Draft OpenID v.Next Discovery working group charter
SitG Admin
sysadmin at shadowsinthegarden.com
Tue May 11 01:30:35 UTC 2010
> Formally, a query that gets a cache hit is the same as one that
>doesn't: It is a DNS query. The fact that the retrieval is
>successful at the local store (cache) simply does not affect the
>underlying model, no matter how many cross-net interactions with an
>actual DNS server it saves.
Understood, then. So; returning to your original question, I do not
know of any discovery mechanism *currently* under consideration,
though I *do* hope to write a Tor plugin and submit it for inclusion
once v.Next is well-formed enough that I can count on the specs in
place staying the same long enough to be worth working with.
Whether that would be considered *likely* to come under consideration
is a question I cannot answer.
>> Hmm . . . but *which* DNS system?
>
>There's more than one?
Sure! Even discounting a user's hosts file (handy for setting up test
servers) and corporate intranets that bounce a subset of users to an
address inside their firewall, the so-called "rogue" (because they
report different results) domain name servers cannot be assumed to
ALL have malicious intent; some of them might be providing an
internet that runs parallel to the Internet most people are familiar
with. Peer-to-peer DNS has also seen interesting ideas, and it's not
as if the centralized domain name servers would have automatically
become aware that such a thing was happening.
(Many of us, finding an open port that claimed to be running DNS,
might even think "accidental security hole" before we thought
"rogue"; a misconfiguration of an inadequately documented alternative
DNS might leave it claiming to be authorized by the same upstream
servers we *usually* see, and prior to DNSSEC was there really any
reliable way of noticing differences?)
>> No domain names, or strings that look like domain names but *can't* be
>> looked up through the usual DNS?
>
>The latter exemplifies the distinction I cited, between name
>registration -- reserving a name from the namespace -- versus doing
>a query using the DNS protocol to a DNS server.
In both cases, starting (in one case, ending) with DNS; got it so
far. Could get confusing if some of the servers don't realize they're
issuing contradictory responses for the *same* namespace; again,
though, this is stepping outside of what is generally understood to
be "the real world".
(Could get very interesting as DNSSEC gains traction though!
Precedence shouldn't be a problem with everyone looking at the same
root servers (disputes settled that way), but one can easily imagine
two (or more) very large, long-entrenched DNS systems colliding
during the DNSSEC adoption, creating an irreconcilable conflict.)
Much more likely, though, that DNSSEC will help prove the lack of any
such things :)
-Shade