[Note for 2017-09-18 release: it seems in light of recent events withgab.ai th

1. [Note for 2017-09-18 release: it seems in light of recent events with
2. gab.ai the DNS chokepoint hazard is less theoretical than I had
3. thought, so I am releasing some of my partially finished notes toward
4. a possible solution. It is an unfortunate irony of history that the
5. defense of our network against infrastructural centralization hazards
6. becomes more urgent in connection with such distasteful people; if
7. they were in a position of sufficient cultural influence to do so,
8. they'd surely censor ten times as aggressively.]
9.  
10. Objective:
11. ----------
12.  
13. Protocol participants communicate amongst themselves to learn a set of
14. transactions applying to one or more domain suffixes to which they subscribe.
15. For each domain under that suffix for which a homestead and zero or more
16. transfer of ownership transactions exist, they must resolve any conflicts
17. among the transfers of ownership in such a way as to be consistent and to
18. converge to global agreement in bounded time, so that all protocol
19. participants agree on an owner's public key for each domain. Then they
20. may merge together DNS record transactions signed by the owner's public key
21. to construct a zone file, which can be supplied to a bind instance to
22. resolve names under the subscribed suffixes.
23.  
24. Scalability:
25.  
26. - This is a protocol that requires each participant to store full
27. transaction history for domains they care about resolving, and for
28. any peer which wishes to construct a full zone file will need every
29. domain, so enumeration should be possible.
30.  
31. - Well, almost. If a domain lapses and is re-homesteaded, it would be
32. safe for participants to discard the earlier, lapsed chain of ownership.
33.  
34. - I believe this is much less problematic than in the case of bitcoin,
35. because the typical domain changes hands infrequently. If this is
36. used the way existing domain registrars are, I believe the typical
37. domain will have only a homestead record and keepalives on the order
38. of once every few years transferring ownership to the same set of
39. keys. It should be reasonable to expect on the order of, say, a 128-
40. byte transaction per five years of history per active domain.
41.  
42. - Per Verisign [1], there are about 127M domains in .com and .net, with
43. an increase of about 5% year-over-year (i.e., net increase of 6.1M
44. domains), with 8.2M registrations in one quarter. Extrapolate to 32.8M
45. new registrations per year, and conclude there were 26.7M non-renewed
46. expirations, for a domain life expectancy of about 4.5 years.
47.  
48. - So, if we have a 128-byte transaction every time someone homesteads a
49. new domain or every five years thereafter as a keepalive, we generate
50. 3.9G per year of new registration transactions at the scale of the current
51. registrar system, and per name we have a 20% probability per year to need
52. a keepalive, and a 50% probability to actually execute it generates a
53. somewhat longer life expectancy than the current system. That would
54. lead to about 12.7M 128-byte keepalives annually, or about 1.5G of them.
55. In total, annual transaction traffic would be 5.4G, or about 184 bytes/
56. second.
57.  
58. - The assumptions in the preceding paragraph lead to Poisson-distributed
59. domain ages, with 384 bytes of transaction history for the typical
60. domain. The total size of the transaction set needed to the full
61. domain<->owner key table will be about 45.5G.
62.  
63. - What about bringing up new nodes? Hopefully by the time this ever gets
64. pushed to those extremes the disk space requirements will be reasonable,
65. but it could still be days to download that much with moderately near-
66. future tech.
67.  
68. Unresolved:
69.  
70. - Timestamps in TAI or UTC? Need to compute lengths of intervals potentially
71. in the far future accurately for proof of work.
72.  
73. - Maybe a few leap seconds don't matter and we can just define a length
74. metric that pretends they aren't there.
75.  
76. (peer, domain) relations:
77. -------------------------
78.  
79. Each peer (participant in the transaction exchange protocol), shall have
80. one of the following states with respect to each name:
81.  
82. * Seeder
83.  
84. - This peer stores the full transaction history for the domain and can
85. serve it to others; it would like to be informed of any new transactions.
86.  
87. * Seeker
88.  
89. - This peer knows some transactions but isn't sure it has the whole
90. history; it's trying to become a seeder and would like to be informed
91. of any new transactions
92.  
93. * Ignorant
94.  
95. - This peer has no transactions for this name and hasn't looked. It is a
96. nonparticipant in the protocol with respect to this name.
97.  
98. * Unbeliever
99.  
100. - This peer has sought transactions for this name and found none; it
101. believes the name is unused.
102.  
103. Transaction types:
104. ------------------
105.  
106. Transaction IDs shall be SHA-256 hashes over serialized transactions with
107. all signature fields replaced with zeroes.
108.  
109. Origin of transaction chain for domain suffix (ORIGIN transaction):
110.  
111. - Domain suffix
112. - Random nonce
113. - So that in the case of conflicting uses of a domain suffix
114. (e.g. internal domains), the transaction IDs will be unique.
115. - [optional/maybe reference to origin of chain / ownership transaction plus
116. signature for suffix, to enable recursive application?]
117.  
118. Homestead transaction for domain (HOMESTEAD transaction):
119.  
120. - Transaction ID of ORIGIN
121. - A name which is a valid DNS label per RFC 1035
122. - That is, 1-63 case-insensitive letters, digits or a '-'
123. - valid_after and valid_until timestamps, with valid_after < valid_until
124. - A list of N_k >= 1 owner public keys
125. - TODO choice of crypto algorithm? Support for multiple algorithms?
126. - Integer valued thresholds n_zone, n_transfer such that
127. 1 <= n_zone <= N_k and 1 <= n_transfer <= N_k
128. - A proof of work to slow mass namesquatting
129. - TODO define the proof of work scheme
130. - The difficulty should be proportional to the duration of claim
131. valid_until - valid_after; to ensure it is possible to compute this
132. duration exactly, timestamps should be in TAI, not UTC.
133.  
134. Transfer transaction:
135.  
136. - Transaction ID of origin and of homestead or previous transfer
137. - A list of N_k > 1 owner public keys, threshold parameters as in
138. the homestead transaction
139.  
140. Abandon transaction?
141.  
142. BIG INTERESTING UNKNOWN:
143. ------------------------
144.  
145. - Given multiple independent homesteads for a name, or a multiple transfer,
146. equivalent to a double-spend in a cryptocurrency, how do we reach consensus
147. on ordering?
148.  
149. - This is the problem a blockchain solves, but note that transactions can
150. only conflict here when they are for the same name; the space of
151. transactions partitions in a huge number of independent ordering domains,
152. each with very tiny volume and forgiving latency demands. There must be
153. a way to exploit this to be more efficient than a blockchain and avoid
154. quadratic scaling or requiring all nodes to store every transaction.
155.  
156. - This is why approaches like Namecoin or Ethereum-based systems are
157. inappropriate; they have no notion of transactions being commutative and
158. force everything to be a total order. I'm hoping for something much
159. more lightweight here.
160.  
161. Usage:
162. ------
163.  
164. Once a database mapping names to owner key sets exists, the rest is trivial.
165. We can complete the system with a distributed hash table; domain owners publish
166. zone file fragments containing NS, A/AAAA and DNSSEC records for their names,
167. signed with their keys. Since these all come from a single administrative
168. entity per name, we can disambiguate order with a sequence number and have no
169. need to use a blockchain or whatever more lightweight construction we use for
170. the owner public keys themselves.
171.  
172. We can consider at least the following types of implementation:
173.  
174. - Full node that tries to learn all possible names for a particular origin
175. transaction; this can then, e.g., generate a zone file to be supplied to
176. an external name server
177.  
178. - Local DNS server or resolver library that tries to discover and cache
179. history for a particular name on first access
180.  
181. Adoption strategy:
182. ------------------
183.  
184. Alternative name systems have historically been hamstrung by network effects;
185. what good is a name no one can resolve? Why should I take the trouble to set
186. up someone's weird new DNS gateway to resolve a handful of names? To that
187. end, I propose operation as a third-level domain in full node mode. A
188. conventional DNS server can expose the content of distributed registrar
189. database to naive DNS clients, thus making names immediately useful. It
190. doesn't fully gain the trust or censorship-resistance advantages for those
191. clients, since such a server operator can potentially be pressured, although
192. the presence of the distributed registrar for comparison would make anything
193. of that nature immediately transparent.
194.  
195. Then, for aware clients, we gain a censorship resistant name system, but we
196. also gain a trustworthy DNSSEC root. Adding a record type parallel to SSHFP
197. for certificate fingerprints would then suffice to provide the equivalent of
198. domain validation-level certificates and significantly lessen the CA problem.
199. Finally, for domain operators we can provide freedom from privacy hazards
200. such as WHOIS Accuracy [2].
201.  
202. [1] https://www.verisigninc.com/assets/domain-name-report-april2014.pdf
203. [2] https://www.easydns.com/blog/2014/01/21/icann-unleashes-deadliest-ddos-attack-vector-of-2014/