It’s time to end the DNS scam

That’s right, DNS is a scam.

When you register a domain, they’re selling you air.

This new DNS “shakeup” is even worse.

To understand this we have to jump into the way back machine and take a jaunt to the early days of the Internet.

Every computer on the Internet has an IP address. Back in the 70s, when there were only three computers on the Internet, it was easy to remember their numbers. Unfortunately most humans suck at remembering long strings of arbitrary numbers. It’s a lot easier to remember snarkybytes.com than 174.122.2.87, so the geniuses at ARPANET invented the hosts file. The hosts file matched a name to an IP address. That worked great until the early 80s, when the Internet had grown to the point that the hosts file was getting hard to manage. Along came DNS, a nifty new hierarchical, distributed hosts-file replacement. DNS matches a name to an IP address just like the hosts file, but each domain (for instance snarkybytes.com) maintains its own name-to-IP-address records. A central authority, ICANN, decides what top-level domains will be allowed on the Internet and sells name registration franchises.
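To make the flat-file-versus-hierarchy point concrete, here is an added example (not code from the original post): a parser for the real hosts-file format next to a toy iterative resolver that walks a delegation chain from the root, to the TLD zone, to the domain’s own zone. The hosts text and the zone tree are constructed for illustration; the only real value is the 174.122.2.87 address quoted above. The last function shows why the root matters: a resolver whose root has no `com` delegation cannot reach any `.com` name, no matter what the domain’s own records say.

```python
from __future__ import annotations

from typing import Optional

# Constructed hosts-file text in the standard /etc/hosts layout:
# "IP name [alias ...]", with '#' starting a comment.
HOSTS_TEXT = """
# constructed sample hosts file (not a real system file)
127.0.0.1    localhost
174.122.2.87 snarkybytes.com www.snarkybytes.com
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Parse hosts-file text into a flat name -> IP table (names lowercased)."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


HOSTS_TABLE = parse_hosts(HOSTS_TEXT)

# Constructed delegation tree. Each zone maps a label either to an IP string
# (an address record) or to a nested dict (a delegation to a child zone).
# "@" holds the address of the zone apex itself, e.g. snarkybytes.com.
ROOT_ZONE: dict = {
    "com": {
        "snarkybytes": {"@": "174.122.2.87", "www": "174.122.2.87"},
    },
    "org": {},
}


def resolve(name: str, root: dict = ROOT_ZONE) -> tuple[Optional[str], list[str]]:
    """Walk the delegation chain for `name`, right-to-left label by label.

    Returns (ip, zones_consulted). ip is None when a label is missing, which
    is the hierarchical analogue of NXDOMAIN.
    """
    labels = name.lower().rstrip(".").split(".")
    zone = root
    consulted = ["."]  # every lookup starts at the root
    for depth, label in enumerate(reversed(labels)):
        entry = zone.get(label)
        if entry is None:
            return None, consulted
        if isinstance(entry, dict):
            zone = entry  # delegated: descend into the child zone
            consulted.append(".".join(labels[len(labels) - depth - 1:]) + ".")
            continue
        # An address record ends the walk; it is only an answer for the last label.
        if depth == len(labels) - 1:
            return entry, consulted
        return None, consulted
    return zone.get("@"), consulted


def lookup(name: str, hosts: dict[str, str] = HOSTS_TABLE,
           root: dict = ROOT_ZONE) -> tuple[Optional[str], str]:
    """Hosts file first, then the hierarchy, mirroring the usual resolver order."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    ip, _ = resolve(key, root)
    return ip, "dns"


if __name__ == "__main__":
    for n in ("localhost", "www.snarkybytes.com", "snarkybytes.com", "example.org"):
        print(n, lookup(n))
    # A root that never delegated "com" takes every .com name with it.
    print("snarkybytes.com with no com delegation:", resolve("snarkybytes.com", {"org": {}}))
```

The `consulted` list returned by `resolve` is the part worth reading: every name, whatever zone owns it, is reachable only through the entries that the root (and then the TLD) chooses to publish, which is exactly the central point of control the post is complaining about.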

The bottom line: All DNS does is match a name to an IP address. It’s the IP address that actually gets you somewhere on the Internet. Unlike the IPv4 address limit of around 4 billion addresses, there is no actual limit on DNS names. There’s no limit on Top Level Domains. Other than politics and the desire to create artificial scarcity (money) there’s no reason at all to limit the number of TLDs. So when you see ICANN announce new top level domains for ONLY $185,000 you know it’s all about the money. I’m not normally one to begrudge anyone a profit but in this case I’m gonna begrudge. One, ICANN is a non-profit organization. Two, these TLDs don’t cost anything*. ICANN is creating something out of thin air and charging a ridiculous amount of money for it. The other side of the ICANN coin is politics. Because it’s under central control, DNS is susceptible to interference from governments. Unlike the Internet itself, which is decentralized and redundant, DNS is controlled by ICANN. It’s too easy, as we’ve seen lately, for governments to use this central control to interfere with Internet access.

Like the hosts file before it, the Internet is outgrowing the DNS system. It’s cumbersome and too susceptible to politics and power games. I’d like to see a more decentralized system replace DNS. It makes no sense that the Internet, the ultimate in decentralization, is hobbled by a centralized DNS.

*Yes, there are minor costs associated with maintaining root name servers but there are only 13 of them and ICANN only runs one. The rest are maintained by various private and government organizations. The cost of running those servers is trivial.


14 Responses to It’s time to end the DNS scam

  1. Ian Argent says:

    How “baked in” to IPv6 is the current DNS scheme? Will he, nil he, we’re going to IPv6

  2. Pingback: It's time to end the DNS scam | SnarkyBytes | DNS Internet

  3. Jason says:

    I’m sorry, this made me laugh.

    Claiming there’s only 13 root nameservers so the cost to run them must be trivial is a bit like claiming that facebook is only one website, so the cost to run it must be trivial. Each one of those 13 is actually a serious cluster of machines. They have a lot of data to manage, must serve it reliably and almost instantaneously, and most of them are under constant attack.

    At some point you need a root authority. Otherwise, anyone can claim to be ‘coke.com’. No matter what technical solutions you come up with, that arbitration will be inherently political, and politics costs money. The human coordination between organizations, and the dispute resolution mechanisms are not insignificant. Think of that $185,000 as a legal retainer, or a performance bond, and all of a sudden, it’s not so large.

    You could probably come up with other ways to do this, but I’m not convinced it would be any cheaper in the long run. Previous attempts at alternate roots have been utter failures. ICANN isn’t perfect, but it mostly works. Since this is an inherently political issue, any revolution will naturally attract some power-hungry and unsavory characters. It would be very easy to end up with something even worse.

  4. alan says:

    I’m more worried about political control than I am about expense. And the $185K can’t be thought of as a legal retainer bond because ICANN doesn’t indemnify anyone. ICANN stays completely out of any trademark or copyright conflicts.

  5. Jake says:

    The cost to run the root servers may not be “trivial,” but (in the US) ICANN charges a fee of $0.18 a year for every .com name. There are currently over 95 million .com domains registered. That works out to over $17 million a year just from .com names. Add in whatever they charge for .net, .org, .info, .biz, etc., and that has to be more than enough to run those 13 servers and the dispute resolution mechanisms you’re talking about.

    The $185,000 fee is ridiculous. Yes, they’ll probably have to expand the infrastructure a bit, but it would only be expansion, not creation – the infrastructure already exists. Considering what they’re offering, that would very quickly pay for itself with a much more modest fee. There are only two reasons for a non-profit in ICANN’s position to charge such a ridiculous fee: either a) they want to limit the applicants to large corporations for some reason, or b) something shady and unethical.

  6. Jake says:

    Just to drive home how ridiculous the $185,000 figure is, it would take less than 100 applications for them to bring in the same amount they make annually from .com registrations and renewals.

  7. alan says:

    And ICANN still only runs one of the root servers. The other 12 are VeriSign (two of them), USC-ISI, Cogent, University of Maryland, NASA, Internet Systems Consortium, Defense Information Systems Agency, U.S. Army Research Lab, Autonomica, RIPE NCC, WIDE Project.

  8. Jason says:

    I’m not saying it is literally a performance bond, or a legal retainer, but it is a political organization, and politics does cost. The people involved generally get paid lawyer-style rates. If you think $185,000 is expensive, have you priced what it costs to hire a good network engineer, including taxes and benefits?

    And yes, they are expanding an existing system. An existing system that was designed for a few dozen TLDs. While the marginal cost of adding one more TLD may be minor, at a certain point you hit scalability issues. We are now talking about hundreds, potentially thousands of TLDs. That’s going to require some pretty hefty back end system and business process redesigns and expansions. Take even simple stuff, like selecting your TLD on a web interface. A drop-down containing all of them used to work. That won’t work with thousands.

    Yes, the $185,000 fee is designed to limit it to large corporations. And that’s a good thing. Just imagine if it was $18.50. You’d have millions of TLDs. Just like domains. At that point, the very concept of a hierarchical domain name system breaks down, because everybody wants to have their own TLD. And suddenly, everybody can afford one. All the load goes to the root, you no longer have a distributed system.

    Frankly, I think custom TLDs are just a bad idea in general, and if they’re going to offer them at all, it should cost millions, just to limit (and pay for) the scalability issues. DNS was not designed with this in mind, and there’s no reason besides vanity and marketing to offer it. But if we are going to do it, ICANN should charge all the market will bear, and then some. This is too important to cheap out on. There’s only one chance to do this, and it’s better to collect too much money than not enough. The continued existence of the internet does not depend on you getting a vanity TLD. It does depend on DNS staying up.

  9. Jason says:

    Oh, and while ICANN does not currently get into disputes, that’s largely because they don’t sell custom TLDs. As soon as they do, they’re going to have to decide who gets ‘.coke’. And some Russian mobster is probably going to try to register ‘.chase’ and ‘.wellsfargo’. All of a sudden they have this whole can of worms opened that wasn’t open before, and will need a whole new level of customer service and legal infrastructure to deal with it. $185,000 really isn’t enough.

    While you can say “This just proves we need to get rid of them”, any replacement form of internet governance is going to have to deal with the exact same issues, and it’s not going to be any cheaper or easier for them. That’s not even considering the cost of the transition.

  10. Eseell says:

    Ian, IPv6 and DNS are completely separate in that IPv6 does not require DNS in order to operate to any greater degree than any other network protocol. IPv6 depends on DNS because some people find the addresses harder to remember, but there’s nothing in the protocol itself that prevents users from depending on some other similar name resolution system that accomplishes the same ends. Good luck getting the Internet to move to another system in under a decade, though.

    Jason, I think the cost of running a root server is trivial if you are already a multi-homed organization. If you want to just up and run a root server for the sake of running one, yes the costs would be at least tens of thousands of dollars per month, but the orgs that run root servers have to pay those costs whether they run a server or not. The server by itself costs almost nothing and DNS bandwidth consumption is negligible, even for large deployments. It’s the reliable connectivity that costs.

  11. Jason says:

    Eseell, a real DNS cluster isn’t “the server”. It’s multiple racks or more of redundant servers, load balancers, firewalls, monitors, and routers. All of which must be powered and air conditioned. And all of which has an MTBF and must be monitored 24/7, serviced and replaced on a regular basis. Bandwidth is only one of many costs involved, and that’s not insignificant in the kind of volumes root servers see. A fraction of the whole internet’s queries is a metric fuckton of traffic. And that’s just the legitimate stuff. Never mind the attacks. Which you also have to be able to handle.

    And that’s just the DNS itself. The public facing side. There’s a lot more going on behind the scenes. Stuff your computer and browser know nothing about, and aren’t part of the published specs because it happens between registrar and ICANN and the roots. There’s security to think about. There are legal arrangements.

    And all of this runs on pure liquid $.

  12. Eseell says:

    Jason, I’ve seen some of the DNS root servers in person. They are a lot less complex than you think.

  13. SEAN HERT says:

    What’s really interesting to me is, since they are a non-profit, their 990 (tax return) is public record, and available. Makes for interesting reading: $53 MILLION in net assets for FYE 2009.

  14. Ian Argent says:

    Well, as an at least semi-independent organization, that means they can afford a lot of lawyer if it becomes necessary. Or, for that matter, if it becomes necessary to substitute $ for t in an equation.
