Benvinguda
Interview to Paul
Mockapetris, Internet pioneer and father of DNS
"Some countries want to restrict domain lookups to
names that they say refer to child pornography, gambling,
or just perhaps the "wrong" country, religion, or
belief"
Paul Mockapetris, best
known for creating the Domain Name Server (DNS), took
part in the X Euroecom-eBSN workshop, organised jointly
by the Consortium for the Commercial Promotion of
Catalonia (COPCA) and the European e-Business Support
Network (eBSN) on March, 22th. During his stay in
Barcelona, Paul Mockapetris, with Andreu Veà, ex
Vice-President of CATNIX (2002-03) and nowadays Internet
Research Scholar at the Stanford University, California,
visited CESCA and its communication infrastructure,
especially the Catalan Neutral Internet Exchange, which
hosts a mirror of the F-root nameserver.
Considered one of the fathers of the
internet, in 1983 Mockapetris proposed a Domain Name
System (DNS) architecture in RFCs 882 and 883 while at
the Information Sciences Institute, one of the large
research centers of the Advanced Research Project Agency
(ARPA). But his contributions to the internet don't end
there. He has designed SMTP protocol for email and has
participated in its implementation, has deployed the
first root nameservers... Nowadays, as Chief Scientist
and Chairman of the Board at Nominum, Inc. he continues
working to help guide DNS and IP addressing to the next
stage.- Your complete career has been formally recognized with the 2005 ACM SIGCOMM award, but we imagine that the greatest satisfaction is to see that the millions of people that are using everyday something you created. What are your feeling about this fact?
- Let's assume that you were given the opportunity to redesign the DNS protocols again, without any legacy constraint. Based on your past and present experience, which kind of changes would you like to do?
When I designed the DNS, I had to balance the urge to add features (such as security), with the knowledge that any additions to the design gave more ammunition to the many critics who claimed DNS was too complex.
I also believed, even hoped, that the system would be used in ways that I couldn't imagine, and the only way to do that was to put together a set of concepts as "a toolbox of compatible tools" rather than a complete set of specific services.
So while there are many things that could have been added
(and have been) and some small errors in specific
features (e.g. compression), I really can't think of
anything major I would change or add, remembering that
the original DNS design had to be accepted by the
Internet community of early 80s.
If I had proposed something as complicated as today's DNS, it would never have been adopted, and we'd be doing something else today. I sometimes wonder what it would be.
If I had proposed something as complicated as today's DNS, it would never have been adopted, and we'd be doing something else today. I sometimes wonder what it would be.
- If we move
back to the past, when you were designing the first
specifications on the name resolution system (DNS) on
RFCs 882 and 883, what is the most curious fact or
event that you remember?
I think the issue of handling names and data that are NOT
in the DNS is curious. Originally, we simply had the
ability to tell whether a name existed, and whether data
of a particular type was present at a name that
existed.
But politics dictated that some names would be reserved even if not used, and organizations fight over the rights to present advertisements to users when they mistype names, and we added the ability to cache the fact that names or data did NOT exist in the system.
That doesn't mean the DNS is suitable for complicated data types or other functions; those can be in higher levels of the configuration infrastructure, in things like AD and LDAP and the rest.
But DNS is faster and more distributed than any other database on the planet, has tens or hundreds of millions of euros of infrastructure deployed for caching, and is understood by every computer made in the last 5 years as well as most cell phones, DVR's etc — that makes it a powerful tool.
This is more difficult for the TLDs, which are much larger, but the distribution of signed copies of entire zones is a way to strengthen the DNS with today's technology. Of course, technology isn't everything TLDs have to contend with different information protection laws; if I copy the .CAT database to the US, whose laws govern? Hopefully, ICANN can create some standard policies that solve most of these problems.
The last issue is that registrars and registries want to preserve the economic advantages they have by controlling the data, sometimes to the detriment of security.
In practice, DNSSec is suffering. Its architects seemingly decided, immodestly and erroneously, that they would create a single perfect design and apply it across the whole Internet. For example, they created a design that meant that anyone could see the entire contents of a secure zone in order to create digital signatures for names that didn't exist. That was fine for some TLDs but anathema to others. A better design would have made this feature optional for each domain to choose, or left it for future implementations. Many issues like this stretched out the development schedule with revisions and redesigns, now more than a decade in progress.
In the mean time, government policies shifted back and forth on cryptography, and some countries want to restrict domain lookups to names that they say refer to child pornography, gambling, or just perhaps the "wrong" country, religion, or belief.
But there's hope. While I don't think we will see all of the present DNS database signed anytime soon, I think we will see application of DNSSec for some special applications, perhaps in intranets for protecting critical configuration information or ENUM peering exchanges, or some other application. Then maybe it will be time to create DNSSec 2, with better design principles, more choices, and more deployment.
My guess is that it will see slow but steady uptake; the problem isn't so much the change in the basic packet format as the supporting servers, standards, and processes. For example, the products at my company, Nominum, fully support IPv6 but we haven't seen production use for DHCPv6, so we don't work on that product — there's little demand. People say similar things about firewalls and other security systems. Some folks welcome IPv6 as an opportunity to rethink and clean up their address allocation, network structure and the like, but that slows things down as well.
But I think and hope that the growth in IP-aware devices will lead to wider adoption, but I wouldn't bet on an IPv6 majority before 2010.
None the less I bet it will have to have simple underlying principles and framework. We have to recognize that the art is using complicated technology to produce simple and understandable results.
I can't wait.
But politics dictated that some names would be reserved even if not used, and organizations fight over the rights to present advertisements to users when they mistype names, and we added the ability to cache the fact that names or data did NOT exist in the system.
- Nowadays it seems that most new protocols are using DNS as a universal protocol to provide its signaling features, such as IP telephony (ENUM, SIP), white/black/grey spam lists, resource location, etc. What do you think about this kind of use of the DNS protocol?
That doesn't mean the DNS is suitable for complicated data types or other functions; those can be in higher levels of the configuration infrastructure, in things like AD and LDAP and the rest.
But DNS is faster and more distributed than any other database on the planet, has tens or hundreds of millions of euros of infrastructure deployed for caching, and is understood by every computer made in the last 5 years as well as most cell phones, DVR's etc — that makes it a powerful tool.
- In the last five years, it seems that the blackhat community are specially interested in taking down the internet through denial of service attacks against the RootServers. Do you think that this DNS core infrastructure and TLD Primary Servers are robust enough to face this problem?
This is more difficult for the TLDs, which are much larger, but the distribution of signed copies of entire zones is a way to strengthen the DNS with today's technology. Of course, technology isn't everything TLDs have to contend with different information protection laws; if I copy the .CAT database to the US, whose laws govern? Hopefully, ICANN can create some standard policies that solve most of these problems.
The last issue is that registrars and registries want to preserve the economic advantages they have by controlling the data, sometimes to the detriment of security.
- When the DNS was designed, it was considered to run in a non-hostile environment (ARPANET). Thus, it is a light operation-based protocol that doesn't consider other aspects such as security. What is your opinion about recent DNS secure extensions (DNSSec)? Which are its main benefits and disadvantages? Do you think that they will be massively deployed in the near future?
In practice, DNSSec is suffering. Its architects seemingly decided, immodestly and erroneously, that they would create a single perfect design and apply it across the whole Internet. For example, they created a design that meant that anyone could see the entire contents of a secure zone in order to create digital signatures for names that didn't exist. That was fine for some TLDs but anathema to others. A better design would have made this feature optional for each domain to choose, or left it for future implementations. Many issues like this stretched out the development schedule with revisions and redesigns, now more than a decade in progress.
In the mean time, government policies shifted back and forth on cryptography, and some countries want to restrict domain lookups to names that they say refer to child pornography, gambling, or just perhaps the "wrong" country, religion, or belief.
But there's hope. While I don't think we will see all of the present DNS database signed anytime soon, I think we will see application of DNSSec for some special applications, perhaps in intranets for protecting critical configuration information or ENUM peering exchanges, or some other application. Then maybe it will be time to create DNSSec 2, with better design principles, more choices, and more deployment.
- Our Catalunya Neutral Internet Exchange (CATNIX) has deployed a root nameserver F mirror that improves the service to the Catalan community. From your perspective, which are the benefits of mirrors like the one at CATNIX for the rest of the internet?
- Both Anella Científica —the research&academic network in Catalunya— and CATNIX allow IPv4 and IPv6 communications, but most of the institutions are doing a limited use of IPv6 yet. From a global point of view, could you say that it is being adopted progressively by most companies, military agencies, government, etc.? What do you think about its mid-term and long-term future considering the recent comments against it?
My guess is that it will see slow but steady uptake; the problem isn't so much the change in the basic packet format as the supporting servers, standards, and processes. For example, the products at my company, Nominum, fully support IPv6 but we haven't seen production use for DHCPv6, so we don't work on that product — there's little demand. People say similar things about firewalls and other security systems. Some folks welcome IPv6 as an opportunity to rethink and clean up their address allocation, network structure and the like, but that slows things down as well.
But I think and hope that the growth in IP-aware devices will lead to wider adoption, but I wouldn't bet on an IPv6 majority before 2010.
- Finally, what is your vision on the future of internet?
None the less I bet it will have to have simple underlying principles and framework. We have to recognize that the art is using complicated technology to produce simple and understandable results.
I can't wait.
| Paul Mockapetris, the
inventor of the Domain Name System (DNS), is Chief
Scientist and Chairman of the Board at Nominum,
Inc. His mission is to help guide DNS and IP
addressing to the next stage. Paul created DNS in the 1980s at USC's Information Sciences Institute where he was later the Director of ISI's High Performance Computing and Communications Division. Throughout his career, he has contributed to the computing research community and to the evolution of the Internet. His earliest work at UC Irvine on distributed systems and LAN technology preceded the commercial Ethernet and Token Ring designs. At ISI, after working on the design of the SMTP protocol for email and its first implementation as part of the birth of the Internet in 1983, Paul Mockapetris took on the challenge of designing DNS, and then operated the original "root servers" for all Internet names. After the formal creation of the Internet Engineering Task Force (IETF) in 1986, DNS became one of the original Internet Standards; the IETF continues to be the focus of new applications and extensions to DNS. He has been associated with the IETF since its creation, chaired several DNS and non-DNS working groups, and was Chair of the IETF from 1994 to 1996. Paul Mockapetris was program manager for networking at ARPA in the early 1990s, supervising efforts such as gigabit and optical networking. From 1995 on, he held leadership roles at several Silicon Valley networking startups, including @HOME, Software.com (now OpenWave), Fiberlane (now Cisco), and Siara (now Redback Networks). He has dual BS degrees in Physics and Electrical Engineering from MIT, and a PhD in Information and Computer Science from the University of California, Irvine. |
 |