Nothing But Net
Mark McFadden on DNS at Risk
- By Scott Bekker
That old workhorse, the Domain Name System (DNS), has been much in the news lately. You’ve no doubt heard that new, generic top-level domain names have been approved. Now, the tried-and-true top-level domains, ".com," ".net" and ".org," are joined by five specialty domains, ".aero," ".coop," ".museum," ".name," and ".pro," as well as two general suffixes, ".biz" and ".info," that will be available to anyone.
There’s plenty of controversy over the addition of new top-level domains, but I’ll let you in on a little secret: the DNS is in real danger of being a victim of its own success. And it has nothing to do with those new top-level domains.
The domain name system is simply a distributed database that responds to requests to look up IP addresses. At least that’s what it was in the beginning. In the last three years the DNS has been incrementally altered with new and often useful features. As time goes on, the complexity and overhead of the DNS grows as each new feature is added on top of an already complex system.
One example is Dynamic DNS. The Domain Name System was originally designed to support queries against a statically configured database. While the data was expected to change, the frequency of those changes was expected to be fairly low, and all updates were applied against an external Master File. The addition of Dynamic DNS makes it possible to add or delete DNS resource records from the database on the fly.
Obviously, there needs to be security for those dynamic updates -- otherwise, anyone could add, delete or hijack DNS names from the DNS database. Dynamic DNS solves this problem by storing digital signatures in the DNS as a special resource record. DNS security also permits the storage of public keys in the DNS.
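The two paragraphs above describe the problem (anyone could add, delete or hijack names with an unauthenticated dynamic update) and the shape of the fix (a signature carried in a special resource record). The following is an added example, not code from the column or from any DNS vendor: it builds an RFC 2136 UPDATE message on the wire, authenticates it the way most dynamic-update deployments do, with a TSIG record (RFC 2845: a keyed HMAC appended as the last additional-section RR, rather than the public-key SIG record the column alludes to), and then runs the server-side check that decides whether the update may touch the zone. The zone name, key name and secret are constructed for the demonstration; nothing here talks to a real name server.

```python
import hashlib
import hmac
import struct
import time

# Wire constants from RFC 1035, RFC 2136 (UPDATE) and RFC 2845 (TSIG)
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG_HMAC_SHA256 = "hmac-sha256."   # the algorithm is identified by a DNS name


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS labels (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf: bytes, pos: int):
    """Parse an uncompressed name at pos; returns (dotted name, next offset)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode("ascii"))
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1


def skip_name(buf: bytes, pos: int) -> int:
    """Offset just past the name at pos (a compression pointer ends the name)."""
    while buf[pos]:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1


def rr(name, rtype, rclass, ttl, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, msg_id, adds=(), deletes=()) -> bytes:
    """RFC 2136 UPDATE: adds = [(name, ipv4, ttl)], deletes = [name] (drops that name's A RRset)."""
    body = b"".join(rr(n, TYPE_A, CLASS_ANY, 0, b"") for n in deletes)   # class ANY, TTL 0, no rdata
    body += b"".join(rr(n, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ip.split(".")))
                     for n, ip, ttl in adds)
    # header: ID, flags (opcode UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(deletes) + len(adds), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + body


def tsig_variables(key_name, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG fields covered by the MAC, in the order RFC 2845 section 3.4.2 lists them."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_HMAC_SHA256) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_update(msg: bytes, key_name: str, secret: bytes, time_signed=None, fudge=300) -> bytes:
    """Append a TSIG RR (HMAC-SHA256 over message + TSIG variables) and bump ADCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG_HMAC_SHA256) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)


def verify_update(signed: bytes, keyring: dict, now=None):
    """Server-side TSIG check; returns (accepted, reason). keyring maps key name -> secret."""
    now = int(time.time()) if now is None else now
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False, "unsigned: refuse the update"
    pos = 12
    for _ in range(zo):                        # zone section entries: name, type, class
        pos = skip_name(signed, pos) + 4
    for _ in range(pr + up + ad - 1):          # every RR before the trailing TSIG
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = decode_name(signed, pos)
    if struct.unpack("!H", signed[pos:pos + 2])[0] != TYPE_TSIG:
        return False, "last additional RR is not a TSIG"
    alg, pos = decode_name(signed, pos + 10)   # skip type, class, TTL, RDLENGTH
    if alg != ALG_HMAC_SHA256:
        return False, "unsupported TSIG algorithm " + alg
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    secret = keyring.get(key_name.lower())
    if secret is None:
        return False, "unknown key " + key_name
    # Recreate exactly what the signer MACed: ADCOUNT without the TSIG, message cut before it
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC: message or key does not match"
    if abs(now - time_signed) > fudge:
        return False, "time signed outside fudge window"
    return True, "ok"


if __name__ == "__main__":
    keyring = {"update-key.example.com.": b"constructed-demo-secret"}   # constructed, not a real key
    msg = build_update("example.com.", 0x1234, adds=[("host.example.com.", "192.0.2.10", 300)],
                       deletes=["old.example.com."])
    signed = sign_update(msg, "update-key.example.com.", keyring["update-key.example.com."])
    print(verify_update(signed, keyring))      # (True, 'ok')
    print(verify_update(msg, keyring))         # unsigned: refused
    forged = signed.replace(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 99]), 1)
    print(verify_update(forged, keyring))      # bad MAC: a changed address is detected
```

The point the column makes shows up in `verify_update`: an update with no TSIG, one whose body was altered after signing, one signed under a key the server does not know, and one whose timestamp falls outside the fudge window are all refused before anything is written to the zone. Key names are compared case-insensitively and the MAC is checked with a constant-time comparison, as a real resolver or authoritative server would.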
That’s great -- Dynamic DNS and DNS security are good things -- but notice how things other than names and IP addresses are starting to populate the DNS. Today the DNS is home to geographic locators, digital certificates, IP version 6 addresses, and even access control lists.
My favorite example of overloading the DNS is the new push for internationalization. Several organizations are working on schemes to allow the DNS to support international character sets. Last month Verisign announced it would begin accepting Web addresses written in Chinese, as well as Japanese and Korean. Almost immediately China's Network Information Center, the government agency that oversees the national registry in China, responded by unveiling a competing system.
Officials quoted in China's state-run media called the system China’s sole legal cyber-registry. The Chinese government’s system threatens to use the same domain names as one of Verisign’s partners, a Singapore-based start-up called idns.Net. That means users in different geographical locations may have Chinese DNS names resolved to different IP
Amazing! Will this be the year that the DNS breaks? I don’t think the sky is falling . . . yet. Still, there’s one thing I’m sure of: the DNS will get plenty of public scrutiny in the next year -- and not just because of new domain names.

--Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at [email protected].
Scott Bekker is editor in chief of Redmond Channel Partner magazine.