Oblomovka

gmail down; p2p dns

More fuel for the decentralisation fire with Gmail’s downtime today (Google’s apology). Again, as much as these events prompt people to reconsider keeping all their data marooned on Google’s tiny island in the wider Net, it’s not as if anyone has a more reliable service in place — yet.

It also made me think of another reason why you might want a centralised (or radically decentralised) service that didn’t run on your edge of the Network. Central services are terrible for privacy, but can be better in some contexts for anonymity. Creating a throwaway mail account on a central service (or better still, getting somebody else to), and then using Tor or another anonymising service to access it, would provide more temporary anonymity than receiving mail on your own machine (or serving web pages from it). There can also be a big difference between serving and hosting data in an authoritarian regime and holding your information remotely in another, more privacy-friendly or remote, jurisdiction. There’s a good reason why a lot of activists use webmail (and why so many were outraged when Yahoo’s webmail service handed over Shi Tao’s details to the Chinese government).

Tor actually does offer an anonymised service feature, letting you run services from a mystery Tor node and point to them using a fake domain like http://duskgytldkxiuqc6.onion/. If you were using Tor right now, that would lead you to a webpage, served over Tor from an anonymous endpoint. So you can run anonymous services, in theory from the edge. Of course, not everyone is using Tor, so that’s hardly universal provision.

This brings me to another issue that I talked about on Sunday: mapping other non-DNS protocols into the current DNS system. I believe I’ve mentioned before John Gilmore’s semi-serious suggestion a few years back that we grandfather in the current DNS by saying that all current domains are actually in a new, even more top level domain, .icann. — so this would be www.oblomovka.com.icann., allowing us to experiment with new alternatives to DNS, like dannyobrienshomeserver.p2p., or somesuch, in the rest of the namespace.

Other name systems frequently do something like this already: there’s Tor’s .onion fake domain, and Microsoft’s P2P DNS alternative, which resolves to whateveryourhomemachineiscalled.pnrp.net. What neither of those does, however, is offer a gateway mapping for legacy DNS users — a DNS server that would respond to standard DNS queries for those addresses, use the P2P protocol to find the IP, then return it to anyone querying using the existing DNS system. That might be a more backward-friendly system than John’s idea.

In Microsoft’s case, that would be pretty easy, even though apparently they don’t do it right now. Resolving .onion in normal DNS space wouldn’t be possible currently, although I suppose you could hack something up (maybe over IPv6, like PNRP) if you were willing to carry all the traffic (and had asked ICANN nicely for the .onion TLD).

I’m not the first person to think that this might be something that would make an interesting Firefox plugin in the meantime.
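As an added illustration of the gateway idea above (and of the gateway resolvers Lee Maguire sketches in the comments), here is a minimal resolver of that kind; it is example code written for this page, not the post’s own or Microsoft’s or Tor’s. It answers ordinary DNS queries for names under an assumed pseudo-TLD (.p2p, standing in for .pnrp.net or .onion) from a constructed lookup table that takes the place of the real P2P lookup, marks itself authoritative for every answer it returns, and refuses any name outside that TLD so it never becomes a general-purpose resolver or leaks those queries toward the DNS root.

```python
import struct

GATEWAY_TLD = "p2p"  # assumed pseudo-TLD, standing in for .onion or .pnrp.net
# Constructed lookup table standing in for the P2P protocol query (PNRP, Tor, ...).
P2P_NAMES = {"dannyobrienshomeserver.p2p": "192.0.2.10"}

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(txid, qname, qtype=1):
    """Build the one-question query (RD set) an ordinary stub resolver would send."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (txid, lowercased qname, qtype, raw question bytes); raise if malformed."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    labels, pos = [], 12
    while msg[pos] != 0:                      # IndexError here means a truncated name
        n = msg[pos]
        if n >= 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype, msg[12:pos + 5]

def gateway_answer(msg):
    """Answer a standard DNS query the way a gateway to a non-DNS namespace would."""
    txid, qname, qtype, question = parse_query(msg)
    def reply(rcode, answer=b""):
        # QR=1, AA=1: the gateway is authoritative (to DNS-land) for every result;
        # RA=0 because it offers no recursion for anything else.
        return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1 if answer else 0, 0, 0) + question + answer
    if not qname.endswith("." + GATEWAY_TLD):
        return reply(5)                       # REFUSED: never proxy ordinary DNS names
    ip = P2P_NAMES.get(qname)                 # the real gateway would do the P2P lookup here
    if ip is None:
        return reply(3)                       # NXDOMAIN
    if qtype != 1:
        return reply(0)                       # name exists, but no record of that type
    # One A record; the owner name is a pointer (0xC00C) back to the question name.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return reply(0, rr)

def rcode(msg):
    """RCODE of a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF
```

Wrapping `gateway_answer` in a UDP socket loop on port 53 (or any port a local stub resolver forwards the pseudo-TLD to) is all that is missing to try it against a real client.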

6 Responses to “gmail down; p2p dns”

  1. Lee Maguire Says:

    Much as I hate the flattening of the DNS namespace, I don’t think pushing everything down one level is really going to work. You might as well propose switching everything to X.208 OIDs.

    What might be useful is if IANA registered a TLD (I’d pitch .taz) which had the property that all sub-domains are intended to be globally available but that delegation authority is not derived from the DNS resolution chain. At that point it should be slightly easier to hook in special rules into parts of your DNS resolution chain without querying pure DNS servers. (Similar, in theory to how BIND ships with self-delegation for various special-use in-addr.arpa domains.)

  2. Danny O'Brien Says:

    Yes, I agree that’s a more straightforward approach.

  3. Gavin Brown Says:

    Lee: it would not be possible to make subdomains of your special TLD “globally available” without using the existing DNS resolution chain. Without a delegation from the root zone or from the .taz zone, each resolver would need special configuration to know where to go to resolve a given subdomain. That contradicts the idea that the domain would be “globally available” – what you’re effectively doing is creating a walled garden that only those people who have configured their systems can access. In that case, why do you need a TLD? Just create your own clone of the old new.net system.

  4. Lee Maguire Says:

    By globally available, I mean theoretically globally unique and theoretically addressable, as opposed to use of, say, .local in bonjour/zeroconf configurations, or some internal use of RFC2606 reserved TLDs. And yes, it is a walled garden available to those using alternate resolver mechanisms. That’s the idea here.

    The motivation for blessing a TLD like this would be to prevent autonomous namespaces from clashing with the DNS namespace; to prevent requests for multiple TLDs from hitting the DNS root servers; to provide a simple configuration point for redirecting alternate resolution without requiring servers get reconfigured every time a new TLD comes along; to provide a single point where software can choose to reject autonomous names.

    The idea is that you would have resolvers that act as gateway systems to a non-DNS namespace and as such each resolver is authoritative (to DNS-land) for every result.

    This can happen at an app plugin level (a la new.net), at a system resolver library level, or at an external resolver level. Or external resolvers can choose to delegate the TLD to a service that will provide the gateway resolving.

    (Does the existence of a .onion pseudo-TLD right now mean that .onion is unable to be registered as a proper DNS TLD? No, but engineers do usually make an effort to avoid actions with known problems if possible.)

  5. Lee Maguire Says:

    A good reason for not putting autonomous addresses in the DNS proper, is that the server operators immediately become available for the legal DoS technique seen used against the registrar (as opposed to the registrant) of wikileaks.org in February.

    It’s no longer the case for the domain I’m thinking of, but there was an .org.uk domain that (for a while) had its registrar Tag set to null by Nominet. The website was served from the US and the DNS was served from the US. A particular UK litigant suggested legal approaches to the (UK based) Tag holder in complaint to the contents of the website – this despite the fact that the only technical control they had was to re-delegate the authoritative nameservers for the domain.

    Just imagine being held responsible for the content available via TOR, or Freenet, etc.

  6. Gurudatt Says:

    I work with NetAlter which is developing such a system. It is called NetAlter Service Browser. We have also applied for a patent on our technology.
