It's got some other rewesses on it. Maybe they saved it. I don't know. Always confused me. Okay. I guess we're ready.

This is a talk on basically what is DNS. Then we're going to talk about alternate roots and the controversy therein. The talk changed a lot a few days ago because ICANN came out with a rather obnoxious paper, and they seem to be moving down a road very fast that kind of changed the talk. So I'm going to go over DNS real fast and at about 80,000 feet, so we get terms like root server and cache down. And then we're going to move ahead to talk about alternate roots, what some of the ICANN decisions mean, some confusions that happen with trademark, and that are being made to happen on purpose with trademark by some intellectual property concerns in ICANN. And then we'll try to talk about where we can go from there.

So start right off, smack into DNS. You've got a browser or something and you look something up. What happens? You go to a page. So let's say you look up DEFCON. First thing that happens is your machine queries a local caching name server. That's a little box that says DNS server. It's going to go there. It basically, I can get into a lot more detail, but it basically asks for the IP, and it gets back a record in response that gives it that. DNS is a big distributed database of information and you're just asking it for an answer. The cache server then checks to see if it's already got it. Then if it doesn't, it goes upstream, taps a root server. A root server is something that I can ask, who's got www.defcon.org? Who's got that information? Technically speaking, the root server should respond just with who's authority for org. But the current root servers blur that line a little bit and do top level domains as well. So they're going to respond, who's got org and who's got defcon.org. There's the response you might see there. It actually wouldn't look like that.
But that's a response you could get out of a program that would show you what the roots told you. Yeah. Anyway, it'll recurse to a certain level. It'll give you as much response as it can. Most name servers ask, the caching servers ask for full recursion to try to get an answer as fast as possible. That means they ask for the whole thing, not just part of it. The cache server goes to one of the listed name servers from that list, gets the answer, spits it back to your machine. Okay, that's DNS. I hope I made that clear.

Now we get into the real meat of the talk, which is about ICANN, about what is the root, what can we do about the root, because the root presents certain technical and political problems, and where can we go from there. ICANN is the Internet Corporation for Assigned Names and Numbers. One guy used to do everything that it now does. It is huge. The org chart I saw put up at a conference once, on a screen about four times the size, you couldn't read any of the boxes in it. It's monstrous. ICANN is basically making decisions about what we're going to be doing with top level domains, IP allocation, when you move to IPv6 on some of the backbones and things like that. They're very significant in what happens with the net. They're also totally loaded down with special interests, and they have official committees built of special interests who have official roles.

That URL up there just came out not very long ago. It's the result of an ICANN board meeting in Japan. I recommend you read that. It's awfully spooky what it says. What it basically says is we're moving forward and releasing new top level domains. In fact, although you guys may not have known it, the deadline is August 1st to submit a new top level domain. They can come in from new registries. You can say, I want to be a registry, I want a top level domain, or existing ones. If they accept it, it will cost you $50,000 to start it up. So obviously there aren't going to be many bit players in this game.
This isn't for discussion. This has already been discussed. This is what's happening. Under discussion is a provision called sunrise, or sunrise plus 20. Now that's been rolled into this proposal for new top level domains, and it basically came as a compromise, so to speak, from the intellectual property concerns. They say it's a reasonable compromise between their interests and the need for new top level domains. What is sunrise plus 20? Basically it means that if I've got a registered trademark and you start up a top level domain, you've got to hold my name for me for 20 days so I can at least get the first crack at it. Well, this doesn't do a whole lot for the usefulness of top level domains. If IBM is going to have IBM dot bakery and IBM dot banana and IBM anything else in the top level, it's sort of meaningless.

ICANN as well will be operating the root. They will be operating a super root, a master root that all the other roots will feed off of. So I'll get to any question about whether you can get out of the sunrise plus 20. The answer is no, because they're not going to let you add it into your zone. They will block anything that shouldn't be there, because IBM or whoever has 20 days to buy it. That should be spooky.

A lot of people confuse root DNS and top level DNS, TLDs, partly because currently the current roots have both. They've got com, net, org, edu, and they're also root for com, net, org, edu and all the two letter domains and really everything else that you can get to on the internet, unless you're using some other root name service. So to use another top level domain that they don't have, you've got to not use the top level name service and not use the root. That means not using ICANN's root.

So for example, there are problems with the whole sunrise provision, and this is a good example of it. Ajax. This is a real example. At least you'd think you have. Ajax.com you'd think probably is owned by Colgate-Palmolive. It's for their cleaner. That's true.
Unfortunately, if you give the trademark holder the first crack at a new name in a new top level domain, it causes some problems, because Ajax has a lot of registered trademarks from different companies. So who should get it? There's Ajax football. They're Ajax.nl right now. Ajax, which is a town. Ajax, right. And actually this was just about three minutes' worth of searching. There are a lot more. It's a very common name. I think Sophocles probably has the right to it first, but I don't know who his current heirs are, and the rights are probably gone.

So the issues are actually kind of thick, and yet the intellectual property concerns, who perfectly well know that this is an issue, are nevertheless talking about right of first refusal. And this is for any registered trademark holder. It would be a big difference if it wasn't for just any registered trademark holder, but for holders of what are called, well, let's just call them strong trademarks. There was a provision put into the law recently that gives them extra protection. It really just reflected some court decisions that said there are some names that are so well known and so odd that really you just can't use them anywhere without causing confusion, because people will think it's the company. A pretty classic example is like Chrysler. You probably wouldn't find a Chrysler bakery without thinking about the car company. But those names are entitled to some special protection, but there aren't many of them. Now what this does is it gives them all a preemptive strike, if it was just for them, on the domain names, but it's not. It's all trademarks. So this is effectively a total overkill of the trademark system.

So let me move forward a little. So you can see odd things happening with this system that just don't make any sense, and yet these companies have a preemptive right to it if the sunrise provision actually becomes part of the final charter. It doesn't make any sense at all, to me.
Okay, we're going to get into another idea, the local virtual root, which a lot of companies already have something like. A large company has a three letter, eight letter or whatever internal top level domain. So for example, you might have the foo company and you have dot foo as your top level domain. For internal use only, you run a little root name service on the inside. It mirrors everything the soon-to-be ICANN root does. So you can reach everything in the world, but you also reach foo. This allows people to type in just one name without the dots and be pretty assured of getting the correct server. It also helps you distinguish between inside and outside, because on the inside if you try to hit mail, you hit the inside mail server, mail dot foo. On the outside you'll hit mail dot foo dot com or whatever. So there are great uses for it and a lot of large companies use it. Some of them have monstrous networks built around this stuff.

You can imagine if one of the new external top level domains that somebody talks through ICANN is dot foo. This company is going to have some problems, particularly because they won't own the whole thing anymore. So they've got to create a difference between the inside and the outside anyway there and actually filter, which is going to be a real pain for them. The proposal ICANN has takes none of this into account. That's real world stuff. So flip through this, I'm moving too fast.

OK, so ICANN is really just afraid about squatting ultimately. That's the big be-all and end-all. On the other hand, as you can see, GM can grab GM dot foo and General Muffins Incorporated might get squeezed out of it and have to pay GM for the right to get it, because GM has the right to buy it under this provision, which is very odd because under the normal trademark law GM, the car company, never would have been able to do that.
Moreover, if they're afraid of someone squatting on it or using their name in a manner that confuses the public, they have remedy already in the courts, and they could have gone to the courts afterwards through the person. If the person wasn't worth any money, they'd still get the name back and stop the person from using it, if they were actually using it. So what this has given them is a preemptive strike that doesn't exist in the law. That's rather odd. So the question in the past, again, was not would the name confuse the public, which is what the question is now, but has the name confused the public, and then they have a remedy to it. And the motto at law is, where there's a right there has to be a remedy, but the remedy is in civil law, except in rare circumstances, or always after the fact. You just can't stop someone from doing that. That's not just in the US, it's in a lot of places. So the ICANN proposal just goes way overboard.

In fact, there are examples in common everyday life where this kind of situation happens all the time now without needing preemptive strikes. It happens in the phone book, where the phone company is not held responsible for a misleading ad in the phone book, but they can be ordered by the court, after someone sues the party who's probably worth $12 into the ground, and they can be made to not run that ad next time. Of course, the phone book lasts for a whole year, and yet this has not put any large corporations out of business. So the damage is even greater there, and it takes a full year for those phone books to basically more or less go out of circulation, where it could take an hour after the court decision on the net, or figure four days when all the time-to-lives go. So it happens with 800 numbers. It happens with your local sign maker. You have the right to walk into a car painting shop, say anybody's neighborhood car painting joint, with a white van and have a nice AT&T logo painted on the side. You can do that.
No one can stop them from doing it. AT&T can't call ahead and say, no, no, no, don't paint that on the side. You can't do it. You can drive down the street and go into alleys and start climbing up poles and things. At that point, AT&T probably has the right to stop you, but until you've done something that confuses the public or defrauds somebody, they don't have the right to stop you.

So the other question this raises, when moving to fraud, is why are the trademark interests getting so much power in the new domain name system? And I don't mean as opposed to you and me. I mean, what about the libel interests? You know, I mean, I would be upset if there was a www.mikeshare, you know, has sex with goats on the weekends.com. I really would. But I have no right to preemptively stop that. I do have a right to stop it as libel after the fact. And what about criminal utterances? www.theholocaustneverhappen.com is completely fine here, but is a criminal offense in Germany. No right to stop that in advance. So why do trademarks get this special protection? When in fact, you know, libel is very harmful to someone in a direct way, criminal offenses are considered pretty serious because that's why they're criminal, and yet there's no preemptive strike for those. So you have to think about what's going on in ICANN with the intellectual property concerns, that they have so much about biting it.

Well, they say they're compromising. I think the confusion is over words. We all think that trademarks are in words, but they're not in words. They're in certain uses of certain strings of letters and shapes and colors and symbols in certain circumstances in certain lines of business. Again, it's a very rare or strong mark that can overflow its riverbanks and get into other areas of business. Otherwise they can't. They shouldn't. This will allow them to do that.

So we take it a little differently. Let's take our internal top level domain at Foo Company.
And let's stick it outside the company's firewalls. And we'll run it on, let's assume, something that not too many people will break into this week. And so we do that. And we put it out there maybe for our vendors so they can get at our internal namespace without, I don't know if any of you have run a VPN around a firewall with internal namespace. It's hell. It's a real pain in the butt. So put it out there so they can tap it. They just add that to their list when they're in the VPN thing. They get a number over DHCP. They go to that server on the outside and they get routed all nice and happy and they get the right names.

But when do we put it out there for everybody? Well, like Microsoft runs Microsoft Usenet newsgroups that don't exist in the regular Usenet distribution space. You have to tap their news server for it. Same thing with this. We could run a namespace that certain people tap when they run maybe some of our software, maybe on purpose. Think about it. We could actually do some interesting stuff with it. We could. This has been up there for you to watch for a while. You run a filter service on it. You won't get to certain domains that you don't like, because you won't. You could subscribe to an ISP that basically does that and then your kids can't go to certain places by name. Maybe it's whole countries you don't want them getting to. This would be great for China. But they can already do this, of course. Maybe you need to give faster name service response. That's certainly a possibility. Running a local root basically means you don't go flying out to the regular roots very much, and you cache everything the root has locally so you don't go out there for anything, just about, except for top level name services, and the roots and top level name service are blurred right now. You can create useful namespaces. You can get specific with stuff.
This is where it gets interesting, because IBM.com, you could always have pcs.ibm.com and mainframes.ibm.com, or you could have mainframes.ibm. It's a flattening of the namespace in some respects. But in other respects, that becomes very useful, because if you say I'm switching over to the IBM dominion and I want PCs and mainframes and so on, it's very trivial to write software that does the right thing with that, as opposed to having to use a regular name service system.

So now we have the fear, uncertainty and doubt stuff that people are talking about with doing this. And this is pretty straightforward things. Somebody's going to come out with an alternate .com. Oh my God. Okay. Who's going to use it? Right. Root zones are monstrous. Root name servers require massive systems and the traffic is intense. That's because you're serving the entire Internet. If you have one that's serving your 20,000 ISP customers, you're not going to have it melt. Trademark violations will run rampant. They'll run rampant anyway, because I can register Kodak.Fuji.Nabisco.mikeshare.com. Right, I can. So putting that out on the net, I can put it into web pages, I can put it in my Usenet posts. The name will go everywhere. That is about as much effective confusion as Kodak.mic. And yet Kodak.mic would be preempted, and me using the existing system to build something very odd wouldn't. And trademark violations will get prosecuted as they are now. Civil court, people will sue and people will be shut down. It's very boring. These are real concerns here.

Flattening the namespace. We were talking about that. We get names that instead of being hierarchical are kind of flat. We get a .ibm and a .microsoft and a .everything else, versus something more hierarchical. The current existing namespace is that right now you just slash off the .com or the .net and you've got that, because the differences between .com and the others have not been enforced for over four years. So it's a flat namespace now.
There's just a .com on the end of it. So will this flatten it any more? I don't think so. I do think it's a concern, but I think that if the namespace does get flattened, and we're already seeing this happen, meta-search indexes will start being built. Already, it used to be if you typed a domain name just without the .com and without the machine name into your browser window, it would start searching machine names. Kind of tack on the .com, tack on the .net, tack on your local domain, whatever. But now actually they kick you off to search engines half the time, depending on the browser you're using. So there's already a sense that people really just want to be able to describe what they want to get to and go there. I expect that will continue to be the case. If I want to get to it, I'm probably not going to type IBM.com because I think I know what IBM the machine maker is. On the other hand, if I want to get to it I should be able to type IBM, if that's what the company goes by, bagel space food, and not have pages about computers come up in my face. So you need a meta-search that gives you best answers. I think that's going to come.

Another real problem is transparent proxies. If you've got DSL from, I think it's Southwestern Bell, you're going through an HTTP proxy even though you don't realize it. It's caching. It is there to keep your bandwidth costs cheap. That's why DSL is cheap. It's massively oversold in most places, but you get pretty good response because they have massive caches making most of the traffic not really hit their internet pipe. Unfortunately, that caching proxy has to do a name service lookup, and it may not be using the root that you think you're using if you go to multiple roots. So you'll lose all those alternate domains. The thing that you may see in the future, though, is that these companies will start running services where you can set up your software and you'll pick the root you want to use. Maybe you can switch it on the fly.
That would be kind of neat. And then finally you need to regularly update the local virtual root.

So I suppose I should dig into what I mean by a local virtual root. I mean you take root name service from various places and combine them in an intelligent way so you don't have overlap. So I want .web, which is sort of in existence now. I want .buff, there's a feather not for a BLFH, and some other root things. I want to combine them in an intelligent way, and in case there's overlap between top level domains in them, I want to pick which one I want to win out when I do my searches. So I can do that, build this root zone file on my local caching name server, and it becomes a local root name server. And that's it, and I've built a virtual root on it. It's very simple. Companies do it all the time. I've got one running at home. It's not very exciting. I do it at home basically because I don't want to go to certain sites, mostly advertising sites, that seem to pop up on my screen a lot, and I want that to get turned around to my machine, where I policy route it into something that gives me a little 4k smiley face instead of the ad. And I can do that. I can do that very easily.

So when you start building this, the top level conflicts don't really matter so much, unless you're using an old name server software where the glue could get poisoned or could cause poisoning, unless you shift your view and name space on the fly by jumping from root to root. If you clear the cache, and if you're using just a client, you can do that almost instantly rather than having your root name server jump around. And it cuts down on external DNS related traffic, which really is very small anyway, but it is a benefit.

So the question is how to do it. One of the problems right now is BIND comes with the zone file for root, a root hints file. It comes with it, and nobody is really told who sets it up that you just bought into the legacy root. That's funny, because there are in existence other roots.
They're not big, but they're there and you could jump through them. You cannot combine roots in BIND's hints file. If you do, you get bad answers. You get no such domain when there is such a domain in one of your root servers you've got listed in there. So you've got to build a super root to do it with BIND. Bernstein's dnscache, now djbdns, lets you do it a little more easily on the fly. On the other hand, you can do it just like you do with BIND and build a virtual root. So really most of the people I've talked to, which includes Auerbach and Bernstein, think that the way to go with this is to write a simple protocol that's very flexible for your roots, and they can be PGP signed, and you can actually start updating the list of root servers in that zone off the PGP signed content. So you no longer have the problem of old machines with old hints files going to DNS root servers that no longer exist, which make them slow.

The upshot then is that you get all your personal wants and desires, or your company's personal wants and desires, into the system, and you can jump it around. If you are an ISP you could run four or five different virtual roots on one box, different IP for each, and serve different interests of your clients, and it's very straightforward.

So some of the references are existing alternate roots that are out there, and these are all super roots, although I think the way to go is to build them locally to increase speed. These are just proofs of concept. One is the Open Root Server Coalition. They run a lot of weird domain names, and they're kind of, in some respects, a land grab, and they'd like to see the namespace get flattened for the same reasons I would, because it's really silly if it doesn't, and I used to be quite against it. And the Internet Namespace Consortium, which actually holds no top level, which serves as a super root and gives access to a lot of other domain name registrars that are non-official.
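As an added illustration (not code from the talk or from any of the projects it names), the script below does the merge the speaker describes for a local virtual root: it takes delegation data from several root sources, lets a priority order decide which source wins an overlapping TLD, and accepts glue addresses only from the source that wins the TLD the glue host lives under, which is the out-of-zone glue problem the talk comes back to later. The source names, zone text and IP addresses are constructed for the example; the zone format is a simplified "owner TTL IN NS|A rdata" form, not a full master-file parser.

```python
# Added example: build a local "virtual root" zone from several root sources.
# Overlapping TLDs go to the highest-priority source that delegates them, and
# glue (A records) is accepted only from the source that wins the TLD the glue
# host lives under, so a lower-priority root cannot plant an address for another
# root's name server (out-of-bailiwick glue). Source names, zone text and IPs
# below are constructed for the example; TTLs are taken from the records.

def normalize(name):
    """Lower-case an owner/target name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."

def tld_of(name):
    """Top-level label of an absolute name: 'a.gtld-servers.net.' -> 'net.'"""
    return name.rstrip(".").rsplit(".", 1)[-1] + "."

def parse_zone(text):
    """Parse simplified zone lines 'owner TTL IN NS|A rdata'; ';' starts a comment.
    Returns a list of (owner, ttl, rtype, rdata); other record types are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] not in ("NS", "A"):
            continue
        owner, ttl, _cls, rtype, rdata = fields
        if rtype == "NS":
            rdata = normalize(rdata)
        records.append((normalize(owner), int(ttl), rtype, rdata))
    return records

def merge_roots(sources):
    """sources: ordered list of (source_name, zone_text); earlier entries win.
    Returns (zone_lines, conflicts, dropped_glue) where conflicts lists
    (tld, losing_source, winning_source) and dropped_glue lists (host, source)."""
    winner = {}                  # tld -> source that owns the delegation
    delegations = {}             # tld -> list of (ttl, nameserver)
    glue = {}                    # host -> (ttl, ip)
    conflicts, dropped = [], []
    parsed = [(name, parse_zone(text)) for name, text in sources]

    # Pass 1: hand each TLD to the first source that delegates it.
    for name, records in parsed:
        for owner, ttl, rtype, rdata in records:
            if rtype != "NS":
                continue
            winner.setdefault(owner, name)
            if winner[owner] == name:
                delegations.setdefault(owner, []).append((ttl, rdata))
            elif (owner, name, winner[owner]) not in conflicts:
                conflicts.append((owner, name, winner[owner]))

    # Pass 2: bailiwick check on glue, now that every TLD has an owner.
    for name, records in parsed:
        for owner, ttl, rtype, rdata in records:
            if rtype != "A":
                continue
            if winner.get(tld_of(owner)) == name:
                glue.setdefault(owner, (ttl, rdata))
            else:
                dropped.append((owner, name))

    lines = [f"{tld} {ttl} IN NS {ns}" for tld, entries in delegations.items()
             for ttl, ns in entries]
    lines += [f"{host} {ttl} IN A {ip}" for host, (ttl, ip) in glue.items()]
    return lines, conflicts, dropped

# Constructed sample: a legacy root (highest priority) and an alternate root
# that also claims .com and tries to supply glue for a legacy .net host.
LEGACY_ROOT = """
com.                 172800 IN NS a.gtld-servers.net.
net.                 172800 IN NS a.gtld-servers.net.
a.gtld-servers.net.  172800 IN A  192.0.2.10
"""
ALT_ROOT = """
web.                 86400 IN NS ns1.root.web.
ns1.root.web.        86400 IN A  198.51.100.5
com.                 86400 IN NS ns1.root.web.       ; overlaps legacy .com
a.gtld-servers.net.  86400 IN A  203.0.113.66        ; out-of-bailiwick glue
"""
SOURCES = [("legacy", LEGACY_ROOT), ("alt", ALT_ROOT)]

if __name__ == "__main__":
    zone, conflicts, dropped = merge_roots(SOURCES)
    print("\n".join(zone))
    print("conflicts:", conflicts)
    print("dropped glue:", dropped)
```

The conflict and dropped-glue lists are what you would review before loading the generated zone into a local root server, since a silent overlap is exactly the case the talk warns about.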
So the thing you should be aware of, though, is that ICANN is moving ahead rather quickly with this plan, and they're going to put out some new domain names real soon. One of the suggested ones is bank, .banc, which almost makes sense. It segregates a portion of the commerce market into a name that makes some sense. Currently IBM is going to get the right to buy IBM bank before anybody else, and Chrysler is going to get Chrysler bank, and so on. So it once again doesn't make sense, and it results in a flattening of the namespace, and you wonder why they're doing it. Right, the sunrise provision, though, is still up in the air, and it would apply to all new domains, so it would be interesting to see how that works out. It's supposed to work like that, but again, sunrise is up in the air.

In the back there, are local doing business names, right? No, no I don't. After the trademark holders get their 20-day whack at it, it becomes a land grab, what they're talking about. The... Well, there's almost not such a thing as just a national trademark anymore; there are trademark treaties that make it fairly international. It is international trademark law they're looking at, and they're trying to focus in on various countries that have a lot of commercial interest, basically to find out exactly how they're going to do it. But if you look at the ICANN rules, they have very little to do with trademark law, so it works very well internationally even though they purport to be doing something with trademark law. One of the things you may be missing is, when I do go and register a doing business name locally and reserve it, I'm still subject to the federal trademark law, so if I manage to register locally something that I really can't use in commerce, I'm going to get stopped from using it. I'm allowed to register in advance all I want; I have to be stopped by the trademark holder. And I think that's the way things should go, but that's not where ICANN is going. They're going quite the opposite.
That registry would be automatically empowered and required to stop me from registering it so that IBM would get a whack at it, or whoever.

There's an RFC, a fairly new one anyway, that talks about how a root server should be run, and one of the things it shouldn't do is do a zone transfer on the root, so you would not be able to just pull it down. In fact, about a week ago I went and tore through A through M of the roots, and only F allows zone transfers for the whole root. So that's f.root-servers.com, no, .net, excuse me, and get it while it's hot. Other than that, you're going to have to apply, and that's partly an effort to sew up the root space. I don't think the trademark interests, by the way, are pushing that in part.

To the root servers, no, because that would undermine the point of them, but to the zone file, that is the root content, so you could build a local root, sure. I'm sure they might. There's definitely money interests behind this. They would claim it's to fund the root servers or something, and that zone transfers are very heavy on them. In fact, transferring the whole root zone down to an ISP that's fairly busy and then running a root locally would probably save a lot of work on that root server, but zone transfers are trivial in terms of computational energy. It's a bit of bandwidth for a burst, that's it. Lots of little lookups all day long is actually computationally much more complex, and so if anything it would save them effort. But they don't want to say it's not about effort, it's about namespace control and trademark.

.xxx and .sex, and yeah, it's one of the six proposed names, but then they put it out for the general public, if you have $50,000. The public interest, so we don't know what the final ones will be right now. We actually will very soon, I would think, but we don't right now. But what do I think of that? I think that it at least puts some focus, which is good, right? It's at least a meaningful name, but in reality I think they just think it's
going to be a hot seller, so, because, I, you know, www.xxxgirls.com doesn't really leave me much doubt about what that domain is. So actually a car dealer, go ahead. ICANN isn't going to try to affect the two letter country designation names' registration processes. This is solely for new global top level domains, ones that don't have a geographical element to them. So there are some guidelines, and they're actually talking about making everybody charge the same, which would kind of kill competition. You have to somehow tout speed and quality of service as your competitive edge, which would work versus some of the existing registrars, but it's not much of a competitive basis if you can't do it monetarily. Right, we're smart, we have a good database system, we can do it cheaper, we're not using a 16 year old database. You might have been able to, and you might be able to, but one of the things on the table right now is to fix the domain name price for second level domain names. And that's assuming that they like your proposal and they let you buy .adult. That's also still in ICANN's hands, what domains will be created, and the phrase they're using is that it will be a task of proof of concept, to see how it works out, how the intellectual property interests are hit, how much it destroys the internet, you know, etc.

If you've dealt in large corporations, you know, running oddball internal, and when we say oddball and internal for a large corporation that could be 75,000 systems distributed around the world, it works fine if you know what you're doing, and I don't think too many people will be running root name servers vaguely without knowing what they're doing. And the hope is that software will be coming out that will allow you to roll your own even if you don't entirely know what you're doing, and do it safely, so that small ISPs or middle sized ISPs could do that.

The questions, basically, first, what can you do with regard to the ICANN proposals and how can you become something of an activist, what can
you do, what's important is, will IPv6 do much for this? The nice thing about IPv6 is it will force people to start using at least at their borders, because there are going to be a lot of IPv4 protected zones, mostly protected zones. Let me answer that one first, actually. It's not going to do a whole lot. It's not going to increase the name space, it's going to increase the number space, but that's not really that issue. It will reduce the ability to spoof, but it actually means that you can have somewhat overlapping root zones without accidentally giving someone a name server in the other .com and ruining the lookup.

Currently older versions of BIND will very gleefully take a name server reference that's in something called the glue, which is sort of, by the way, if you wanted to look this up I'll give it to you now anyway, that may be out of the zone of authority of the machine that you're asking for something from. So I ask for foo.com from foo.com's name server. Well, foo.com is in a name server that is genuity.net's, and by the way the IP address of genuity.net is blah. Unfortunately I use a different net than Genuity does, and genuity.net on my net is completely weird, and I've now just made your name server remember that, so you're completely whacked. Proper name servers for the last couple of years really don't cache that, and the newer ones definitely don't, so you have to actually very intentionally go whacking them to poison their caches. It was actually easy to do it accidentally before. So when Eugene Kashpureff basically made InterNIC go to AlterNIC for a significant portion of the internet, he did that by simply throwing bad glue around, and it was actually trivial. So that would be harder.

So what you can do as an activist: the ICANN word site, www.icann.word, which was up there somewhere, that's going to end, has responses to all of their papers and so on going on, and we start writing on it, which is probably one of the best places to start. There you go, so www.icann.word, all of their topics,
all of their white papers, all of their committees have feedback there, so you can at least give them feedback. But I recommend taking it into companies you have talk about. If you're technical and you're at the company, start building alternate roots. They do wonders for corporate networking. And then I would take it to the press. I mean, this is interesting stuff, definitely unusual in the law too. www.icann.word.com, right, and working group C actually had some amazing people on it, so it was depressing. www.icann.word.com has some people on it that make you scratch your head as to why they're there, so you gotta watch out for that. Anyway, anything else? Thanks.