporate types.

It would probably be good enough though to have an association serving a different group of corporate whores.... for example, ISPs instead of the WIPO, RIAA, registrar, pro-squatter, and pro-advertising/pro-marketing folks.

Re:You can't compete with root. (3, Insightful)

Daniel Dvorkin (106857) | more than 3 years ago | (#34383538)

ICANN is really a perfect example of where a bunch of wise-beard Unix hacker types could do a better job than the corporate whores currently doing it could.

Almost everything in the world currently being done by corporate whores could better be done by wise-beard Unix hacker types; the tiny number of things that couldn't, aren't worth being done at all.

Re:You can't compete with root. (3, Insightful)

Nursie (632944) | more than 3 years ago | (#34383562)

"You can't have a competing .com, .net, .org registry"

Sure you can. Did you young folks never hear of AlterNIC?

(OK, you young folks might be an exaggeration, you have a slightly lower UID and I'm only 32, but still)

All you have to do is persuade people to use your name servers instead of the normal ones. There's an infrastructure cost associated with that of course, but there it is. ICANN might kick and scream and maybe even sue, but there's nothing to stop the net being usurped by an enterprising newcomer. It would lead to namespace fragmentation and all sorts of interesting user effects, but it's a possibility.

I quite like the idea of us geeks using one lot and the general public using another. They can have their own internet with the facebooks and packet shaping and the september that never ends. And we'll have ours and reset it to 1995 style...

Sour grapes? (1, Insightful)

Meshach (578918) | more than 3 years ago | (#34382792)

Sounds like Peter Sunde is bitter at his lost domain. If it ain't broke don't fix it.

Re:Sour grapes? (2, Funny)

LostCluster (625375) | more than 3 years ago | (#34382840)

ICANN declares man loser, loser vows to replace ICANN. Details at 11, or at 10 on that UHF station we co-own.

Re:Sour grapes? (3, Insightful)

Gonoff (88518) | more than 3 years ago | (#34383020)

If it ain't broke don't fix it.

I think he feels that it is broke.
I think a big problem is that ICANN gives too many questionable organisations too much say into what happens. I include in that list, MPAA RIAA and their alternatives in the remaining 96% of the planet, various spooks and one particular national government.
I suspect people here can think of many more names...

Re:Sour grapes? (2, Insightful)

LordLimecat (1103839) | more than 3 years ago | (#34383372)

Wait, so a bunch of spooks and RIAA and MPAA folks have their claws into the ICANN, and the ICANN just revoked access to "one of Sunde's domains" (mysteriously unnamed!!!), but Pirate bay remains online.

We're supposed to extrapolate from this that there is a domain of Sunde's that the MPAA / RIAA want offline MORE than pirate bay? Riiiiiiight. How about telling everyone what domain it was so we can judge for ourselves whether or not ICANN is acting in bad faith; I may not trust the MPAA / RIAA, but I'm not entirely sure I want to take the word of the guy running pirate bay, either.

Re:Sour grapes? (4, Insightful)

Skal Tura (595728) | more than 3 years ago | (#34383686)

How about this? The Pirate Bay is too public to pull off a stunt like this, but some less known domains (like the ones seized a few moments ago) spur less activism against it, so they can slowly roll it in and make it a norm. (like the antiterrorism bullshit going around)

Re:Sour grapes? (1)

Darinbob (1142669) | more than 3 years ago | (#34383926)

If it's broke we should fix it. But that doesn't mean letting self proclaimed pirates be in charge, much less be the root of a "trusted" chain.

Re:Sour grapes? (0)

Anonymous Coward | more than 3 years ago | (#34383314)

It took me a while to figure out that this is the same Peter Sunde behind The Pirate Bay. The same one who has been sentenced to jail time in Sweden for it.

So he's crying about the IFPI seizing his file sharing domain... cry me a river.

Re:Sour grapes? (2, Informative)

Rijnzael (1294596) | more than 3 years ago | (#34383354)

He's "crying" about them stealing a domain he legally paid for [slyck.com] .

Re:Sour grapes? (1)

MightyYar (622222) | more than 3 years ago | (#34383604)

First, he didn't pay for it - it was given to him. But that's not really germane.

The main point is that they didn't "steal" it. He put up a BS site to try and claim the initials IFPI after the real IFPI forgot to renew. This would be like lucking into the coke.com domain and then creating an organization called Computer Organization of Knowledge and Education to provide an excuse to hold it.

In my opinion, the whole nissan.com debacle is a much more abusive situation. Nissan has been suing this poor guy for over 10 years, even though he sells computers rather than cars! He's won so far, but at considerable cost.

Re:Sour grapes? (3, Insightful)

Skal Tura (595728) | more than 3 years ago | (#34383710)

The IFPI organization doesn't have any more right to the domain than Sunde did.

Leaving it unrenewed is their friggin' problem, not anyone else's. No average joe can go bitch "that dude stole my domain!", "It says here you didn't renew it", "So what, it's mine! I forgot!", why should MAFIAA have that right?

Re:Sour grapes? (1)

camperdave (969942) | more than 3 years ago | (#34383606)

He's crying about a domain that was transferred to him by some cyber-vulture who swooped in and grabbed it after the IFPI forgot to renew it. The Pirate Bay was found to have registered the domain in bad faith (the domain cannot be used to cause confusion with the "Complainant's mark"), and it was returned to its original owner.

Sorry, but I don't see a foul here.

Badly Broken, but Can't Be Fixed (1)

billstewart (78916) | more than 3 years ago | (#34383720)

ICANN isn't in the Internet Protocol business, they're in the Intellectual Property business. It's about Trademark Control Protectionism, not Transmission Control Protocol. And the people who run the real root servers don't work for ICANN, but they do cooperate with them, and any attempts at alternate roots failed years ago, for reasons that aren't going to change.

Furthermore, if you want to start an alternate naming business, you can hang it off the existing DNS structure as myroot.someTLD so real people can find it, and then try convincing customers that they should buy theirname.yourTLD.myroot.someTLD from you because 0.0001% of the population can access it as theirname.yourTLD using your root. If you've got a spare couple hundred thousand dollars, write up a proposal to ICANN about why your project is cool enough and they might sell you your own real TLD, but the catch is that "competing with ICANN" isn't a business plan they're interested in, and "selling names in a .sex TLD for Profit" is a plan that other people with far more money than you have already been trying to sell them on.

If you don't like that, you could try buying a country code TLD from some small country. Most of the good ones already realize their commercial value, and ICANN has been trying to bully all the CCTLD administrations for years, with some success, and a lot of random small countries end up deciding that they don't like the business plan you've spent big bucks promoting because they're Islamic Republics and they're shocked to discover that there's porn on the internet, though in some cases they can become less shocked for a sufficiently large cut of the profits. But maybe you'll think up a clever naming convention that you can sell to somebody; it can't be clunkier than bit.ly.

Do it! Do it now! (5, Interesting)

wierd_w (1375923) | more than 3 years ago | (#34382794)

An alternative name registry service would do wonders to cripple the whole "internet censorship" bandwagon that has been going on recently. Blacklists? Rendered at the very least 2X as difficult to implement on a national scale, simply because the clients you are attempting to prevent from accessing content can reach that content by using the alternate name resolution service.

It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.

Do it. Do it now.

Re:Do it! Do it now! (5, Insightful)

gclef (96311) | more than 3 years ago | (#34382860)

Messy. Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right? The fact that there aren't good answers to these questions is a big part of why we've tried to avoid splitting the DNS roots.

Re:Do it! Do it now! (3, Interesting)

wierd_w (1375923) | more than 3 years ago | (#34382930)

Take the recent "seizures" of torrent sites by the US government; In order for the government to keep track of DNS entries that it has "Confiscated", it has to apply it to easily identifiable name servers. (In this case, something along the lines of "Seized.xxxx.NS") Since it would become an administrative nightmare to NOT use some form of naming convention for such "Blocked" sites, it should be fairly simple to resolve "Which" IP addresses and name servers to accept as entries/accept entries from.

If the two IPs match, Good for you.

If they don't, does one get resolved by a "blacklist placeholder" NS? If so, ignore that entry and use the redundant one.

If they don't, and neither points to a known placeholder, "ASK", allow the user to try both and then pick the appropriate one.

Re:Do it! Do it now! (4, Insightful)

gclef (96311) | more than 3 years ago | (#34382984)

Skip the government part (though, honestly, I see no reason why they'll operate the way you think they will)...what about businesses? For example: Apple.com. There are several companies that can claim honest ownership of the "apple" name as a business title (apple computers, apple records, etc). If each of them buys the apple.com name in a different root, which one's "right"? All of them have reason to argue they are...do you expect users to have to surf to all of them one by one to find the "right" apple.com? Seriously? So now the users have to know about all possible DNS roots? yuk.

You seem to be assuming that the DNS with multiple roots will have very few name collisions except for government-caused ones...I don't think that's a safe assumption at all.

Re:Do it! Do it now! (2, Interesting)

wierd_w (1375923) | more than 3 years ago | (#34383066)

Easily enough resolved with a firm root-level policy:

Mirror ICANN, EXCEPT for blacklists.

The idea is a not-for-profit alternate root. Not a "For profit" alternate root.

Re:Do it! Do it now! (3, Interesting)

gclef (96311) | more than 3 years ago | (#34383120)

If you're just going to mirror ICANN's root, why bother? (And why would ICANN or anyone tell you what the blacklisted domains are? They'll just drop them from the list of registered domains.)

Re:Do it! Do it now! (1)

LordLimecat (1103839) | more than 3 years ago | (#34383430)

Can't we just check for the evil bit in the DNS responses? If 1, drop the response, if 0, accept it in the mirror....

Re:Do it! Do it now! (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34383718)

You would be making the mistake anyone who wants an alternate root gives a crap about any commercial organisation.
We as humans deal with name space collisions every day, with our very own names, I think if we can handle it in real life, we can deal with it on here.
As with all open source things, you are free not to participate, but you can always join later.

Re:Do it! Do it now! (1)

LordLimecat (1103839) | more than 3 years ago | (#34383420)

I'm not sure I agree with the assumption that is the cornerstone of your argument:

In order for the government to keep track of DNS entries that it has "Confiscated", it has to apply it to easily identifiable name servers.

What makes you think this is the case? Why can't they simply store that info in a database?

Re:Do it! Do it now! (2, Insightful)

OverlordQ (264228) | more than 3 years ago | (#34383458)

If they don't, and neither points to a known placeholder, "ASK", allow the user to try both and then pick the appropriate one.

How is this supposed to work? I could register facebook.com, put up a phishing page that looks exactly the same and then if we used your system, how does the user know which one is right?

Re:Do it! Do it now! (2, Interesting)

dch24 (904899) | more than 3 years ago | (#34382964)

Yeah, messy.

To identify google.com, use dnssec. To identify trusted root certs, either use the ones that come with your browser (just like SSL) or add/remove certs manually.

Ok, I can think of immediate issues with that. All I'm saying is, not that hard to solve.

So, problems with using a certificate store, like the one that comes with your browser:

Re:Do it! Do it now! (2, Informative)

wierd_w (1375923) | more than 3 years ago | (#34383016)

I suppose the first one could be overcome with some local CA blacklists. (why Mozilla accepts a Chinese CA I don't know. Seems suicidal.)

The RST packet issue becomes difficult to address without implementing some kind of homebrew device to sit between your router and your private network, that does DPI to look for the RST signals and filter them, then do some creative ACK to make sure the sender didn't send a legitimate one. This would slow network access when ATT sends the abusive RST packets, but slow is better than unstable.

With modern linksys firmware hacks being available, such an approach could be implemented into the router itself. It would be an interesting thing for the router to automatically log and report on too.

Re:Do it! Do it now! (2, Insightful)

gclef (96311) | more than 3 years ago | (#34383094)

DNSSec won't solve the multiple-root problem, though. If each root has a separate trust entry point, and the sub-entries are correctly signed, you won't be able to tell which one's accurate, just that the answers are verified by the root. You'll still be left with very confused users.

This happens today with SSL, it's just harder to see: if two different SSL registries issue certs for "google.com", which one's right? If you trust both of them, then the answer is "both." The same will be true for the multiple DNS roots if they use DNSSec: you'll be able to tell for certain that the answer is correct from the point of the root, but which root is *right* will be far less clear.

Re:Do it! Do it now! (2, Informative)

LostCluster (625375) | more than 3 years ago | (#34383086)

Yep, and that's the reason why we have ISP DNS, Google's 8.8.8.8 offering and OpenDNS all offering lower-tier servers so if you want to know where Google.com went, you can ask Google. Most of the DNS fouls such as taking all NXDOMAINs and returning a "search portal" are done by the low-level guys, not ICANN.

Re:Do it! Do it now! (1)

MagicM (85041) | more than 3 years ago | (#34383338)

Question: which root do you ask for google.com? All of them? What if they reply with different addresses...which one's right?

Given the fact that there are thirteen root servers [wikipedia.org] , those are actually very good questions. Do you know the answers?

Re:Do it! Do it now! (2, Insightful)

gclef (96311) | more than 3 years ago | (#34383548)

But they all (intentionally, and by design) respond with the *same* *data*. The fact that there are 13 of them doesn't change the fact that there is only one root *zone*. What's being proposed is having different root zones, and so the assumption that the different roots will answer with the same information goes out the window.

Re:Do it! Do it now! (0)

Anonymous Coward | more than 3 years ago | (#34383466)

Easy whichever is quickest! or have a personalised weighting system.

Re:Do it! Do it now! (1)

BCoates (512464) | more than 3 years ago | (#34383624)

You're right, there is no objective way to say which is the "correct" google.com, you have to have some trusted body giving out monopolies on individual names. But that's not the problem that needs to be solved: the problem here is the body revoking names afterwards.

I think that it *is* possible to create a system where names are assigned permanently and can't be taken back. It might look something like this:

1. You buy example.com in the traditional manner from an untrusted legacy registrar.
2. You generate yourself a public/private keypair, and with it claim ".hash" or somesuch. These domain names won't collide and you can prove your ownership with a digital signature.
3. Any of several partly-trusted CAs signs a non-expiring DNS record pointing example.com to .hash.
4. Said CA retires their certs rapidly, say weekly, and publishes the entire list of signed DNS records somewhere publicly accessible. Each signature links to the next in a manner that proves they have signed no other records with that cert. (*)
5. You upload your signed example.com record to both the legacy DNS and a secure hash-based p2p network. (**)
6. You upload a regular, updatable/expiring DNS record for .hash into said network as well.
7. Upon doing DNS lookup, DNS servers ask the p2p network for valid, signed records; if they exist they are cached and the legacy DNS is not consulted. If not (or more likely in parallel), legacy DNS is asked and if a valid, signed *.hash redirect is found it's cached and reinserted into the p2p network (hopefully forever). Only if no signed records at all are found is the old, vulnerable record used.

If ICANN/the department of louis vitton/whoever tries to hijack the domain name, they'll only do so for users not on the new system. Upgraded users will ignore the change.
If the CA tries to make forged records to redirect your permanent redirect it will be invalid (if done after the fact) or publicly detectable (if done in advance).
If you're running a security-aware DNS client and your middle-tier DNS server is up to shenanigans the certs won't verify.

The best part is this could be done from the middle-out without the consent of ICANN or need to reconfigure client devices--you just need one upgraded DNS server anywhere in the hierarchy above you.

There is no possible after-the-fact ambiguity over who owns the name so long as all the CAs get together and promise not to re-assign an already used name (which would be detectable and should result in them being banned from making further assignments)

(*) I think this is a solved crypto problem and a workable solution is described in the 1996 version of Bruce Schneier's Applied Cryptography but I don't remember where I put it
(**) This is theoretically a solved problem and mostly solved in practice
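One way to realize the linked publication list from step 4 of the comment above, and the two detection claims that follow it, is a hash chain over the published records. This is an added example, not BCoates's code or any project's. The SHA-256 chain, the JSON record encoding, the format of the `.hash` label and every function name are assumptions, and the CA's signature over the chain head is not modeled.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value that the first entry links back to


def key_name(public_key: bytes) -> str:
    """Self-certifying name from step 2: a label derived from the owner's key.

    The 32-hex-digit truncation is an assumption made for this example.
    """
    return hashlib.sha256(public_key).hexdigest()[:32] + ".hash"


def entry_hash(prev: str, name: str, target: str) -> str:
    """Hash one redirect record together with the hash of the record before it."""
    body = json.dumps({"prev": prev, "name": name, "target": target},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append(log: list, name: str, target: str) -> str:
    """Add a permanent redirect (name -> target) and return the new chain head.

    In the scheme described above, the head is what the CA would sign and
    publish with its short-lived certificate.
    """
    prev = log[-1]["hash"] if log else GENESIS
    digest = entry_hash(prev, name, target)
    log.append({"prev": prev, "name": name, "target": target, "hash": digest})
    return digest


def verify_chain(log: list, published_head: str) -> bool:
    """Recompute every link and compare the result with the published head.

    Fails if any record was edited, removed, reordered or inserted after
    the head was published.
    """
    prev = GENESIS
    for entry in log:
        expected = entry_hash(prev, entry["name"], entry["target"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return prev == published_head


def find_reassignments(log: list) -> dict:
    """Return names that the log points at more than one target.

    A valid chain can still contain a double assignment; because the whole
    list is public, any auditor can spot it.
    """
    targets = {}
    for entry in log:
        seen = targets.setdefault(entry["name"], [])
        if entry["target"] not in seen:
            seen.append(entry["target"])
    return {name: seen for name, seen in targets.items() if len(seen) > 1}


def build_demo():
    """Constructed sample data: two owners, three redirects."""
    owner = key_name(b"constructed owner public key")
    other = key_name(b"constructed second public key")
    log = []
    append(log, "example.com", owner)
    append(log, "example.net", other)
    head = append(log, "example.org", owner)
    return log, head, owner, other


if __name__ == "__main__":
    log, head, owner, other = build_demo()
    print("honest log verifies:", verify_chain(log, head))

    # After the fact: an existing record is edited in place.
    edited = [dict(e) for e in log]
    edited[0]["target"] = other
    print("edited log verifies:", verify_chain(edited, head))

    # In advance: the CA appends a second assignment for the same name.
    doubled = [dict(e) for e in log]
    new_head = append(doubled, "example.com", other)
    print("doubled log verifies:", verify_chain(doubled, new_head))
    print("reassigned names:", find_reassignments(doubled))
```

The chain only shows that the published list is internally consistent and complete up to a given head. Noticing a double assignment still depends on someone running the audit over the public list.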

Re:Do it! Do it now! (2, Insightful)

interkin3tic (1469267) | more than 3 years ago | (#34383098)

An alternative name registry service would do wonders to cripple the whole "internet censorship" bandwagon that has been going on recently. Blacklists? Rendered at the very least 2X as difficult to implement on a national scale, simply because the clients you are attempting to prevent from accessing content can reach that content by using the alternate name resolution service.

For five minutes or less before the proponents of the blacklist say "This goes for those guys too."

Re:Do it! Do it now! (0)

Anonymous Coward | more than 3 years ago | (#34383190)

Even if there was an alternative to the current DNS system of lookups, who says that we'd even be "allowed" to use it? There are already accusations of alternative DNS blocking by ISPs [washingtonpost.com] .

Re:Do it! Do it now! (2, Insightful)

c0lo (1497653) | more than 3 years ago | (#34383196)

It would make measures like the Australian blacklist falderall all that much more difficult to actually pull off, and would render efforts like COICA similarly difficult.

Do it. Do it now.

If it is for making the Big Brother's job slightly more difficult, until yet-another-TLD-DNS gets created, maybe you can trust some OpenNIC [opennicproject.org] DNS-es? Just asking.

Re:Do it! Do it now! (1)

LordLimecat (1103839) | more than 3 years ago | (#34383398)

Except blacklists aren't being applied at the root DNS level last time I checked, so it's pretty irrelevant. You're looking for a solution to a problem that doesn't exist. Australia can simply filter DNS responses as they reach the mainland, since there's only one or two lines entering the country. Even if you have alternative roots in Australia, the ISP can filter stuff as it heads towards your modem.

Changing DNS settings will never be the fix for censorship unless the person censoring hasn't yet gotten out of networking 101.

Static IPv6 addresses for everyone. (5, Interesting)

steeleyeball (1890884) | more than 3 years ago | (#34382808)

No more of this Pansy DNS crap. Know your IP address like you know your phone number. Cut these clowns off at the legs. Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software... Take charge by taking responsibility from those who don't care and don't know!

Re:Static IPv6 addresses for everyone. (2)

SanityInAnarchy (655584) | more than 3 years ago | (#34382856)

Know your IP address like you know your phone number.

You mean like how I don't know it at all? That's what address books are for, and DNS is a gigantic global address book.

Re:Static IPv6 addresses for everyone. (2, Informative)

0123456 (636235) | more than 3 years ago | (#34382912)

That's what address books are for, and DNS is a gigantic global address book.

Except other people keep coming in and changing your address book so you go to visit your mother and end up at some porn store or the DHS instead.

The centralised nature of DNS has been a huge flaw in the Internet for a long time, and it should really be replaced. The problem is coming up with a better solution.

Re:Static IPv6 addresses for everyone. (2)

Obfuscant (592200) | more than 3 years ago | (#34383192)

...so you go to visit your mother and end up at some porn store or the DHS instead.

My mother runs a porn store on the second floor of the local DHS building, you insensitive clod.

Or "in Russia, going to porn store results in visit to mother."

Whatever.

Re:Static IPv6 addresses for everyone. (0)

Anonymous Coward | more than 3 years ago | (#34383254)

In Soviet Russian porn store, mother visits you.

Re:Static IPv6 addresses for everyone. (0)

Anonymous Coward | more than 3 years ago | (#34383630)

Yeah, I love that one too.

Re:Static IPv6 addresses for everyone. (1)

SanityInAnarchy (655584) | more than 3 years ago | (#34383818)

The problem is coming up with a better solution.

Indeed.

And I really can't think of a better solution which lets me type slashdot.org and have a reasonable expectation of actually getting to slashdot.

Re:Static IPv6 addresses for everyone. (2, Insightful)

Demonantis (1340557) | more than 3 years ago | (#34383038)

It was called internic and it could easily come back because of this. Especially for sites the government is trying to block. The next most likely thing would be multiple DNS networks and everyone just gets used to having to switch depending on what they want to go to. Could easily be rectified at the browser level by "dialing in" that session's DNS ip. Eventually the most bipartisan DNSs would get used the most. ISPs would actively pursue an effective DNS system to maintain their consumer base in areas with no monopoly. There is nothing limiting there being many DNSs other than the fact that consumers would have to learn more about how the internet actually makes the magic happen and the general confusion that would ensue from that. Plus all the phishing of domain names.

Re:Static IPv6 addresses for everyone. (3, Insightful)

Mitchell314 (1576581) | more than 3 years ago | (#34383124)

Look, there's no way you're going to convince me to remember one IP6 address, let alone a bunch of them. That's 32 hexadecimal digits.

Re:Static IPv6 addresses for everyone. (1)

camperdave (969942) | more than 3 years ago | (#34383660)

Look, there's no way you're going to convince me to remember one IP6 address, let alone a bunch of them. That's 32 hexadecimal digits.

I prefer to think of it as eight "quads".

Re:Static IPv6 addresses for everyone. (1)

LordLimecat (1103839) | more than 3 years ago | (#34383484)

Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software...

I do IT work for a living, and I don't even know my router's IPv6 address.... what on EARTH makes you think people will want to keep a list of those?

Has it even occurred to you that there are dozens of legitimate IT reasons to use DNS? Like, say, not having to reconfigure all of your VPN clients every time you do an ISP change? Or enabling your finance folks to use email on the road through a web browser?

And while we're at it, you do realize a vast vast vast majority of virus infections do NOT come from people manually downloading and installing viruses, right? That most are from plugin exploits?

Re:Static IPv6 addresses for everyone. (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34383698)

Know your IP address like you know your phone number. Cut these clowns off at the legs. Free the net to the people who know how to use it and won't download viruses to their own computers thinking it's antivirus software... Take charge by taking responsibility from those who don't care and don't know!

I love it!
Don't go to mybank.com anymore. Go to http://FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/
BUT BEWARE! http://FFFF:FFFF:FFFF:FFFF:FFFF:FFEF:FFFF:FFFF/ is a phishing site - you don't want to go there.

But... (0)

Aerorae (1941752) | more than 3 years ago | (#34382812)

FTA-
"His plan involves the creation of a dns root server to begin with that uses PEER-TO-PEER technology and is SECURE"

uh...I'm pretty sure those two things normally don't go together...

Re:But... (3, Informative)

Josh Triplett (874994) | more than 3 years ago | (#34382924)

Many secure peer-to-peer systems exist, generally based on cryptography; often they provide more security than centralized systems.

For instance, Tor [eff.org] uses secure cryptography to provide anonymity in a way that just wouldn't work in a centralized system. i2p [i2p2.de] uses cryptographic security as well.

Re:But... (1)

Daniel Phillips (238627) | more than 3 years ago | (#34382934)

"His plan involves the creation of a dns root server to begin with that uses PEER-TO-PEER technology and is SECURE"

uh...I'm pretty sure those two things normally don't go together...

I don't know where you got that idea from, have you never heard of network of trust?

Re:But... (1)

icebraining (1313345) | more than 3 years ago | (#34382952)

Sure they do. See Tor, I2P or Freenet.

Re:But... (0)

Anonymous Coward | more than 3 years ago | (#34383602)

Amen.

I wish someone would hurry up and write a worm that creates Tor and Freenet nodes en masse.

Good plan! (0)

Anonymous Coward | more than 3 years ago | (#34382826)

Not so much to defend against the recording industry, but there are countries (well, 2 in particular) that want to control the internet. Imagine that kill-switch the US wants so badly... Wikileaks would be gone. So I think this is a fairly good plan, albeit with some major technical issues to overcome. The best way for everyone would be a system like tor/.onion. But with much better encryption and blind routing. Having said that, I wouldn't have a clue how to implement it. One thing is for certain, there should not be 1 organization or 1 government with absolute powers over the internet. The internet is in essence like the air we breathe. A right, not a privilege in this day and age.

Decentralized naming is hard (3, Insightful)

Josh Triplett (874994) | more than 3 years ago | (#34382874)

On the one hand, I absolutely want to see control over domain names taken out of anyone's hands (not just ICANN's).

However, decentralized naming is a *hard* problem. Only one entity can control a given domain name, and something, either human or automated, must decide who gets that domain name. Whether by fiat or general consensus, some process must exist to handle the case where multiple people want the same name. ("First come first served" does not suffice unless you have fees or some other measure to prevent mass registration, and decentralized control makes those measures difficult.)

(Numbers, by comparison, prove quite trivial; just use public keys. But people don't like typing in long numbers, they like typing in *names*.)

Re:Decentralized naming is hard (3, Interesting)

hey! (33014) | more than 3 years ago | (#34383040)

Hard it may be, but it has been solved, and all the necessary protocols and software exist to implement the solution. All you need is an alternative organization and the ability to convince the people you are interested in convincing to use the new servers.

As for the policy challenges you mention, Mr. Sunde doesn't *like* the way ICANN solved those problems. In fact he detests it so much he's willing (or thinks he's willing) to chuck the policy and organization that controls it out the window. Or perhaps he'll figure out a way to use his preferred servers and fall back to ICANN's DNS.

Re:Decentralized naming is hard (1)

jack2000 (1178961) | more than 3 years ago | (#34383144)

For starters mirror the current root dns but refuse to remove any domains if they were tampered with by the RIAA and the like.
Remove all squatted/harvested domains. (It's easy to detect those), smarter people could think of what's next but this is a pretty good start.

Re:Decentralized naming is hard (0)

Anonymous Coward | more than 3 years ago | (#34383224)

Do you have a suggestion on how to fund it? I don't think the donation model works very often, and a paid model is tough to implement, making sure both paying people get the service, and that unpaid users don't drain the system too much.

Re:Decentralized naming is hard (4, Interesting)

KonoWatakushi (910213) | more than 3 years ago | (#34383290)

Why continue with the concept of name ownership at all? It should be technically impossible to own a name, in the same way that it should be impossible to monopolize ideas.

Let people and entities use whatever name they want; the remaining problem is to verify that you are talking to the right host, but you should need to do that anyway. Invariably, any sort of central authority can and will be subverted. What is necessary is some other means of conveying trust, whether that is a web of trust, or some other out of band option.

This is what I believe we should strive for. The distributed naming system and trust system are orthogonal problems, but need to integrate in a convenient way. So, it is still a hard problem, just not in the same way.

Re:Decentralized naming is hard (2, Interesting)

JesseMcDonald (536341) | more than 3 years ago | (#34383360)

The model underlying Bitcoin [bitcoin.org] may provide a solution. Basically do the same thing, but with domains instead of virtual coins. The peers self-regulate the work required to solve the next block such that a fixed number of blocks (domains) are allocated per unit time; the allocation would be "first come first served", but there would be no possibility of mass registration. Once a name is allocated it can be updated at-will by the one holding its private key, or transferred to another user. Updates and transfers would take the place of Bitcoin's transactions, and be included as part of the next block.
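A toy version of the allocation scheme proposed in the comment above, as an added example that is not part of the original post and is not Bitcoin's code: each block carries one name claim, must meet a proof-of-work target that peers retarget from block timestamps, and is rejected if the name is already taken. The `.p2p` names, `fp:` owner fingerprints, field names and the one-bit retarget rule are assumptions made for the illustration; updates and transfers signed by the key holder are not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder hash that the first block points back to

def block_hash(block):
    """SHA-256 over a canonical JSON encoding of the block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def meets_target(digest_hex, bits):
    """True when the hash has at least `bits` leading zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0

def retarget(bits, seconds_taken, interval):
    """Keep allocations near one per `interval`: too fast -> harder, too slow -> easier."""
    if seconds_taken * 2 <= interval:
        return bits + 1
    if seconds_taken >= interval * 2:
        return max(1, bits - 1)
    return bits

def mine(prev, name, owner_fp, addr, bits, ts):
    """Search nonces until the block carrying this name claim meets the target."""
    block = {"prev": prev, "name": name, "owner": owner_fp, "addr": addr,
             "bits": bits, "time": ts, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    return block

def validate(chain, start_bits, interval):
    """Replay the chain as any peer would. Returns (registry, error or None)."""
    registry, prev, bits, last_time = {}, GENESIS, start_bits, None
    for i, b in enumerate(chain):
        if b["prev"] != prev:
            return registry, f"block {i}: does not extend the chain"
        if last_time is not None and b["time"] <= last_time:
            return registry, f"block {i}: timestamp does not advance"
        # The declared difficulty must be what the peers computed, and be met.
        if b["bits"] != bits or not meets_target(block_hash(b), bits):
            return registry, f"block {i}: insufficient work"
        # First come, first served: an allocated name cannot be claimed again.
        if b["name"] in registry:
            return registry, f"block {i}: name already allocated"
        registry[b["name"]] = {"owner": b["owner"], "addr": b["addr"]}
        if last_time is not None:
            bits = retarget(bits, b["time"] - last_time, interval)
        prev, last_time = block_hash(b), b["time"]
    return registry, None

def demo():
    """Constructed scenario: two honest claims, then a late claim on a taken name."""
    bits, interval = 10, 600
    chain = [mine(GENESIS, "example.p2p", "fp:alice", "2001:db8::1", bits, 0)]
    chain.append(mine(block_hash(chain[-1]), "wiki.p2p", "fp:bob",
                      "2001:db8::2", bits, 200))
    bits = retarget(bits, 200, interval)  # second claim came early: 11 bits now
    squat = mine(block_hash(chain[-1]), "example.p2p", "fp:mallory",
                 "2001:db8::66", bits, 900)
    return chain, squat, bits

if __name__ == "__main__":
    chain, squat, bits = demo()
    print(validate(chain, 10, 600))
    print(validate(chain + [squat], 10, 600)[1])
```

The difficulty here is tiny so the demo finishes instantly; the cost of mass registration scales with the number of bits the peers demand.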

Re:Decentralized naming is hard (1)

rantomaniac (1876228) | more than 3 years ago | (#34383454)

Using public keys as addresses would be pretty sweet, but how do you route traffic through a network with randomly distributed addresses? Ad-hoc routing can work on small scales, but there'd be serious issues making a global network like that.

Re:Decentralized naming is hard (2, Interesting)

burris (122191) | more than 3 years ago | (#34383632)

after Zooko [wikipedia.org] : names can be secure, memorable, or global - pick two. DNS is memorable and global but not secure. Public keys are secure and global but not memorable.

Free market solutions (-1)

Anonymous Coward | more than 3 years ago | (#34382880)

Surely this is a situation where free market fundamentals apply; after all, if people had a choice between multiple competing root servers then by the laws of competition the most reliable trustworthy operator would prevail. The corner we've painted ourselves into with ICANN surely demonstrates that communal solutions make everyone worse off.

I'm sure there will be some who try to argue that we should work within the existing system to try to address abuses but what they fail to understand is that competition creates choices and more choices necessarily means better ones. This is also why worries about net neutrality are misplaced; why pursue legal remedies when market forces will produce optimal solutions every time?

We'll call it UCANNT... (4, Insightful)

moxley (895517) | more than 3 years ago | (#34382922)

We'll call it UCANNT *rimshot*

Universal Co-op for Assigned Names, Numbers and Timeservers

Seriously though, I do think a backup system would be a good idea....It's needed in order to stop the growing attempts (that I think we're going to see a lot more of) to control, censor, filter, and police the internet....Due to the practicalities involved in how the system works, I am not certain how plausible it would be to have two competing systems while everything is working smoothly, and there are other points where the system could be messed with, but having a framework in place might not be a bad idea with the political realities we live in...

Part of me would like to do this. (5, Interesting)

hey! (33014) | more than 3 years ago | (#34382992)

It's the same part of me that, were I holding a cigarette lighter and a stick of dynamite, would be tempted to light the stick and throw it like they do in the movies, just to see what an exploding stick of dynamite really looks like. There's been so much greed and stupidity around the DNS, and it would be so *feasible* for someone to set up an independent alternative, I'd sort of like to see what it would look like when the existing system is blown to kingdom come.

However -- were I ever to be holding an actual stick of dynamite in my hands, the part of me that tends to say things like "this is not the optimum time to make an impulsive decision" would become quite strident. It's not that I would never, under any circumstance light a stick of dynamite and throw it. It's just that it being a really cool idea wouldn't be enough to make me try it until I'd thought through the consequences very, very carefully.

And as it stands, the DNS system does me more good than it has ever harmed me, and likewise for the vast majority of people who use it. It might be that giving *serious consideration* to a competitive system would do a lot of good, but a competition between two systems in which both survived would almost certainly be a bad thing.

Re:Part of me would like to do this. (1)

camperdave (969942) | more than 3 years ago | (#34383692)

There are all sorts of alternative DNS systems: OpenDNS, UnifiedRoot, DNSAdvantage, just to name a few. The kick is getting people to use them.

We have been here before (1, Offtopic)

stox (131684) | more than 3 years ago | (#34382996)

Is Peter the illegitimate son of Karl Denninger? We had the same story 15 years ago.

google root ? Apple root ? MS Root (0)

Anonymous Coward | more than 3 years ago | (#34383026)

Hhhmmm I can see good and bad on this one
I like the idea of making it more difficult to implement censorship but I have a feeling I may end up with an Apple Web and a Google Web and governments will like this in the long term I suspect

Let's fork the Internet (1)

Megahard (1053072) | more than 3 years ago | (#34383030)

People who talk about "the Internets" aren't clueless idiots after all, they're actually ahead of the rest of us.

Re:Let's fork the Internet (0)

Anonymous Coward | more than 3 years ago | (#34383078)

teh intarwebs?

Re:Let's fork the Internet (0)

Anonymous Coward | more than 3 years ago | (#34383272)

Don't worry - Comcast and Apple are already on it.

.

There already is one (5, Interesting)

gman003 (1693318) | more than 3 years ago | (#34383050)

OpenNIC. While it mirrors the ICANN addresses, it also adds several new TLDs (.oss, .geek, .parody, even .gopher) which can be easily used. This is but one of the many alternative DNS roots, but it's the most popular, and it's democratically-run.

Re:There already is one (2, Insightful)

juliandemarchi (1261822) | more than 3 years ago | (#34383768)

I would like to encourage anyone interested in the alt-dns system like Peter, to join OpenNIC (http://www.opennicproject.org). It has great ideals, and is openly and democratically run. Anyone can join this great project and contribute to it. OpenNIC has been around since 2000, and is still going well!

At last. (1)

unity100 (970058) | more than 3 years ago | (#34383064)

someone has hit the headlines with the idea. it was a long time coming. tho there is stuff like opennic (actually i'm using their dns now). these need more traction.

Alternatives to the signed root (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34383140)

Well, most of us with half a brain _already_ don't trust ICANN at all. With the signed root, you really just need to push broken DS records to invalidate entire portions of the DNSSEC namespace. The UCSA (United Corporate States of America) is quite clear that it wants to retain control, AND wants to have a "kill switch".

Well, DNSSEC *IS* by design a kill switch. It has to be, in order to work. So, we have the ccTLD root keys manually locked into our resolvers, not just the signed root. There are ways against a root blackout, if the trust anchors for the ccTLDs are still valid. We assume the gTLDs will be offline anyway, because even good people like the ones behind ISC don't want to be shot in the head for treason.

Adding extra (signed!) namespaces is equally easy, you don't have to override the root. In fact, you do not WANT to override the root, running a root server is not something you can do without lots of preparation, and *real* DoS-shielded setups. A _simple_ root server takes: Two BGP routers (one does the forwarding, the other keeps the BGP prefix up with the next_hop of the forwarding router, to make sure any DoS does not migrate to the next node should this one go down), two hardware linespeed load balancers (gigabit ethernet at least), and four to six root servers. Add two hardware linespeed traffic scrubbers if you cannot just lose that root node to a DDoS.

The root server runs a specific software that only does authoritative DNS/NSEC1 *very fast*, and they don't contain much data, you need TLD node farms for that. Non-joke root servers (serving more than 10GB/s) are considerably larger (the same size as a TLD server farm). And the routing and traffic scrubbing hardware is damn expensive.

So, that's about US$ 100k per small anycast root node, and >US$ 1M for really large ones. And you need around 200 of those around the world if you want to do a proper job, latency to root servers has to be *low*. And a new TLD that is to be used for real would need a lot of the really large nodes.

So, you really want some sort of P2P DNSSEC, to switch from a centralized model to a distributed model. You will NOT be able to wrestle the TLDs from UCSA control otherwise.

Good luck, it is a _hard_ problem.
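The DS-to-DNSKEY link that the comment above turns on, as an added example that is not part of the original post: it computes the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) for a constructed key, then shows how a zone's status changes when the parent's DS record does not match and when the resolver holds its own trust anchor for that zone. The zone `example.`, the key bytes and the "closest configured anchor wins" policy are assumptions for the illustration; RRSIG verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, as in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """(key tag, SHA-256 digest) pair as a parent zone publishes it in a DS record."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), digest

def zone_status(zone, dnskey_rdatas, parent_ds, local_anchors):
    """Classify the zone's DNSKEY set the way a validating resolver would.

    parent_ds     -- DS pairs served by the parent zone
    local_anchors -- {zone: set of DS pairs} configured in the resolver itself
    Assumed policy: a locally configured anchor for the zone is used instead
    of whatever the parent publishes.
    """
    reference = local_anchors.get(zone)
    if reference is None:
        if not parent_ds:
            return "insecure"   # unsigned delegation, nothing to validate against
        reference = set(parent_ds)
    published = {make_ds(zone, rdata) for rdata in dnskey_rdatas}
    return "secure" if published & set(reference) else "bogus"

def demo():
    """Constructed zone and key: KSK flags 257, protocol 3, algorithm 15."""
    zone = "example."
    ksk = dnskey_rdata(257, 3, 15, bytes(range(32)))
    good = make_ds(zone, ksk)
    broken = (good[0], hashlib.sha256(b"not the key").digest())
    return {
        "parent DS matches": zone_status(zone, [ksk], [good], {}),
        "parent DS broken": zone_status(zone, [ksk], [broken], {}),
        "parent DS broken, local anchor": zone_status(zone, [ksk], [broken],
                                                      {zone: {good}}),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```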

We have no other choice (1)

unity100 (970058) | more than 3 years ago | (#34383160)

a p2p, encrypted, decentralized DNS system. this is what we need.

we also need to migrate all domain ownerships currently existing in icann registry to it though. else, smartasses or squatters will grab people's domains.

God I hate twitter (1)

Gadget_Guy (627405) | more than 3 years ago | (#34383180)

How stupid is it that the summary about the lost domain is double the length of the page that it links to (234 vs 117 characters)? I clicked the link to get more information, not less!

Back on topic, there is a price that you pay for a fairly unregulated domain name market, and that is the occasional stuff up as described here. I have had the opposite problem in the past, attempts to get a domain transferred have been held up despite the owner agreeing to the transfer. Admittedly, losing a name is far worse than the temporary hassles of delays in transferals.

Someone make DNSLeaks.org! (0)

Anonymous Coward | more than 3 years ago | (#34383302)

1 - Save a history of DNS resolutions like Archive.org does for all important websites

2 - Wait for the government to censor

3 - Get loads of visitors to your site to get the last cached IP, while the site owner updates his site to redirect visitors to the new domain name

4 - Profit!

Non Profit (2, Interesting)

retech (1228598) | more than 3 years ago | (#34383358)

So by a non profit organization they actually mean that when their bills are paid their salary just keeps increasing? This is just as much a scam as the single family owned and operated ISBN system. It's a wonder that anyone on this planet trusts a US based business anymore.

sh1t!? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34383380)

Ago, mAny oF you

ICANN is mostly lawyers (1)

snsh (968808) | more than 3 years ago | (#34383500)

ICANN started out as real geeks, then became a bunch of fake geeks, now is a bunch of lawyers, and is destined to become a bunch of business executives until it finally becomes a bunch of ex-elected officials. That's how these organizations evolve once they become responsible for handling real power.

The internet belongs to the world... (1, Interesting)

Camael (1048726) | more than 3 years ago | (#34383734)

...and its running should not be subject to the whims of any organisation like IFPI or RIAA, nor the arbitrary laws of any country, even the US of A.

Do it, now.

OpenNIC (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34383856)

Instead of starting another alt-root DNS system, would it not be better to work cooperatively with an already heavily established alt-root system, such as OpenNIC (http://opennicproject.org), they've proven previously that, unlike ICANN, they have a working democratic system to their DNS management!
