Tuesday, June 22, 2010

A call to open source developers: Let's eliminate ICANN.

In the field of Internet development - ICANN and Network Solutions/Verisign are eyesores. There is a very unhealthy relationship between the two organizations and ICANN holds a monopoly on the Internet as a whole by holding the domain name infrastructure hostage.

On July 1, 2010, a price hike for .COM and .NET domain names will take place (VeriSign is the sole registry operator for those TLDs, so every registrar passes its wholesale price through). That means it will cost more to purchase and maintain those types of domain names.

The core problem is the Domain Name System (DNS) as a whole. It was designed in the dark ages of the Internet by a bunch of nerds to map a name to an IP address. Registration was originally handled by the InterNIC, and that role passed to ICANN in 1998 through various transitions - or at least that is the best I can explain it in a single sentence. The original Internet (ARPANET) was supposedly designed to be robust in the event of nuclear war, and people like it for its supposed anonymity. Basically, the Internet was a United States Department of Defense project and it was robust enough at one time. Now the Internet is mostly commercialized, and that means consolidation and therefore no longer capable of withstanding nuclear attack - or so I read somewhere. I digress. However, the United States, in essence, still owns the entire Internet because ICANN has an unhealthy relationship with the Internet as a whole - it is a U.S. "non-profit" organization that operates under agreements with the U.S. Department of Commerce, which, in turn, reports directly to the President of the United States.

In other news, if current legislation passes, it will become possible for the President to virtually turn off the Internet for entire countries because everyone relies on DNS to map domain names to IP addresses. The root servers do not carry entries for individual websites; they hold only the delegations of the top-level domains, and the root zone itself is edited through a process in which ICANN (as the IANA operator), the Department of Commerce and VeriSign all have a hand. So if the legislation passes and there are enough "loopholes", the lever is blunter than deleting sites one by one: have the target country's country-code TLD delegation removed or suspended from the root zone, and every business and government name under it stops resolving as soon as caches expire. ICANN could potentially have no recourse and therefore it would be "goodbye [country name goes here], nice knowing you". Not that it would ever happen. If it did happen, there would be a massive backlash, someone would deface the whitehouse.gov website, and a lot of backpedaling would take place.

Anyway...back to the actual topic.

In essence, purchasing a domain name is simply renting a sequence of human-readable letters, numbers, hyphens, and periods. You can never truly "own" the domain. But, more importantly, DNS is a creaky mess and rather poorly designed. Very few people truly understand how DNS operates, myself included, but this much I do know: There should not be one single organization dictating who owns what domain. But it really is much simpler than that: There should not even be a domain name system at all.

The purpose of DNS was to apply hierarchical, human-readable labels to an IP address. While it worked fairly well for a while, it has become a disaster. There is a whole slew of record types (A, AAAA, CNAME, MX, TXT records carrying SPF and DomainKeys policies, etc.) that are more confusing than useful. And .com, .net, .org, .co.uk, .xyz, .yourmom, www., etc. are increasingly meaningless and confuse most users. And with DNSSEC being deployed in the root zone next month as well (which adds still more record types: DNSKEY, RRSIG, DS and NSEC), there will potentially be a lot of broken infrastructure.

Here is what I want to see happen: Throw out DNS in favor of a cloud-based approach. Surely some of the technology surrounding the latest cloud-based computing initiatives can be applied to the basic underpinnings of the Internet. It would free the Internet from the tyranny of ICANN and every domain name registrar on the planet in the process. Registrars are expensive and greedy!

One of the things I also want to see go away is all the '.' nonsense. We need to stop thinking in terms of '.com'. It is only required because ICANN says so and they are constantly putting out new TLD extensions, which means defending a brand via the domain name system alone is nearly impossible unless you have millions of dollars burning a hole in your pocket. Most businesses know exactly what I mean.

Also, WHOIS needs to vanish. Under ICANN, correct WHOIS information is a requirement. Most people (mostly individuals) who register a domain do not realize that their personal information is being published to a publicly searchable, indexable database: name, address, phone number, e-mail address. They might as well publish the person's social security number, a few bank accounts, and several credit cards in the process. Services have cropped up to replace public information and "privatize" it with other information. However, under ICANN rules, doing this effectively makes those companies the registrant of record - that is, the owner - of the domain! Plus you have to pay them extra beyond the cost of the domain. So you are paying someone else to own your domain for you so that information which should have been private in the first place is actually private...which doesn't make ANY sense. Public information in WHOIS is used by spammers, telemarketers, creepy stalkers, former employers, and competitors to harass and spy on both individuals and businesses. And who knows what governments do with the information! This invasion of privacy is completely unacceptable. On top of that, incorrect WHOIS information is grounds for letting someone else take your domain name. Wikipedia tries to give WHOIS a positive spin by saying that law enforcement benefits from this invasion of privacy. Great - so what is MY benefit?

I said before that the DNS system is old and crusty. So old in fact that it can't handle Unicode natively: a label may only use 37 characters (a-z, 0-9, and the hyphen). Internationalization of domain names is done via a horrible hack known as Punycode, which squeezes a label's Unicode characters down into that 37-character alphabet and tags the result with an "xn--" prefix, so "bücher" travels over the wire as "xn--bcher-kva". On top of this, each domain name label is limited to 63 octets in that encoded form and the full domain name can't be longer than 253 characters. When you start talking international Unicode mappings, the prefix plus the encoding overhead (typically about three octets per distinct CJK character) make the 63 character limit look more like 15 to 20 characters.
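To make that arithmetic concrete, here is an added example (mine, not code from the original post) that converts a Unicode host name to the ASCII form a resolver actually sends and reports which of the two length limits it breaks. It uses Python's built-in punycode codec; the NFC-normalise-and-lowercase step is a stand-in for the full IDNA mapping (an assumption, noted in the code), and every sample name is constructed.

```python
import unicodedata

MAX_LABEL_OCTETS = 63   # limit on each label in its ASCII form
MAX_NAME_CHARS = 253    # limit on the whole name in presentation form (dots included, no trailing dot)
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # the 37 characters a label may contain


def to_ascii_label(label: str) -> str:
    """Return the ASCII form of one label.

    Plain LDH labels pass through unchanged; anything else is Punycode-encoded
    and prefixed with "xn--", which is what IDNA does.  ASSUMPTION: real IDNA
    applies the full nameprep/IDNA2008 mapping; this stand-in only NFC-normalises
    and lower-cases, which is enough for the examples below.
    """
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        if not label or not set(label) <= LDH or label[0] == "-" or label[-1] == "-":
            raise ValueError(f"not a valid LDH label: {label!r}")
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def check_name(name: str) -> dict:
    """Encode a Unicode host name and report which DNS length limits it breaks."""
    ascii_labels = [to_ascii_label(l) for l in name.rstrip(".").split(".")]
    ascii_name = ".".join(ascii_labels)
    octets = [len(l) for l in ascii_labels]
    return {
        "ascii": ascii_name,
        "per_label_octets": octets,
        "labels_ok": all(n <= MAX_LABEL_OCTETS for n in octets),
        "name_ok": len(ascii_name) <= MAX_NAME_CHARS,
    }


def chars_that_fit(sample: str) -> int:
    """Longest prefix of `sample` that still encodes to a legal 63-octet label.

    Punycode cost depends on the code points involved, so the answer has to be
    measured per string rather than assumed.
    """
    fit = 0
    for n in range(1, len(sample) + 1):
        if len(to_ascii_label(sample[:n])) > MAX_LABEL_OCTETS:
            break
        fit = n
    return fit


if __name__ == "__main__":
    # constructed sample names
    for name in ["bücher.example", "中国.example", "中" * 58 + ".example"]:
        print(name, "->", check_name(name))
    print("copies of 中 that fit in one label:", chars_that_fit("中" * 100))
```

Running it on "中国.example" gives a first label of 10 octets ("xn--fiqs8s") for two characters, which is the roughly-three-per-character cost. Note that a run of identical characters is Punycode's best case (each repeat costs a single octet, so 57 copies of 中 still fit); distinct characters are what eat the budget.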

There needs to be a completely new system built that doesn't rely on ICANN, Network Solutions/Verisign or any other registrar, eliminates WHOIS, takes into account the fact that the Internet is international in nature, and that search engines are the primary means for finding most things these days. This is a task that some smart and creative open source software developers can take on.

Also, there needs to be a way for search engines to hook into this system to get a live feed of data. That would be a huge improvement over the scraping and crawling nature of the web. Google has made great strides in this regard with Sitemaps but I'd rather see this information being pushed to search engines instead of pulled. Pulling information is slow and error-prone. Pushed information can be formalized and result in live and/or near-immediate updates.

Also, this system needs to take into account internal networks, VPNs, and NATs. Maybe improve on the concepts somehow in a sort of Tor network/SSH tunnel way of doing things.

Being able to also declare temporary (optionally secured) resources on a network would be a great improvement over DNS. For example, if you want to send a 100MB file to someone - how do you do that now? E-mail? FTP?

As to the actual programming and implementation of this system, a Distributed Hash Table (DHT) approach would be a pretty good starting point. Obviously, since DNS has been around for a really long time, it will have the initial edge in terms of efficiency. However, if anything, Google has proven that cloud-based architectures can be incredibly efficient, perhaps more so than DNS is or ever will be. So a DHT or something similar has a pretty good chance of working rather well. Computers mostly stay on these days, so there would be a massive network of nodes.
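The placement rule such a DHT would use, as an added toy implementation (mine, not the original post's) of Kademlia-style XOR placement with K-fold replication. It assumes a global view of membership where a real node would find the closest peers by iterative lookup through its routing table, and the peer addresses and the record value are constructed from RFC 5737 documentation ranges.

```python
import hashlib
from dataclasses import dataclass, field

K = 3  # replication factor: each record lives on the K nodes XOR-closest to its key


def key_of(name: str) -> int:
    """A DHT key is just a hash of the name; there is no hierarchy and no TLD."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big")


@dataclass
class Node:
    addr: str                                   # constructed, e.g. "198.51.100.7:4000"
    store: dict = field(default_factory=dict)   # key -> record held by this node

    @property
    def id(self) -> int:
        return key_of(self.addr)                # node IDs live in the same space as keys


class ToyDHT:
    """Kademlia-style placement over a global membership list.

    ASSUMPTION: a real node finds the closest peers by iterative lookup through
    its routing table; the global view here keeps the placement and replication
    behaviour while dropping the routing machinery.
    """

    def __init__(self):
        self.nodes = {}          # id -> Node

    def join(self, node: Node) -> None:
        self.nodes[node.id] = node

    def leave(self, node: Node) -> None:
        # A node that goes away takes every record it held with it.
        self.nodes.pop(node.id, None)

    def closest(self, key: int, k: int = K) -> list:
        return sorted(self.nodes.values(), key=lambda n: n.id ^ key)[:k]

    def put(self, name: str, record: str) -> list:
        """Store `record` on the K closest live nodes; returns those holders."""
        key = key_of(name)
        holders = self.closest(key)
        for n in holders:
            n.store[key] = record
        return holders

    def get(self, name: str):
        """Ask the K closest live nodes; None means no copy survived."""
        key = key_of(name)
        for n in self.closest(key):
            if key in n.store:
                return n.store[key]
        return None


if __name__ == "__main__":
    dht = ToyDHT()
    peers = [Node(f"198.51.100.{i}:4000") for i in range(1, 11)]   # constructed peers
    for p in peers:
        dht.join(p)
    holders = dht.put("example", "192.0.2.10")
    dht.leave(holders[0])                 # one replica gone: still resolvable
    print("after one holder left:", dht.get("example"))
    for h in holders[1:]:
        dht.leave(h)                      # all replicas gone: the name is gone too
    print("after all holders left:", dht.get("example"))
    dht.put("example", "192.0.2.10")      # only republishing brings it back
    print("after republish:", dht.get("example"))
```

The run shows two things a central registry hides. A record exists only while enough of its holders stay up, so whoever wants to keep a name must keep republishing it (or pay someone to). And nothing here stops a second put() from overwriting someone else's record; real designs bind each record to a public key and reject updates not signed by it, which is the "who holds the keys" question a commenter below raises.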

By the way, if this post doesn't seem well-thought-out, it is just a jumble of ideas that I want to get out there. Hopefully someone can take these ideas and create a legitimate open source product out of them. Everyone who owns a domain thinks that domains are expensive and that DNS is very confusing. DNS, ICANN, registrars, and the whole mess are in need of obsolescence. We need something better. Thankfully, search engines are already working toward making that possible.

Oh - and while you are at it creating this replacement system, feel free to obsolete the IETF in the process. They make spammers possible by ignoring the problem that SMTP represents. Redesigning the entire Internet infrastructure to handle future needs seems like something that the open source community could handle quite admirably and do better than formal organizations seem to be able to do.


  1. Well written. I had never given much thought to DNS, so thank you for enlightening me. It's astonishing how much the internet relies on these old and fundamentally flawed processes and technologies. It almost seems as though the internet needs to be re-written from scratch. I don't doubt though that the so-called "requirement" for backwards compatibility will cripple any significant enhancements in current-day technology.

  2. If we really need backward compatibility, most protocols usually have subtle loopholes built right into them that would allow for switching to another protocol - many times even in the same request. DNS is a bit harder than most other protocols because it is byte-packed for efficient transport. However, I suspect it would be possible even there to piggy-back a new protocol on top of the existing DNS infrastructure to create a whole new protocol. The key places to get this new protocol would be e-mail clients and web browsers - they seem to be more accepting than OS integration authors - but maybe the BIND team is up to the task. Once accepted, it would probably take another decade before we could finally shed DNS completely. But the effort would be worth it.

  3. It seems to me that a DHT in the cloud would turn DNS into the "wild west". Wouldn't it have to work like the old IRC nicks where you have to constantly be connected (or pay someone to be connected for you) and sit on the name you want in order to keep it? What about a net split, or worse, a DDoS attack that causes you to permanently lose the brand you've been building?

    A good distributed name system seems hard to police (which seems like what you're advocating).

    The distributed/P2P systems I can think of either are mostly anonymous or have a centralized authority. Torrents are mostly anonymous. Skype has an authority that makes sure no one can use my account. Even the Linux kernel source code, which uses the OSS community's own distributed source code manager, git, has a centralized authority--Linus Torvalds.

    While I agree with you that DNS is old and crusty, there is a non-technical, political issue that overshadows it.

    I may just be thinking inside the box, but it seems like a new system simply means a transfer of that power and not a remedy. Sure, you could fix the unicode and privacy issues, but you would still be left with only one or a few powerful entities holding the keys.

    I'm just thinking out loud as well.

  4. We seem to be headed to an era of search engines. If you want to get noticed, you need to get onto the front page of the search engine for the search results. DNS is becoming less and less important every day as a result. Google does weigh the domain name itself into its rankings but there are plenty of other factors. However, the important aspect is just getting found/noticed in the first place.

    There are a lot of political issues and eliminating DNS is a fairly complex thing to accomplish. This is why I want to see a group of open source developers form to see if we can figure out something entirely different and unique. Perhaps DNS is the best we can do but I seriously doubt it.

    Part of the problem as well is URLs. One of the first questions I asked myself was, "What do I type into my address bar?" Then I realized that the URL itself is integrated with DNS. If we get rid of DNS as it exists now and replace it with something else, URLs need to go as well or change so dramatically that they will look totally different.