In 2003, we celebrate the 20th anniversary of the Internet's deployment and the creation of the domain name system (DNS). The commonly held view is that the DNS is merely a mechanism for translating host names to IP addresses. This view is too limited today, however, and will be completely wrong tomorrow.

Today's application builders choose to use DNS as the application's database or directory for scalability reasons. The most powerful aspect of the DNS scalability is its distribution of authority: sites or users that want to add to the database can, and only those that wish to use a particular DNS application need to configure the required data. At present, there are approximately 100 million separate domains. The original DNS foundation contemplated extensions beyond name-to-address conversion: 65,536 types of data are allowed other than the one needed for addresses. The original 10 data types allowed DNS to keep track of its own organization and distribution, among other items. In the early 1990s, the growth of broadband networks and PCs led to DNS standards for dynamic update, adding this capability to the DNS and enabling another generation of services.

Today, we are seeing the early adoption of three technologies, which seek to take advantage of DNS strengths and use new techniques to avoid its limitations:

Opportunistic encryption. DNS creates a name for every IP address, and that name can be used to store a key so that any two cooperating IP addresses can key and enable IPSec between the hosts, improving their security.

ENUM. IP telephony needs a way to associate IP addresses with phone numbers, as well as rules for what to do when a phone call rolls over to voice mail. The DNS has just the features needed to cope with adding a billion or so new data items, particularly with a well-structured space like phone numbers.
The data fetched in ENUM queries is a miniprogram run in the requester's environment, which localizes the response.

RFID tags. There are millions of these chips deployed today in the form of card keys or key fobs to open doors, even chips under the skin that uniquely identify cattle. The AutoID center has defined a method that maps the 100-bit number unique to their tags onto a domain name, which can be used to identify the manufacturer, part, or even individual serial number. This will add tens or hundreds of billions of DNS names. The method uses special "programs" to compose the query.

If a database that scales to billions of identifiers scattered across millions of organizations is needed, an extension of the DNS for the function should be considered. DNS names and data are like the transistors on an integrated circuit: the challenge is to find new ways to use the almost limitless resource.

The two questions for the future are: what functions might be added to the DNS to increase its capabilities even further, and what applications might those functions enable? Securing the data returned by the DNS with digital signatures will enable the next wave of innovation. At present, the power of the two million or so DNS servers is compromised by the fact that if any of them is subverted or even owned by an attacker, it can serve false information to its clients and other servers. A second needed innovation is a method for formalizing and extending the use of embedded "programs" in the DNS data to generate queries and responses, and make the DNS more "active," building on the ideas pioneered by ENUM, RFID, and proprietary load-balancing schemes. One possible application is a lightweight public-key infrastructure for every individual on the Internet. While not a total solution for spam and fraud, it would be a significant step forward.
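As an added worked example (not part of the original essay or Nominum's software), the following shows the three "identifier to DNS name" mappings described above and an ENUM-style rewrite rule of the kind the text calls a "miniprogram". The in-addr.arpa/ip6.arpa reverse names and the e164.arpa digit-reversal convention (RFC 2916, later RFC 3761) are real; the EPC mapping, the ons.example root, the pbx.example URIs and the NAPTR records are constructed for illustration and are not the AutoID Center's or any carrier's actual data.

```python
import re
import ipaddress

# Added example: the "identifier -> DNS name" mappings the essay describes, plus
# an ENUM-style NAPTR rewrite rule.  Roots, URIs and records are constructed.


def reverse_name(ip):
    """Name under which the DNS keeps data about an address (in-addr.arpa for
    IPv4, ip6.arpa for IPv6).  Opportunistic-encryption schemes published a
    host's public key at this name so peers could look it up by address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def enum_name(e164, root="e164.arpa."):
    """Map an E.164 phone number to its ENUM domain name: keep the digits,
    reverse them, one label per digit, under the root (RFC 2916/3761)."""
    digits = re.sub(r"\D", "", e164)
    if not digits:
        raise ValueError("phone number contains no digits")
    return ".".join(reversed(digits)) + "." + root


def epc_name(manager, object_class, serial, root="ons.example."):
    """Hypothetical EPC-to-name mapping (an assumption for illustration, not the
    AutoID Center's actual format).  Least-specific field nearest the root so
    each manufacturer can be delegated its own subtree, as with in-addr.arpa."""
    return "%d.%d.%d.%s" % (serial, object_class, manager, root)


def apply_naptr_regexp(rule, subject):
    """Run one NAPTR regexp field against the original query string.
    The field is "<delim>pattern<delim>replacement<delim>[flags]"; \\1..\\9 in
    the replacement refer to capture groups.  Returns the rewritten string or
    None when the pattern does not match."""
    delim = rule[0]
    parts = rule.split(delim)
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("malformed NAPTR regexp field: %r" % rule)
    _, pattern, replacement, flags = parts
    match = re.match(pattern, subject, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    return match.expand(replacement)


# Constructed sample NAPTR records for one number's ENUM name:
# (order, preference, flags, service, regexp).  A SIP target first, then a
# catch-all that sends the call to voice mail.
NAPTR_RULES = [
    (100, 10, "u", "E2U+sip", r"!^\+1555(\d{7})$!sip:\1@pbx.example!"),
    (100, 20, "u", "E2U+mailto", r"!^.*$!mailto:voicemail@pbx.example!"),
]


def resolve_enum(e164, rules):
    """Evaluate the records the way a requester would: lowest order first,
    then lowest preference, returning (service, uri) for every rule that
    matches.  The caller tries the results in this order."""
    ordered = sorted(rules, key=lambda r: (r[0], r[1]))
    results = []
    for _order, _pref, _flags, service, regexp in ordered:
        uri = apply_naptr_regexp(regexp, e164)
        if uri is not None:
            results.append((service, uri))
    return results


if __name__ == "__main__":
    print(reverse_name("192.0.2.1"))
    print(enum_name("+1 555 123 4567"))
    print(epc_name(12345, 67, 890))
    for service, uri in resolve_enum("+15551234567", NAPTR_RULES):
        print(service, uri)
```

The records are data, but the requester executes them: whoever controls the answer controls where the call is routed. That is the essay's point about servers serving false information, and why signed DNS data matters before this kind of "active" use is trusted.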
DNS will not necessarily replace the other layers, but by 2005 there should be a DNS that is safer, 10 times larger, and does much more than today.

Mockapetris is chief scientist at Nominum, Redwood City, Calif.