
A Future for the DNS

CENTR Feb 22, 2005


Paul Mockapetris, Chief Scientist & Chairman, Nominum
pvm@nominum.com

A Simple Method

WHO?
WHAT?
WHEN?
WHERE?
WHY?

Why do we care about DNS?

Why are Digital Identifiers Important?

Conventions associating one piece of data to another:
> www.nominum.com to see a web page
> "Anna Kournikova" typed into the Google window
> Shell.nominum.com for SSH
> 160.192.177.128.in-addr.arpa for email verification
> pvm@Nominum.com for email
> pvm@a21.com to log on to Amazon
> Dial +1-650-381-6100 on a phone

Anything we type or click on to identify what we want.
The first step in any communication.
DNS is at the base of all of them.
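The in-addr.arpa entry above is the reverse-lookup side of "email verification": a mail receiver maps the connecting address back to a name and then checks that the name maps forward to the same address (forward-confirmed reverse DNS). A PTR record on its own proves nothing, because whoever runs the reverse zone can write any name into it. The following is an added example written for this page, not code from the talk or from Nominum; the zone contents are constructed, the example.com and bank.example names are hypothetical, and `lookup` is a stub standing in for a real resolver. It also handles IPv6 under ip6.arpa, which the slide does not mention.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over a stub resolver.

Added example for this page (not the talk's or Nominum's code). The zone data
is constructed and the example.com / bank.example names are hypothetical.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address
    (in-addr.arpa per RFC 1035, ip6.arpa per RFC 3596)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


# Constructed in-memory zone: (owner name, RR type) -> list of RDATA strings.
ZONE: Dict[Tuple[str, str], List[str]] = {
    # Consistent pair: PTR names a host whose A record is the same address.
    (reverse_name("128.177.192.160"), "PTR"): ["shell.example.com."],
    ("shell.example.com.", "A"): ["128.177.192.160"],
    # Spoofed pair: whoever controls this reverse zone wrote a bank's name
    # into the PTR, but that name's A record points somewhere else.
    (reverse_name("10.0.0.1"), "PTR"): ["mail.bank.example."],
    ("mail.bank.example.", "A"): ["203.0.113.7"],
    # IPv6 pair under ip6.arpa.
    (reverse_name("2001:db8::1"), "PTR"): ["v6.example.com."],
    ("v6.example.com.", "AAAA"): ["2001:db8::1"],
}

Resolver = Callable[[str, str], List[str]]


def lookup(name: str, rtype: str) -> List[str]:
    """Stub resolver over ZONE; swap in a real resolver (e.g. dnspython) for use."""
    return ZONE.get((name.lower(), rtype), [])


def fcrdns(addr: str, resolve: Resolver = lookup) -> Tuple[bool, List[str]]:
    """Return (confirmed, names) for an address.

    Only PTR targets whose forward A/AAAA records include the original
    address are returned; `confirmed` is True iff there is at least one.
    """
    ip = ipaddress.ip_address(addr)
    forward_type = "A" if ip.version == 4 else "AAAA"
    confirmed: List[str] = []
    for name in resolve(reverse_name(addr), "PTR"):
        forward = {ipaddress.ip_address(a) for a in resolve(name, forward_type)}
        if ip in forward:
            confirmed.append(name)
    return bool(confirmed), confirmed


if __name__ == "__main__":
    for a in ("128.177.192.160", "10.0.0.1", "2001:db8::1", "192.0.2.99"):
        print(a, "->", reverse_name(a), fcrdns(a))
```

The spoofed 10.0.0.1 entry is the case that matters: the PTR says "mail.bank.example." but the forward check fails, so the function returns no confirmed name. Substituting a real resolver for `lookup` changes nothing in `fcrdns`; the check stays the same two queries.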

One Way to Evaluate Their Significance

.COM
> Verisign has $6.9 billion market capitalization
> Registrar gets $2+ per name at retail
> Registry (central database) gets $6 per name
> Over 30,000,000 names in .com

Google
> $47 billion market cap

Phone numbers
> In 2002, US phone companies, desperate for cash, raised over $10 billion by selling phone directory operations

Where does DNS fit in the greater scheme of things?

Where Does DNS Belong?

Myths
> The DNS system definition is 21 years old
> DNS only maps names to IP addresses
> It's been replaced by LDAP, Active Directory

Realities
> The foundation of DNS is 21 years old; most of it is newer
  > 10 data types in 1983, over 60 data types today
  > New functions added as well (e.g. DHCP & dynamic update)
> DNS is the Database of the Internet
> LDAP and Active Directory depend on DNS services
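To make the "more than names to addresses" point concrete: a single DNS response can carry several record types, each with its own RDATA layout, and anything that reads it has to understand both the types and the name-compression scheme the 1983 wire format defined. The decoder below is an added example written for this page, not code from the talk, Nominum or any DNS implementation; the response it parses is produced by the small encoder in the same block from constructed example.com records. It covers A, AAAA, NS, PTR, MX and TXT, and it rejects compression-pointer loops, a classic way to wedge a careless parser.

```python
"""Decode a DNS response carrying several record types. Added example for this
page, not code from the talk, Nominum or any resolver; the response is built by
the encoder below from constructed example.com data."""
import ipaddress
import struct
from typing import Dict, List, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
NAME_TYPES = (2, 12)  # RDATA is a single domain name


def encode_name(name: str, seen: Dict[str, int], pos: int) -> bytes:
    """Wire-encode `name` at offset `pos`, compressing suffixes already emitted."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in seen:  # RFC 1035 section 4.1.4 pointer to earlier copy
            return out + struct.pack("!H", 0xC000 | seen[suffix])
        seen[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, answers: List[Tuple[str, int, object]]) -> bytes:
    """Header + one question + the given answers (owner, type, rdata)."""
    seen: Dict[str, int] = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname, seen, len(msg)) + struct.pack("!HH", 255, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner, seen, len(msg))
        hdr = len(msg)
        msg += struct.pack("!HHIH", rtype, 1, 300, 0)  # RDLENGTH patched below
        if rtype in NAME_TYPES:
            body = encode_name(rdata, seen, len(msg))
        elif rtype == 15:  # MX: 16-bit preference, then exchange name
            body = struct.pack("!H", rdata[0]) + encode_name(rdata[1], seen, len(msg) + 2)
        else:
            body = rdata  # A/AAAA/TXT: caller supplies raw RDATA
        msg = msg[:hdr + 8] + struct.pack("!H", len(body)) + body
    return msg


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it).
    A hop budget rejects pointer loops instead of spinning forever."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > len(msg):
                raise ValueError("compression pointer loop")
            if not jumped:
                end, jumped = pos + 2, True
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if jumped else pos)


def parse_response(msg: bytes) -> List[Tuple[str, str, object]]:
    """Return [(owner, type name, decoded RDATA), ...] for the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = read_name(msg, pos)[1] + 4  # skip QNAME, QTYPE, QCLASS
    records = []
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if rtype in (1, 28):  # packed IPv4 / IPv6 address
            value = str(ipaddress.ip_address(rdata))
        elif rtype in NAME_TYPES:  # the name may point back into the message
            value = read_name(msg, pos)[0]
        elif rtype == 15:
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, pos + 2)[0])
        elif rtype == 16:  # TXT: first <character-string>
            value = rdata[1:1 + rdata[0]].decode("ascii")
        else:
            value = rdata
        records.append((owner, TYPE_NAMES.get(rtype, "TYPE%d" % rtype), value))
        pos += rdlen
    return records


# Constructed response: one owner name, five record types, compressed names.
SAMPLE = build_response("example.com.", [
    ("example.com.", 1, bytes([192, 0, 2, 10])),
    ("example.com.", 15, (10, "mail.example.com.")),
    ("example.com.", 16, b"\x0bv=spf1 -all"),
    ("10.2.0.192.in-addr.arpa.", 12, "example.com."),
    ("example.com.", 28, ipaddress.IPv6Address("2001:db8::1").packed),
])


def rejects_pointer_loop() -> bool:
    """A name that is a pointer to itself must raise, not hang."""
    try:
        read_name(bytes(12) + b"\xc0\x0c", 12)
    except ValueError:
        return True
    return False
```

`parse_response(SAMPLE)` yields the A, MX, TXT, PTR and AAAA records in order, with the MX exchange and the PTR target recovered through pointers back to the question name. Real resolvers additionally cap pointer targets to earlier offsets and bound total name length at 255 octets; the hop budget here is the minimum needed to stay safe on hostile input.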

The technology landscape

[Figure: "Early 1980s Theory" shows a single service, X.500. "Today's Reality" shows three layers: Google, UDDI, etc.; AD, LDAP, etc.; DNS. The functions labelled alongside are Searches, Lookups, Schema and Access Control.]

In the beginning, theory said there would be one monolithic service, X.500.

In practice, there are many services & applications, with different properties, at 3 levels:
> Web
> Directory
> DNS

Architectures that Create Digital Identifiers

[Figure: a stack of three layers, DNS; AD, LDAP, etc.; Google, UDDI, etc.]

When should we use DNS?

When is DNS ready?

In 2004:

Public
> 2 million DNS servers on the Internet
> x $500 per server for hardware (at least)
> = $1 billion in hardware

Private
> How many DNS servers on intranets?
> Guesstimate: 10 million

When is DNS the right platform?

             Openness              Speed            Reach                  Data Format          Functions
Web Based    Usually proprietary   Seconds          Internet subset        Varies / any         Search
Directory    Mostly open           10+ millisecond  Single organization    Heavily structured   Lookup, Update
DNS          Open & interoperable  Sub-millisecond  Internet & intranet,   Slightly structured  Lookup, Update
                                                    universal

When DNS fits, use it

The only successful globally-distributed database.

Strengths
> Scalable to Internet size
> Scalable in distribution of authority
> Runs on every Internet platform
> Easy to add new functions (if they fit the DNS model)

Limitations
> Doesn't do searches
> Simple data model
> Software updates must reach clients
> Digital signatures still coming

DNS use is growing exponentially

[Figure: growth curve over a 1983 to 2008 timeline, with successive uses stacked on it: Internet names, Mail (MX) names, Intranet names, Windows 2000 services, SPAM and viruses, IETF Anti-SPAM, RFID tags.]

How large will the DNS platform become?

[Figure: Public DNS and Private DNS, with Service-Oriented Architecture, IP Telephony, RFID Tags and IDNS .com drawn as growth areas around them.]

What needs to be done?

General Answers:
> Make today's implementations live up to the theory
> Let people try new ideas

A historical parallel

Semiconductors               DNS
1947 Transistor              1983 Domain Names, RRs
1958 Integrated Circuit      1993 Dynamic update, DHCP integration
1965 Moore's Law             2005 Security, Performance, Management

2005 Wish List for Enterprises

Managing Admins
> Each admin can do enough, but not too much
> Approval phase
> Log & audit
> Divide responsibility by function, not zone

Integration
> Active Directory
> Router & other configs
> Automatic Fragmentation Controls
> Work with multiple DNS & DHCP server types

2005 Wish List for Service Providers

Guaranteed Service Model
> Moves, adds, changes on the fly
> Update propagation that scales
> Multimaster

Database integration
> Database performance for ANY legal use

Better defense tools
> Against both perfect and imperfect attacks
> Automatic interactions with RIPE/ARIN/APNIC & DNS registries

New Security paradigm
> More than DNSSEC

Multilingual support for those that want it

Virtual enterprise outsourcing

Who will do it?

Who Will Define the Future?

"The best way to predict the future is to invent it."
-Alan Kay

Who is inventing the future of Directories?

> Policy
  > ICANN / UN / ITU / Verisign?
> Technology
  > IETF / ISC / Microsoft / DNS-MODA?
  > EPCGlobal?
> Architects of legacy communities
> Architects of new communities

My Advice

> The regulators need to learn how to play together more nicely, since there will be more additions like E.164.
> Be extremely skeptical of anyone who says "But that would overload the DNS."
> The best way to get new functions is to try new ideas and see if they work, rather than waiting for perfect designs.

A last principle

Good designs come as a menu of independent (technically orthogonal) features, which can be used or ignored independently.

For example, we would be better off if we could separate DNSSEC's
> Signature model
> Chain of trust model
> Nonexistence behaviour

The End
