An alternative DNS: Cool and sexy or wild and scary?
By Monika Ermert, eLance Journalist
There have been calls for another DNS root or a DNS 2.0 in the past. During the SecDispatch WG meeting at IETF 108, Martin Schanzenbach, speaking for a group of GNU developers, presented what they call a privacy-enhancing and “fully decentralized and censorship-resistant name system”.
Their proposal does not require the Internet Corporation for Assigned Names and Numbers (ICANN) to coordinate policies and delegations. The need for such coordination has been the main controversy of DNS governance since the 1990s – so the new proposal might be attractive to some.
GNS, the GNU Name System, proposes to use public/private key pairs to define zones and a distributed hash table (DHT) to store keys and allow for recursive resolution. The authors point to earlier technical work, namely the Simple Distributed Security Infrastructure (SDSI), authored by Ron Rivest and others.
The end game is to get globally mapped names without a trusted central authority: a hyper-local form of name delegation. The petnames chosen by users, together with the public keys, allow people to look up records in the delegated zones. Users could even administer their own zones if they want to.
No unique names
The technology presented includes a set of cryptographic mechanisms intended to make delegation and queries a much more private affair than is currently the case. With no domains revealed, it was “cool and sexy”, as attested by Google’s DNS expert Warren Kumari. But he and others also worry that allowing non-unique ‘pet names’ will confuse users accustomed to DNS. “I would need my version of www.facebook.com to still be the same as Bob’s facebook.com”, Kumari argued.
The GNS developers foresee a bridge to the DNS for their new system. The GNS2DNS record will contain a DNS name for the resolver to make the jump. GNS will live side by side with the DNS, Schanzenbach argued. One project that already intends to use GNS is Secushare, an alternative social media platform.
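To make the resolution model concrete, here is an added, simplified simulation of the petname delegation and GNS2DNS bridge described above (it is not GNS code; real GNS uses elliptic-curve zone keys and encrypted DHT records, whereas the zone keys, the ToyDHT class, the record types and the scenario in build_demo are constructed stand-ins). It also illustrates Kumari's point: two users' petname "facebook" can resolve to different zones.

```python
import hashlib
import secrets

def new_zone_key():
    """Stand-in for a zone's public key (constructed placeholder, not a real key pair)."""
    return secrets.token_hex(32)

def dht_key(zone_pub, label):
    """Query key derived from zone key and label, so the DHT never sees the plaintext name."""
    return hashlib.sha256(f"{zone_pub}/{label}".encode()).hexdigest()

class ToyDHT:
    """In-memory stand-in for the distributed hash table: query key -> (type, value)."""
    def __init__(self):
        self.store = {}
    def publish(self, zone_pub, label, rtype, value):
        self.store[dht_key(zone_pub, label)] = (rtype, value)
    def lookup(self, zone_pub, label):
        return self.store.get(dht_key(zone_pub, label))

def resolve(dht, start_zone, name, dns_resolver, max_hops=8):
    """Recursive resolution starting in the user's own zone, consuming labels right to left.
    PKEY delegates to another zone's key; GNS2DNS hands the remaining labels to the DNS."""
    labels, zone = name.split("."), start_zone
    for _ in range(max_hops):
        if not labels:
            return ("PKEY", zone)            # name ends at a zone key itself
        rec = dht.lookup(zone, labels.pop())
        if rec is None:
            return None                      # no such petname in this zone
        rtype, value = rec
        if rtype == "PKEY":
            zone = value                     # continue in the delegated zone
        elif rtype == "GNS2DNS":
            return ("DNS", dns_resolver(".".join(labels + [value])))
        else:
            return (rtype, value)            # terminal record, e.g. an address
    return None                              # delegation loop or chain too deep

def build_demo():
    """Constructed scenario: Alice and Bob both pick the petname 'facebook' for different zones."""
    dht, alice, bob = ToyDHT(), new_zone_key(), new_zone_key()
    site_a, site_b = new_zone_key(), new_zone_key()
    dht.publish(alice, "facebook", "PKEY", site_a)
    dht.publish(bob, "facebook", "PKEY", site_b)
    dht.publish(site_a, "www", "A", "192.0.2.1")
    dht.publish(site_b, "www", "A", "198.51.100.7")
    dht.publish(bob, "corp", "GNS2DNS", "example.com")   # Bob bridges 'corp' to the DNS
    return dht, alice, bob
```

Resolving "www.facebook" from Alice's zone and from Bob's zone yields different addresses, while "www.corp" in Bob's zone hands "www.example.com" to whatever DNS resolver is passed in.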
Alternative naming systems still ‘researchy’
Advantages for privacy and resistance against amplification attacks or zone walking are potentially outweighed by the risks of phishing and of losing zone keys, and with them the respective zone, some experts warn.
Ben Schwartz from Google also brought up other candidates for alternative naming systems, such as a concept from the Ethereum Name Service. He felt the IETF might find it difficult to accept one new DNS alternative and reject others following suit. Instead, he said, the GNS authors could consider applying for a DNS zone with ICANN during the next round of new gTLD applications. While such an application does not come for free, driving the GNS toward standardisation through the IETF process would also cost time and money.
Schanzenbach reminded the group that the GNS had tried the special TLD avenue with the IETF before. Unlike .onion, .gns – along with a number of other zones – was rejected by the IETF at the time. He also pointed to the intrinsic difficulties of anchoring a decentralised naming system under a central root.
So far, the GNS has been developed by academic researchers. “We want to graduate from that”, Schanzenbach said. The group received funding from NLnet Labs to turn their technology into an IETF document, and was not deterred by the objections or by a warning from former IAB Chair Ted Hardie that making the draft proposal a WG item would hand control over changes to WG participants.
Still, for the time being an alternative naming system is meeting with considerable opposition. It may even struggle to survive a BoF. An alternative path is for the GNS to land in the Internet Research Task Force, where a Decentralized Internet Infrastructure Research Group has been set up specifically to investigate internet technologies with the kind of features proposed by the GNS. “If you call for standardisation, we won't do it here”, Eric Rescorla, CTO of Mozilla, said during the session.