Re: [TUHS] off-topic list

[Tony Finch <dot@dotat.at>]

Noel Chiappa <jnc@mercury.lcs.mit.edu> wrote:
>
> It's perhaps worth noting that today's DNS is somewhat different from the
> original; some fairly substantial changes were made early on (although maybe
> it was just in the security, I don't quite recall).

The key early changes were described in RFC 973 (1986): bigger TTLs,
MX records, CNAME and wildcard clarifications.

Next, I think, was NOTIFY / IXFR / UPDATE in 1996/7 which made the whole
system (potentially) a lot more dynamic.

RFC 2181 (also 1997) is important because it includes the standardized
pre-DNSSEC answer to the 1990s cache poisoning attacks found by Bellovin
and others. (Though I think a lot of this was put in place well before the
RFC was published.) This greatly restricted the gossip protocol aspect of
the DNS (records in the additional section).

There was a lot of churn related to IPv6 easy renumbering, which has all
been thrown away apart from DNAME.

There was also a lot of churn around DNSSEC, going right back into the
1990s, which finally settled on what we have now by about 2008. Along the
way they discovered a lot more unclarified edge cases in things like
wildcards. DNSSEC turned the DNS into a somewhat half-arsed PKI. It could
also allow implementations to bring back gossip, though there are
performance and packet size constraints that make it tricky.

The half-arsedness of DNSSEC is mostly related to the administrative
aspects of registrations and transfers and so forth, which are frequently
not very confidence-inspiring. Some of this is due to the way EPP works
(and its predecessor the registry-registrar protocol), but it's mostly
because there's no standard interface between domain owners, DNS
operators, and registrars. (And registrars don't want one because it would
commoditize them. There's probably a David Clark-style Tussle in
Cyberspace case study in here somewhere.)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
work to the benefit of all