[Freedombox-discuss] p2p-dns [was: Call for Ideas - GNU in Google Summer of Code 2011]

[Luke Kenneth Casson Leighton]

On Fri, Mar 4, 2011 at 6:18 AM, Rodrigo Rodrigues da Silva
<pitanga at members.fsf.org> wrote:

> I've setup a wiki page[1] on LibrePlanet for the sake of organization.
> Please check this page for useful information and other packages' ideas.
>
> To provide your ideas list:
> 1. edit the wiki[1] as instructed there AND
> 2. send an e-mail to summer-of-code at gnu.org notifying us about your
> submission

 i've added p2p-dns because to have such a service is, i believe,
critical to internet freedom in the face of the breakdown of trust
placed by the world's internet users in the U.S. Government to
maintain the top-level .com domain.  as demonstrated by the "seizure"
of domains recently, which have included some ACCIDENTAL seizures.
seizure of .com domains is a breach of Sovereignty of a Sovereign
State's right for its Internet Citizens to register and own domains,
and as such, the U.S. Government's actions are extremely serious, and
their breach of trust has irreversibly changed the world.

 we cannot, however, specify that some other government should take
over the top-level DNS.  that places control into some other
organisation in some other country, which will be as equally
irresponsible, or seek to impose _their_ country-wide rule of law onto
the rest of the world.  china, for example, having laws which are
deemed appropriate for their citizens, cutting off access to certain
domains that are viewed by the majority of the world as appropriate.

 therefore, the only solution is to create truly peer-to-peer,
non-centralised, non-controllable DNS, that works by consensus but
allows individual overrides in the cases where there is a conflict or
discrepancy of a particular DNS name resolution request.

that awkward-sounding sentence translates to the following potential
algorithm [as an example algorithm which fulfils these requirements,
which are themselves clearly justified as a necessity not a nicety,
and is given as an example in no way stating that this example is an
authoritative or dictatorial statement of intent to demean or override
any other examples that any individual or organisation might come up
with.  i state this explicitly because some people may view the fact
that it is me, lkcl, outlining the algorithm below, and may, as tends
to happen with alarming frequency, misunderstand and assume that i
wish to make myself some sort of authority over them or otherwise
assume that am running some sort of hidden agenda which simply doesn't
exist.  no, i don't get it, either, but it happens too often for me to
ignore, and this issue is too important to be jeapordised by someone
getting into a pissing contest because they think i need "taking down
a peg or two".  anyway - onwards with the example, sad but necessary
preamble ends].

 * if using standard DNS, but the answer isn't what someone expects,
they can go to a "special page" and enter a manual override IP address
[presumably only intelligent people will do this - you don't need many
of those]

 * the overridden answer domain.co->1.2.3.4 goes into a p2p
distributed database [e.g. cached DHT]

 * if the number of overrides entered goes above a certain predefined
threshold "weight", where users who have GPG-signed the overrides are
given more "weight", and other users who have an openca certificate
(TBDiscussed) have extra "weight", etc. etc., other methods TBD, then
by default the p2p entry is returned over-and-above the "standard" DNS
response.

 * if the number of overrides is not enough, 127.254.254.254 is
returned (or IPv6 equivalent) which is designated a "special" IP
address, there is an HTTP page there advising users what to do; there
is an SMTP server running which returns, again, a "bounce" message
saying "take action by visiting http://127.254.254.254", etc. etc.
[this is exactly the same sort of principle that hotels deploy on
their "pre-pay" internet services, so i see absolutely no problem with
advocating it for use in this scenario]

this provides "consensus" in the same way that cloudmark distributed
SPAM servers (razor/pyzor) provide "consensus", so that the majority
of users do not have to even know that there is a problem; it also
provides a simple web-based user interface for entering DNS entries on
users' own machines.  copying something like dyndns.com (or
easily.co.uk) web interface which has a "wizard" as well as an "expert
mode" would be good: there probably exists a free software package for
managing domain zone files somewhere, already, and if the basis of the
code started from python oak-dns that would mean that the GSoC student
could get up-and-running pretty damn quick [oak-dns reads bind-style
named.conf and zone files, already: the only thing oak-dns doesn't
have is DNSSEC. afaik.  that can come later].

please feel free to discuss, and perhaps come up with some alternative
algorithms, such that the GSoC student's task is made somewhat easier
by the time it comes to it.

once again, this is a quite complex technical area that, i believe,
would appeal to a certain kind of GSoC student, who feels that they
would be helping solve some quite serious fundamental flaws with the
present internet infrastructure and is making a significant
contribution.  thanks to existing technology and software, it is in
some ways more about plugging existing bits of code together from
quite disparate sources: it's not like it's necessary to redesign a
replacement to DNS from scratch [that's not gonna happen], or even to
rewrite a DNS client or server from scratch.

l.



> [0]
> http://www.google-melange.com/document/show/gsoc_program/google/gsoc2011/timeline
> [1] http://libreplanet.org/wiki/GNU_application_for_Summer_of_Code_2011