"Plz stop saying I'm the guy behind the new DNS-system. I'm just one of lots of people with interest in it. Everyone does their part!" - [TPB co-founder]
I really hope all of this dns dustup is really about showing ICANN and the powers that be that they shouldn't risk fracturing the Internet by hijacking domains the way they did.
The alternative - actually wanting to split a bunch of users onto a new set of root servers and inventing a brand new method of peer to peer zone transfers seems overly complex and filled with potential pitfalls.
While this may be a bit overstated, when arguing against COICA the IEEE had this to say about fragmentation:
These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them. These problems will be widespread and will affect sites other than those blacklisted by the American government.
Is there a need for all new roots? One option might be just to have various recursive resolvers available for people to switch to aka opendns or google, but these could be delegated as secondaries by worried domain holders and thus return authoritative without consulting root servers. Signed zones could prevent tampering. If they really want to run software on the client it could be stuff that's already built - a small validating resolver that could send most lookups to the user's isp but query the alternate provider for a specific tld or when validation using DLV fails.
The spit-balling about the design of this thing has given me flashbacks to 25 years ago when manually replicated host files ruled the day (and it sucked). I totally agree that not being able to trust the roots is a big problem, but there must be a better way to go about this than having me run some custom software on every one of my clients (and hope it's not a new attack vector) just in case a site that I use might get hijacked by the feds in the future.
Instead of snapshots of how a domain's webpage looked throughout time, you have snapshots of what ip address a domain mapped to, throughout time.
Make it opt-in. Hell, maybe even charge for it.
Make a REST interface that can be queried by browser plugins, other websites, etc., that allows people to obtain the old IP address if it suddenly changes.
Now you haven't broken anything and have provided those who need it with a way to find you, even after a government interference.
You could even make it retroactive. If somebody takes control of your domain, and you didn't opt in to the service before hand, you then submit your actual IP address to the service. The service only accepts requests for IP changes that originate from that actual IP address to prevent unauthorized changes.
It seems like this could be a good opportunity for us to make good use of newly available technologies. Not exactly sure how it would work yet but a Distributed DNS system could be implemented using CouchDB.
Specifically, CouchDB's ability to distribute databases to clients seems like the ideal feature for this technology.
"CouchDB is a peer based distributed database system. Any number of CouchDB hosts (servers and offline-clients) can have independent “replica copies” of the same database, where applications have full database interactivity (query, add, edit, delete). When back online or on a schedule, database changes are replicated bi-directionally."
This whole story of COICA, domain seizures, and ad-hoc alternatives springing up sounds like the beginning of a cyberpunk novel. Is the US government actually bringing about the dystopian technological future envisioned in so many short stories?
http://twitter.com/brokep/status/9684729515220992