Talk:Domain Name System/Draft

comment
This article is developing nicely. Thanks to those who have contributed. I think it would benefit from an overview or introduction which briefly explains what DNS is, when it was first rolled out, etc., for those who are not yet familiar with the technology. After all, DNS is a function largely hidden from many computer users who do not delve into the details of how networks are implemented, so even some savvy computer scientists might not know much about it. I appreciate what has been done so far; keep up the good work! Pat Palmer


 * Thanks, Pat. While I'm more a subspecialist in routing than DNS, I'm certainly comfortable with it, but for some reason, this is a painful article to write.


 * When you speak of the introduction, are you including some of the business and political issues, very important in absolutely current policy meetings, that are dealing with matters such as the creation of a large number of new top level domains? There is a very real collision between the original technical purpose of DNS, and business issues it was never designed to address. To some extent, there are people in business that are trying to coerce the DNS to be a search engine, which doesn't work well both from the technical and intellectual property/trademark law areas. Howard C. Berkowitz 15:42, 5 July 2008 (CDT)


 * I think I'd put the discussion of today's politics in a special section. For the intro, I was thinking of describing, for the youngsters who might not remember, what a big innovation DNS initially was--translating raw IP addresses into user-friendly domain names, and vice versa.  Also worth mentioning, I think, is how the entire internet managed to cut over to the use of DNS all at once in, was it '83?  Only after describing what it is, and how important it was and is, would I go into all the technical details, the stuff that you are very expert in.  This is becoming a great article; keep it up! Pat Palmer 18:46, 5 July 2008 (CDT)

Moving to closure on the "capstone" article
I don't want to put that much more into this article rather than subarticles. If things seem too detailed, let me know, but remember there should be a little introduction rather than simply linking to DNS security and the like.

Things that I didn't think needed to be here--should they be?


 * Recursive versus iterative resolution
 * More than a casual definition of caching
 * Load sharing with tricks like round robin multiple addresses on the A record
 * Any detail about subdomains, either nondelegated or delegated.

Howard C. Berkowitz 18:11, 8 October 2008 (CDT)

Nice intro!
Wow, nice introduction! I will try to read in detail in the next coupla days (but off to sleep tonight). This has evolved into an excellent article! Pat Palmer 21:03, 8 October 2008 (CDT)


 * One thought. Might you say something about resiliency?  I think there's some high drama that we could mine here to make this article interesting even to those readers who are not geeks.  Haven't there been some attempts to crash the name service (and thus the internet as a whole)?  If I recall, there are 12 or so BIG name servers in the sky, so to speak, and though these recent attacks might have brought down a few of them, some always remained, enough to keep the net at least limping along, which was one of the key goals of its original designers.  This issue (I hope I recall correctly) should be mentioned somewhere near the top of the article, perhaps in a paragraph of its own entitled "resiliency" or something or other, because it is one of the truly remarkable things about DNS that it is distributed and not centralized and so it's really not all that easy to kill the whole thing.  Or so we hope (and so evidence has thus far shown).  I haven't read all the article yet, so if this is already well covered, please forgive, in which case, maybe we can bubble it towards the top somehow. Pat Palmer 21:09, 8 October 2008 (CDT)

It's twistier and turnier
...than it looks. Officially, there are the twelve named root servers, A through M. If you look at the actual number of boxes and their locations, however, at http://www.root-servers.org/, you'll find there are 166 actual servers, quite widely distributed.

How do they do that? Well, this is one of the reasons that I wrote anycast, which I hope is close to approval. As you suggest, there are 12 addresses for name servers, but almost all of them are actually anycast addresses. In the anycast article, which does have some DNS examples but not at the root, you'll see how it introduces automatic loadsharing by means of geographic distribution of many instances of the same server. These servers are especially good for anycast, since they are essentially read-only: no synchronization required.

A good question is whether resiliency does need to be brought out an article, simply defining the metrics. Indeed, availability is tricky. It's one thing if there is a 24/7 commitment. Now, assume a machine is 9 to 5. The tech gets there at 4 and stays all night. It's back up at 10 the next morning. How many hours of downtime were there? This is not as obvious as people first think; it gets into contractual language.

Also, you may want to look at multihoming as yet another means of resiliency. Howard C. Berkowitz 21:36, 8 October 2008 (CDT)


 * Howard, I really like your explanation here and I will be looking for the right way to fold this into the article itself. Pat Palmer 23:53, 23 October 2008 (UTC)


 * How much should be here, and what about a general availability article? I really like that "how many hours was it down" question to get people thinking, a variant being "if it didn't work between 6PM and 6AM, was it down at all?" Of course, some of this is in anycast, but only DNS as an incidental comment. I'll probably drop you an email; I must go and see to the bread I have rising. Howard C. Berkowitz 00:08, 24 October 2008 (UTC)

Thinking about Pat's comment about resiliency
Should a sub-article only address resiliency, which is often considered a response to accident, disaster, or component failure, as opposed to DNS vulnerabilities and attack mitigation? Her mention of a denial-of-service attack on the root servers really falls somewhere in between. Incidentally, see ; the servers that denied service apparently were the only ones for which anycast backup had not been implemented.

Other attacks are far more specific to DNS than denial-of-service on the root servers, such as the recent attack described by Kaminsky on DNS cache poisoning. Prevention of such an attack probably will require at least DNS security, but operational techniques such as "trusted DNS" only accessible to a closed community of ISPs are an additional measure. Where is the balance between the resiliency, vulnerability, and DNSSEC articles?

Howard C. Berkowitz 08:18, 10 October 2008 (CDT)

Plans for this article
Howard, if I understand correctly, you're hoping to move this article towards approval. I think all the basic building blocks are assembled here. Yet, I'd like to make a stab at editing on it at some point. Unfortunately, I don't have a lot of free time right now, and the next block of leisure time I see in my future is Thanksgiving weekend. So if you're not in too big of a rush, I'd like to chew on this a bit more. I need to "study up" a little first, and then of course, it will need your feedback. I'm sorry to be so slow! You've done a fabulous job on this. My goals will be to make it slightly more organized and readable for non-experts while, hopefully, retaining all the good detail you've put in. Also, to make it more compelling as a topic for the uninitiated; it's an extremely important part of the internet and was introduced in a dramatic way all at once in (was it 1983?) and fortunately the average Joe the Plumber can take it absolutely for granted most of the time. Anyway, congratulations on doing such a great job on this, and please bear with me if I try to edit it a bit here and there. It will not be for technical content but for overall tone and style or something mushy like that. Pat Palmer 23:51, 23 October 2008 (UTC)


 * P.S., one thing I'll probably do is remove the boldface type; style guidelines, I believe, suggest that only the article title be bolded the first time it is used. I think we can achieve an appropriate amount of emphasis, in most cases, by moving the information up, and by (sometimes rather radically) rewording the way the information is imparted.  If this makes no sense, please wait and I'll try my hand and you are welcome to grouse if you don't like the outcome; we can always revert! Pat Palmer 23:56, 23 October 2008 (UTC)


 * No problem. This is meant as a capstone introduction, and we might decide some material, or perhaps the level of detail of presentation, belongs in a subordinate article. The ideal would be to think of it as a part of a set, and, since my whiteboard isn't up in temporary quarters, may try to put not just DNS, but the twistiness and turniness with which a lot of things are coming together: DNS, IPv6, IPSec, PKI, DNSSEC (which is probably confusing because it really isn't ready for prime time), and a few other things. I'm also thinking about where QoS and availability go; I'm tempted to update some of my book text in those areas.


 * It may well be that you will have a better rewording for this article, and the wording that I have belongs somewhere in the tree below. You probably have a better sense of the beginner than I do; it's been a long time since I did introductory networking classes. Actually, I largely got out of teaching when it became a matter of teaching Cisco certification test rather than the subject.


 * As far as Joe the Plumber, a master plumber once gave me some of the Laws of Plumbing. "Water runs downhill" is #3. #2 is "Anyone can run water pipe; only real plumbers can vent." The First Law, however, is relevant to networks: "If it don't leak, don't fix it." Howard C. Berkowitz 00:05, 24 October 2008 (UTC)

Comments & questions
Nit-picking: intro has "translates to and from raw IP addresses and domain names". Would it be clearer as "translates in both directions between raw IP addresses and domain names"?

BIND is mentioned. Certainly it is the commonest, but what about other DNS implementations? Bernstein's is fairly widely used, especially for people who only need a caching server, not authoritative, e.g. on firewalls for small organisations. There are others.

I hate to ask, but is there a Microsoft DNS server? Do we need a link to some coverage of how naming on an MS or Novell network interfaces to DNS? Or how an SNA network does? I am emphatically not suggesting those topics should be covered in any detail in this article, but a sentence and a link each might be needed.

There's quite a bit of detail on setting up an authoritative name server. Obviously, that belongs somewhere in an encyclopedia, but is this the right place? Or should some text move to lower level articles, perhaps DNS administration, leaving this as a higher-level overview? On the other hand, I see mention of caching-only servers, but nothing on setting those up. Should that be added?

RFC 4322 proposes using DNS to manage keys for IPsec. Sandy Harris 15:26, 31 October 2008 (UTC)


 * And there's a Domain Name System security subarticle where that is mentioned; that may be the place for it, or there may be a need for yet another subarticle on Domain Name System support for IPSec (or IPSec use of DNS, or various redirects). The question was whether it should be mentioned at all here. As I see this article's role and level, I definitely would not give the RFC here. The question is how little, not how much, is necessary and sufficient for the top-level article.

Editing per Howard's request
Today I have begun in-depth editing of this article per Howard Berkowitz' request. I am going to catalog my major revisions and suggestions below. I expect this will take several days. My approach is to read top-down and assume that I know not-too-much about computers. This article is currently nicely written at the appropriate level for college CS students, which is great, but I also think we can make it accessible to those with less prior background in telephony and networking, and you will see my efforts along the way towards that end. Pat Palmer 13:55, 13 February 2009 (UTC)

Summary of Pat's edits:
 * 1) Revised the wording of the intro to make it simpler and more self-consistent. Pat Palmer 14:19, 13 February 2009 (UTC)
 * 2) Provided a small stub article defining what an IP address is. Pat Palmer 14:19, 13 February 2009 (UTC)
 * 3) Moved the TOC down below the opening paragraph; I strongly feel that people should be allowed to peruse the introduction without interference from the TOC. Pat Palmer 14:19, 13 February 2009 (UTC)
 * 4) I added a discussion of the binding concept to the bottom of the intro, because it is one of the guiding principles of systems design that is now implemented all over the place, and DNS was the first great implementation of it. Pat Palmer 17:04, 13 February 2009 (UTC)
 * 5) I added resiliency and security as article topics in the intro (though I tried to hint that this may be covered in related sub-articles). Pat Palmer 17:04, 13 February 2009 (UTC)
 * 6) I tried to define the goals in the intro: 1) explain what DNS does, 2) explain how it does it, 3) clarify why it's not the same as a search engine (and should not be), 4) discuss its critical role to the internet, and thus the importance of protecting it from the growing press of attacks while keeping it useful. Pat Palmer 17:04, 13 February 2009 (UTC)
 * 7) Don't look too closely at the history; I managed to delete most of the article by accident and had to restore it (a very messy process, had to figure out how to do it). Pat Palmer 17:04, 13 February 2009 (UTC)

need simple overview, probably before History section
I'm mulling about adding an overview section of how DNS works (at a fairly high level, but with lots of specific examples) for lay people, probably before the History section. I feel we need the 10,000 mile high view before delving into all the dirty details. Pat Palmer 17:06, 13 February 2009 (UTC)