Nothing But Net

Mark McFadden on DNS at Risk

That old workhorse, the Domain Name System (DNS), has been much in the news lately. You’ve no doubt heard that new, generic top-level domain names have been approved. Now, the tried-and-true top level domains, ".com," ".net" and ".org," are joined by five specialty domains, ".aero," ".coop," ".museum," ".name," and ".pro," as well as two general suffixes, ".biz" and ".info," that will be available to anyone.

There’s plenty of controversy over the addition of new top-level domains, but I’ll let you in on a little secret: the DNS is in real danger of being a victim of its own success. And it has nothing to do with those new top-level domains.

The domain name system is simply a distributed database that responds to requests to look up IP addresses. At least that’s what it was in the beginning. In the last three years the DNS has been incrementally altered with new and often useful features. As time goes on, the complexity and overhead of the DNS grows as each new feature is added on the top of an already complex system.

One example is Dynamic DNS. The Domain Name System was originally designed to support queries against a statically configured database. While the data was expected to change, the frequency of those changes was expected to be fairly low, and all updates were applied against an external Master File. The addition of Dynamic DNS makes it possible to add or delete DNS resource records from the database on the fly.

Obviously, there needs to be security for those dynamic updates -- otherwise, anyone could add, delete or hijack DNS names from the DNS database. Dynamic DNS solves this problem by storing digital signatures in the DNS as a special resource record. DNS security also permits the storage of public keys in the DNS.

That’s great -- Dynamic DNS and DNS security are good things -- but notice how things other than names and IP addresses are starting to populate the DNS. Today the DNS is home to geographic locators, digital certificates, IP version 6 addresses, and even access control lists.

My favorite example of overloading the DNS is the new push for internationalization. Several organizations are working on schemes to allow the DNS to support international character sets. Last month Verisign announced it would begin accepting Web addresses written in Chinese, as well as Japanese and Korean. Almost immediately China's Network Information Center, the government agency that oversees the national registry in China, responded by unveiling a competing system.

Officials quoted in China's state-run media called the system China’s sole legal cyber-registry. The Chinese government’s system threatens to use the same domain names as one of Verisign’s partners, a Singapore-based start-up called idns.Net. That means users in different geographical locations may have Chinese DNS names resolved to different IP addresses.

Amazing! Will this be the year that the DNS breaks? I don’t think the sky is falling . . . yet. Still, there’s one thing I’m sure of: the DNS will get plenty of public scrutiny in the next year -- and not just because of new domain names. --Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at [email protected].

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


comments powered by Disqus

Subscribe on YouTube