Let's drain the domain name swamp

Saturday, 12 November, Year 8 d.Tr. | Author: Mircea Popescu

For many years I was hiring namecheap.com to do nothing whatsoever[i] for me wrt various domain names I hold (and don't want). Then they decided to "upgrade" their website, because this is somehow how bullshit leech services work, it's not enough to get money for nothing, you gotta also break the process flow of the unfortunate victims.

Needless to say I didn't stand for it, and so a decade+ parasite relationship ended on January 27th 2014 over "website upgrades". Don't let anyone ever tell you that upgrading won't have an effect on your bottom line. It will. It does like it did here.

Also needless to say, the new registrar, Internetbs.net decided to change its payment processing. Because bait and switch is now a legitimate approach to business, I make an account because you support Bitcoin payments, then you discontinue processing Bitcoin "for legal reasons" and that's it, I'm going to move to fucking wires now. Apparently that's how things work in these idiots' heads, I'm not married to Bitcoin and will consider a shoeshine like Internetbs. Oh no, on the contrary - I'm married to Internetbs. They're that important, I care that deeply about a set of fucking leeches that have no reason to exist in the first place.

So I moved again, November 11th 2016. First I tried gandi.net, because all the kids seem to like them for some reason. That yielded

Me: Your prices are ridiculous ? 17.28 to renew .biz vs 10.83 everywhere else ? 15 for .eu ? I'm getting that for 5.96 currently. .com .net 15 each ? Is this some kind of a joke that's funny in your culture ?

Dante Customer support: Hello

Me: aha

Dante Customer support: The current pricing reflects our cost of registration and services

Me: so basically you're a joke registrar that can't price competitively ?

Dante Customer support: There is nothing I can do regarding our pricing. I would advise going with the lower cost competitor if you're unsatisfied with our costs. Keep in mind that lower costs come with a lower service level usually

Me: nice knowing ya.

Services! Fucking imagine this, the title deed company is offering me free cookies that I could have bought for a quarter myself at the fast food joint next door, admitting quia absurdum that I'd actually want either to obtain such cookies or to pay such cookie producers anything. In their broken heads this apparently works, I'll pay $2`500 for a bill worth $1`200 because an unemployable dicklet told me the former comes with "a higher level of services". This is America, you understand, and it doesn't belong on the map.

I'm currently using namesilo.com, but as someone aptly observed "give it a year or two". Obviously.

So how about we actually drain the dns swamp ? Set up a Republican dns server, let people register domains - any domains, including whitehouse.org and random.arbitrary - for a Bitcent or whatever and that's that. Can use the current dns format for feeding data so people can just drop-in replace their current dns servers with ours. Can have an automated admin interface direct to the server so you can update anything at any time with a signed pgpgram and that's the end of the story.

No, you don't need "dnssec", nor does it work. No you don't need all the bullshit they make up about how great their "dns server infrastructure" is, a single machine will suffice for a long time ; and once it doesn't replicating the whole current dns set-up costs a few thousand not a few million. Yes it's "oh so important" as they keep bleating, but only because it's pointlessly and irresponsibly a single point of failure.

Republican dns. Today. Who's doing it ?

———
  1. Please see the linked discussion of Torrens title and understand what's going on. The US has a fundamentally broken way of doing things. All things. AML/KYC is stupid, spending hours for no reason at the airport is stupid, feeding a bunch of leeches in order to real estate is stupid.

    However, just because the USians are fundamentally broken in the fucking head doesn't mean anyone else is supposed, or may, implement the end products of their stupidity. Let's make America forgotten again, shall we ?

Category: Bitcoin

25 Responses

  1. DDOS magnet.

  2. Framedragger (Saturday, 12 November 2016)

    Stanislav Datskovskiy: Simplistic anti-DDoS would be, say, a whitelist of client IP addresses?..

    Mircea Popescu: So just how incompatible with the vanilla DNS would this be, in terms of contents / entries? I assume you imagined this to be completely distinct from the internet's current network of DNS servers? Ideally a client should be able to resolve whitehouse.gov using this or the default DNS server set, but I guess this would be up to the client to do (cue MP: "if you want to do stupid, nobody's gonna object, but don't expect any help [from the server-side of things]")? Symlinking resolver.conf on the client's system to whichever set of servers is currently preferred is one simplistic way, I guess (give or take the need to flush DNS cache).

  3. Framedragger: a single-box+public-ip item is a candidate for shitflooding. Filters will make 0 difference.

  4. Framedragger (Saturday, 12 November 2016)

    Stanislav: you mean a flood a layer below that of DNS, I suppose? (Say, classical SYNflood).

  5. Framedragger: the usual UDP DDOS. (And on a DNS server you could not even apply mircea_popescu's traditional pill of blocking UDP upstream..)

  6. Mircea Popescu (Saturday, 12 November 2016)

    @Framedragger It would be entirely compatible from the client pov (ie, data formatting), I expect, exactly for the reason given : a client should be able to resolve names via this or that as his preference dictates.

    It would be entirely incompatible from an actual data pov : unless Apple somehow magically smartens up, registers a key and uses it to register apple.com, they aren't going to own apple.com.

    @Stanislav Datskovskiy If/when floods become a thing you get a new box.

    This is a vastly overstated concern, from experience.

  7. мимокрокодил (Saturday, 12 November 2016)

    Any opinions on https://www.opennicproject.org/ ?

  8. Framedragger (Sunday, 13 November 2016)

    @MP Right. More of a jurisdictional question, then: in your view, should a holder of any key (in deedbot's WoT?) be able to register any domain? Would it perhaps make sense to restrict a specific TLD (e.g. .tmsr) so that second-level domains under the TLD in question could only be registered if (say) the registration request was signed by >= $min_num keys in WoT L1?

    To make it more particular, say someone with a valid GPG key rushes to register trilema.com in the Republican DNS before yourself. I suppose that is all well and good, and you negrating the key would only be appropriate in the instance of that person pretending that they are MP?

  9. Mircea Popescu (Sunday, 13 November 2016)

    I imagine like any serious country, we first handle the claims of the elite privately.

    In practical terms, da fuck, I'm not going to support a dns system where some dork registered trilema ; and easier and faster than forcing me to sideline one and spin up a competitor would simply be to not allow the nonsense from the get-go.

  10. Mircea Popescu (Sunday, 13 November 2016)

    @мимокрокодил Your comment ended up in the clutches of the antispam system, sorry about that.

    I have no idea what "open" or "democratic" means, but I don't see who's in charge of it nor are they registered with deedbot, and so opennicproject doesn't in any sense exist in this world.

  11. Framedragger (Monday, 14 November 2016)

    Some possibly disorganized comments, may be useful:

    The way DNS and currently available DNS servers work suggests to me that it would be more prudent to pick a (set of) TLD(s), and run a Republican DNS Root for those TLDs only. Note, this could very well be ".com", ".gov", etc. - I am not suggesting some kind of consensus compatibility attempt with Reich DNS Root.

    The whole system is supposed to be hierarchical in terms of control of top-level -> second-level -> ... -> n-th level domains. Furthermore, having a root zone file which may change every minute (someone registers a ".cocks" TLD, etc.) means more of a single point of failure in terms of everything relying on a root DNS server (vs. being able to cache to additional servers, and no need to keep root zone file up to date to the last minute).

    I may be overcomplicating my own thoughts though, especially as regards the latter ("scale it when it comes time to scale it, kid"), and may be out of my element. Interesting problem.

  12. Mircea Popescu (Monday, 14 November 2016)

    I don't give a shit what the idiots do. Any string is any string.

    I don't give a shit what the idiots do. Any string is any string.

    So... myeah.

  13. Framedragger (Monday, 14 November 2016)

    That's great, but to have an "any string" infrastructure whereby, among other things, "trilema.com" would not be owned (in terms of control of DNS zone) by owner of ".com" may require non-trivial modifications of existing DNS server software. But maybe someone knows better.

  14. Mircea Popescu (Monday, 14 November 2016)

    The obvious solution to this problem is to allow registration of "fuckgoats" but not of ".fuckgoats", and so if nobody can register "tld"s the problem's gone.

  15. Framedragger (Monday, 14 November 2016)

    Some notes - if anyone picks up the torch, these may be of some use - correct me if I'm not making sense, or got it wrong:

    1. The general idea is to offer, from the point of view of DNS, an alternative ("the") DNS Root - or, in more general terms, a general internet name system. The "D" in DNS may be a bit confusing, as domains are traditionally to do with, well, domains of authority ("realm of administrative autonomy"), and the Republican system would be more akin to a (WoT-protected) key-value store, I think.

    2. This key-value store, update-able via PGP-signed messages, should ideally be compatible with the transport part of current DNS (a DNS client should ideally be able to send a normal DNS Question to the store, and get a normal DNS Answer). Note, the bulk of the current DNS complexity is (for obvious reasons) in the whole extended administrative-realms/delegation/storage system (plus DNS extensions, etc.). The transport is relatively straightforward. Note also that caching of key-value data structures with clear TTLs should be simple enough; there are no sessions between DNS clients and servers; and interchange can take place over simple datagrams; all of these allow for elegant infrastructure; the latter could in principle be serviced by a future gossipd.

    3. Checking DNS packets in the open is a simple matter of starting a Wireshark capture session on your NIC, and filtering on DNS (filter rule "port 53"). It'll show the datagram envelopes as well as the internal DNS question/answer structures nicely.

    4. For quickly prototyping things, it may make sense to use a DNS parser library, possibly with a built-in server, e.g. dnslib for Python. (Install; do e.g. `python -m dnslib.fixedresolver --port 20000`, and then on the same machine `nslookup -port=20000 somestring localhost`). There's a client, an interception+proxy example that you can subclass, etc.

    5. Some browsers/systems (e.g. Windows resolver) may, if requested to resolve "something", add the Windows domain TLD to make it into a FQDN (e.g. something.home). This sucks. Easiest way to avoid this is to instead resolve "something.", which in DNS land is the "proper" string anyway ("." terminates the "field").

    6. Should strings of any length be allowed for registration? Some options here, etc.

  16. Mircea Popescu (Monday, 14 November 2016)

    1. General Name System works. It's not limited to the Internet, just because it's principally queried over the net.

    It would in principle solve pretty neatly the problem of "who REALLY is LordHurr on Facebook/Linkedin/whatever" just as well as it solved the problem of "what IP is that google.com".

    2. No I'm aware transport's the easy part. That's why we're keeping it. The rest has no reason to exist. Also why the comment in article, "replicating the whole current dns set-up costs a few thousand not a few million".

    3-4. Sure.

    5. Broken clients are really not our concern. As we speak, at this very moment, an aged girly somewhere is "rejecting" a generous offer of perfectly serviceable cock because she's too busy being Lisa Kudrow. I'm not rewriting her software for her, either.

    6. No.

  17. Framedragger (Monday, 14 November 2016)

    Re: 5., fair enough, but just so you know, that may very well include all of Windows. (I'm not sure.) Just to keep in mind. But, yeah.

  18. Mircea Popescu (Monday, 14 November 2016)

    It also includes all of greco-roman antiquity.

  19. Framedragger (Monday, 14 November 2016)

    Oh, also, what about subdomain ownership/control (or in GNS terms, I guess, substring prefixes, or something like that)? If I buy cocks.com and want sucking.cocks.com to point somewhere, do I need to purchase another name? Or if I buy cocks.com do I in effect have wildcard control of *.cocks.com (.cocks.com. in DNS terms, I guess)?

  20. Mircea Popescu (Monday, 14 November 2016)

    If you want the name server to return IP x for string "cocks.com" you then register the string "cocks.com" with IP x. If you want the name server to return IP y for "sucking.cocks.com" you then register the string "sucking.cocks.com" with IP y.

    Whether GNS enforces a rule saying that "all longer strings must be registered by the owner of the shorter string that regexp matches it" is an absurd question - of course fucking not. Whether GNS enforces a rule saying that "all longer strings must be registered by the owner of the shorter string that php-substr matches it" is an even more braindamaged statement of the same concept, and the fact that this is how dear empire found in its wisdom to have things work speaks of the terminal braindeadedness of said empire, not to the merit of the scheme.

    If you want to register mp-is-an-idiot.trilema.com you should be able to. If it is a subdomain mentally, it probably should be a subdomain notationally also.

  21. Framedragger (Tuesday, 15 November 2016)

    MP: Okay, gotcha, I think. Makes sense. (I would object to the notion that the domain/subdomain is completely braindead - in classical DNS, a domain is a "realm", a distinct namespace controlled by the owner of the realm. The FQDN concept is quite useful. But not going to argue any further regarding this. And aware that the "distinct realm" concept may not be quite... tenable.)

    By the way, given that, supposedly, the current DNS protocol is to be honoured to a point, each unique string would, I imagine, map to a key-value map of its own: record type -> value ("A" -> IP address, "MX" -> mail server address, etc.) Overall, this makes for an elegant scheme.

  22. Mircea Popescu (Tuesday, 15 November 2016)

    Pretty much. I'm not entirely sure how many of the numerous types of extant dns crapolade should be kept, for which reason I expect the choice should be passed on to the user. Suppose the owner of domain "google.com" is free to register responses for types "A", "MX", as well as "witches" and "dragons" or whatever else arbitrary nonsense he comes up with.

  23. Framedragger (Tuesday, 15 November 2016)

    Yes, was thinking the same. Two more nuances to note, for posterity - apologies if this is getting to be redundant:

    1) A name may have more than one record of the same record type (for redundancy / load balancing purposes, e.g. multiple mail servers, front-side web servers, etc.)

    2) I suppose the scheme as envisioned here would create a GNS such that there would be no "delegated nameservers", etc. (Then again, if the client wanted to have that and interpreted a record to designate such, that's all well and good.) An initial GNS would handle registration as well as DNS-record-keeping, all in one.

  24. Mircea Popescu (Tuesday, 15 November 2016)

    Yeah, domain names are unique, records however needn't be. I suppose the way this works is that it'll charge per-record (update or creation, no difference) as opposed to "per year" or whatever nonsense.

    It's quite obvious that client-facing "delegation" is a kludge. Let the dns servers handle the delegation themselves as is right and proper, the client has no business being involved.
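The registration rules the thread converges on (comments 14, 20, 22, 23 and 24: any string but no bare ".tld", first key to register a string owns it, exact-string matching with no prefix inheritance, arbitrary record types with several values per type, a per-record charge on create and update alike), as an added example that is not part of the original post or thread. The PGP check is replaced by an HMAC stand-in so the example runs offline; key ids, secrets and the canonical message format are assumptions.

```python
import hashlib
import hmac

# Stand-in for PGP signature checking (assumption, so the example runs offline):
# each key id maps to a secret and a "signature" is HMAC-SHA256 over the message.
# The real thing would verify a detached signature against a key in the WoT.
KEYS = {"mp": b"constructed-secret-mp", "fd": b"constructed-secret-fd"}

def sign(keyid, message):
    return hmac.new(KEYS[keyid], message.encode(), hashlib.sha256).hexdigest()

def verify(keyid, message, sig):
    return keyid in KEYS and hmac.compare_digest(sign(keyid, message), sig)

def normalize(name):
    """'foo.' and 'foo' are the same string; a bare '.tld' string is not registrable."""
    name = name.rstrip(".")
    if not name or name.startswith("."):
        raise ValueError(f"not a registrable string: {name!r}")
    return name

def message_for(name, rtype, values):
    """Canonical text a client signs for one update: exact string, type, values."""
    return f"{normalize(name)} {rtype} {','.join(values)}"

class Registry:
    """Flat store: exact string -> {rtype -> [values]}, owned by the first key to register it."""
    def __init__(self):
        self.owner = {}    # string -> keyid
        self.records = {}  # string -> {rtype: [values]}
        self.bill = {}     # keyid -> records charged (create or update alike)

    def update(self, keyid, name, rtype, values, sig):
        """Apply one signed update; any rtype, several values per type allowed."""
        name = normalize(name)
        if not verify(keyid, message_for(name, rtype, values), sig):
            raise PermissionError("signature does not verify")
        if self.owner.setdefault(name, keyid) != keyid:
            raise PermissionError(f"{name!r} is owned by {self.owner[name]}")
        self.records.setdefault(name, {})[rtype] = list(values)
        self.bill[keyid] = self.bill.get(keyid, 0) + len(values)
        return dict(self.records[name])

    def lookup(self, name, rtype):
        """Exact-string lookup: 'www.x' inherits nothing from 'x' and vice versa."""
        return list(self.records.get(normalize(name), {}).get(rtype, []))
```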

  1. [...] amply chronicled elsewhere, DNS is a steaming heap of imperial dung. At 7:27 PM my time, Lord mod6 and shinohai kindly brought [...]
