Draft OpenID v.Next Discovery working group charter

SitG Admin sysadmin at shadowsinthegarden.com
Tue May 11 01:30:35 UTC 2010


>   Formally, a query that gets a cache hit is the same as one that 
>doesn't:  It is a DNS query.  The fact that the retrieval is 
>successful at the local store (cache) simply does not affect the 
>underlying model, no matter how many cross-net interactions with an 
>actual DNS server it saves.

Understood, then. So, returning to your original question, I do not 
know of any discovery mechanism *currently* under consideration, 
though I *do* hope to write a Tor plugin and submit it for inclusion 
once v.Next is well-formed enough that I can count on the specs in 
place staying the same long enough to be worth working with.

Whether that would be considered *likely* to come under consideration 
is a question I cannot answer.

>>  Hmm . . . but *which* DNS system?
>
>There's more than one?

Sure! Even discounting a user's hosts file (handy for setting up test 
servers) and corporate intranets that bounce a subset of users to an 
address inside their firewall, the so-called "rogue" (because they 
report different results) domain name servers cannot be assumed to 
ALL have malicious intent; some of them might be providing an 
internet that runs parallel to the Internet most people are familiar 
with. Peer-to-peer DNS has also seen interesting ideas, and it's not 
as if the centralized domain name servers would have automatically 
become aware that such a thing was happening.

(Many of us, finding an open port that claimed to be running DNS, 
might even think "accidental security hole" before we thought 
"rogue"; a misconfiguration of an inadequately documented alternative 
DNS might leave it claiming to be authorized by the same upstream 
servers we *usually* see, and prior to DNSSEC was there really any 
reliable way of noticing differences?)

>>  No domain names, or strings that look like domain names but *can't* be
>>  looked up through the usual DNS?
>
>The latter exemplifies the distinction I cited, between name 
>registration -- reserving a name from the namespace -- versus doing 
>a query using the DNS protocol to a DNS server.

In both cases, starting (in one case, ending) with DNS; got it so 
far. Could get confusing if some of the servers don't realize they're 
issuing contradictory responses for the *same* namespace; again, 
though, this is stepping outside of what is generally understood to 
be "the real world".

(Could get very interesting as DNSSEC gains traction though! 
Precedence shouldn't be a problem with everyone looking at the same 
root servers (disputes settled that way), but one can easily imagine 
two (or more) very large, long-entrenched DNS systems colliding 
during the DNSSEC adoption, creating an irreconcilable conflict.) 
Much more likely, though, that DNSSEC will help prove the lack of any 
such things :)

-Shade