Re: Proposal, open up .arpa

On Sat, Dec 25, 2021 at 11:57 PM John C Klensin <john-ietf@xxxxxxx> wrote:
> ... But, again, there is no inherent problem with the
> DNS that justifies what you are suggesting even though there may
> be multiple practical problems in the current DNS operational
> and management environment.

My design method has three steps.

1) Identify the problem to be addressed
2) Address that problem ignoring all legacy infrastructure
3) Decide if deployment is best served by adapting existing infrastructure or building new

Code re-use is massively overrated. If there is a chance to erase 40 year old mistakes with new infrastructure I will always take it. Absolutely the only reason to build on antiques is that they make deployment easier because they are already deployed.

The telephone infrastructure is dying. Junk calls that wake people up in the night are much more serious than email spam. Email is dying. And right now, the only alternatives on the table are proprietary schemes created by over-promoted middle managers who imagine the powers that run this world are going to allow a proprietary private interest to establish a monopoly on communications. 
DNS is not a viable discovery service to replace telephone numbers. So someone must build something that is. Only an open service can be viable in the long run. 


DNS wouldn't have survived this long if the flaws had been easy to spot. The ones I see are

1) Faux hierarchy
2) Registries provide the query service
3) Security is an afterthought

Faux hierarchy

As far as the hierarchy thing goes, I see only negative value in the partition of the root. com/net/org was a mistake, CC domains a blunder, and new TLDs a rent-seeking racket.

The only purpose of the new TLDs is to extract rents from owners of major brands. From a technical point of view, the DNS would work just fine if every TLD apart from .com was dropped out of the root. VRSN has more than enough capacity. (And no, I do not hold any VRSN stock, I liquidated all my holdings last year.)

There are only O(10^10) people in the world. The Latin alphabet has 26 characters (and there are roughly a dozen widely used alphabets). There is really no need for registered names to be more than a dozen letters long to be unique even with O(10^12) names.

All hierarchy does is introduce gatekeepers and require people to register in each branch of the tree.

Registries provide the query service

DNS registries are not public so the only party that is able to offer query service is the registry itself. This makes the registry a big fat target for anyone wanting to 'bring down the net'. And the vast majority of the cost of running a DNS registry comes from dealing with DDoS.

The registry cannot restrict the community it serves to mitigate DDoS attack. Moving query service to the Mesh Service providers offloads all the maintenance costs from the registry, making names-for-life possible. It also allows the service provider to deal with abusive customers by ignoring/rate-limiting their queries.

The key to stopping Internet crime is to increase the cost to the attacker and/or reduce the payoff. Moving the registry service does both.


Security is an afterthought

The primary function of the callsign service is that it is a PKI. The fact that every name is bound to the controlling root of trust by definition is what allows it to operate without trusted third parties.

I spent 25 years trying to make the CA based model work for people. It doesn't work for a very simple reason: Corporations exist by government fiat, humans do not. There might be a way to make the CA model work but I am not the only person who tried and nobody else made it work either. I am not aware of anyone else even trying.

Binding names a-priori just works. But only if you begin allocating names a-priori from the very start. It is not possible to retrofit this approach to either telephone numbers or DNS.


The Mesh code is now running outside the development environment and the documentation is nearly ready. The only thing missing at this point for the phase 0 release is to make the demonstration reel. This only uses DNS discovery, the callsign system won't be deployed for a while yet.


I do have running code to secure data at rest. I am not aware of anyone else even attempting to address that problem.
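The "binding names a-priori" point above (every name tied to its controlling root of trust from the moment it is allocated, so no trusted third party is needed to vouch for it) is easiest to see in code. The following is an added illustration written for this archive page; it is not the Mesh code and not the poster's design. It models a flat, hierarchy-free registry in which the first registration of a name binds it to the fingerprint of the registrant's public key, and every later assertion about that name is accepted only if it is signed by that key. The names "alice" and "mallory", the registry class and the payload are all hypothetical, and Lamport one-time signatures over SHA-256 are used purely so the example runs on the Python standard library; a real callsign service would use an ordinary signature scheme. The `distinct_names` helper just carries the post's arithmetic about namespace size (26 letters, a dozen characters) through to a number.

```python
import hashlib
import os

# Added illustration: an a-priori-bound name registry. The name is tied to the
# registrant's public-key fingerprint at first registration and cannot be
# rebound by anyone who does not hold that key. Lamport one-time signatures
# (SHA-256, stdlib only) stand in for whatever signature scheme a real
# callsign service would use; this is not the Mesh code.

H = hashlib.sha256
BITS = 256


def lamport_keygen():
    """Return (secret_key, public_key) for a one-time Lamport signature."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest_int, i):
    return (digest_int >> (BITS - 1 - i)) & 1


def lamport_sign(sk, msg):
    """Reveal one preimage per message bit. Use each key for ONE message only."""
    d = int.from_bytes(H(msg).digest(), "big")
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def lamport_verify(pk, msg, sig):
    d = int.from_bytes(H(msg).digest(), "big")
    return len(sig) == BITS and all(
        H(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS)
    )


def fingerprint(pk):
    """Root-of-trust identifier: hash of the whole public key."""
    return H(b"".join(a + b for a, b in pk)).hexdigest()


def bound_message(name, payload):
    # Tie every assertion to the name it is about, so a signature made for one
    # callsign cannot be replayed as an assertion about another.
    return name.lower().encode() + b"\x00" + payload


class CallsignRegistry:
    """First registration wins; the name is permanently bound to that key."""

    def __init__(self):
        self._bindings = {}          # name -> fingerprint of the controlling key

    def register(self, name, pk):
        name = name.lower()
        if name in self._bindings:   # no re-registration, no transfer without the key
            return False
        self._bindings[name] = fingerprint(pk)
        return True

    def fingerprint_of(self, name):
        return self._bindings.get(name.lower())

    def verify_claim(self, name, pk, payload, sig):
        """Accept an assertion about `name` only if signed by the bound key."""
        fp = self._bindings.get(name.lower())
        if fp is None or fingerprint(pk) != fp:
            return False             # unknown name or wrong root of trust
        return lamport_verify(pk, bound_message(name, payload), sig)


def distinct_names(alphabet_size=26, length=12):
    """Size of a flat namespace: 26^12 is far above the post's 10^12 names."""
    return alphabet_size ** length


def demo():
    """Registration, one genuine claim, then two claims that must be rejected."""
    reg = CallsignRegistry()
    alice_sk, alice_pk = lamport_keygen()      # hypothetical registrant
    mallory_sk, mallory_pk = lamport_keygen()  # hypothetical impostor
    payload = b"contact=alice@example.com"      # constructed sample assertion

    registered = reg.register("alice", alice_pk)
    rebind = reg.register("Alice", mallory_pk)  # same name, different key: refused

    alice_sig = lamport_sign(alice_sk, bound_message("alice", payload))
    genuine = reg.verify_claim("alice", alice_pk, payload, alice_sig)

    mallory_sig = lamport_sign(mallory_sk, bound_message("alice", payload))
    impostor = reg.verify_claim("alice", mallory_pk, payload, mallory_sig)

    tampered = reg.verify_claim("alice", alice_pk, b"contact=mallory@example.com", alice_sig)
    return registered, rebind, genuine, impostor, tampered


if __name__ == "__main__":
    print(demo())                     # (True, False, True, False, False)
```

The registry holds nothing but name-to-fingerprint bindings, which is what lets query service be served by anyone holding a copy rather than only by the registry: a relying party checks the fingerprint and the signature itself, so a stale or hostile mirror can at worst withhold a binding, not forge one. The one-time nature of Lamport keys is a limitation of the stand-in scheme, not of the binding idea.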
