Re: Number of Firewall/NAT Users

[Stephen Kent <kent at bbn.com>]

Ed,

> <snip>
>
> Perhaps we agree that DNS names depend on IP numbers as part of their trusted
> context, but IP numbers do not depend on DNS names.
>
> However, certain design choices in the evolution of the DNS,
> since long ago, have made users fully dependent on the DNS for
> certain critical Internet services -- which choices further
> strengthened the position of DNS name registration as the single
> handle of information control in the Internet.  And, in a
> reverse argument, its single point of failure.

> Indeed, the DNS was never intended to be essential to the
> Internet, since all Internet hosts are accessible by their
> IP numbers alone -? however, those engineering choices in the
> design of the resource records and various e-mail protocols make
> it nowadays impossible for an average user to send or receive
> e-mail in the Internet without a DNS service.  In short, DNS names
> have become the addresses of mailboxes and the addresses of
> e-mail forwarders in MX resource records.  Or, you are required to
> have a matching reverse DNS that you do not have. Which is
> another misplaced requirement, since why should you trust a second
> query to a system you do not trust in the first place? This is also
> relevant in terms of failure and control analysis because the e-mail is
> by far, the most important application on the Internet for many users.

Prior to the existence of DNS, we relied on the hosts.txt file which 
was maintained at a central site and downloaded (typically daily) by 
all the hosts. There has long been a reliance on a name to address 
translation facility because addresses are unacceptable as human user 
inputs to applications and because network management requires an 
ability to change the address of a host.  (In the ARPANET days, the 
host addresses were derived from IMP port numbers, so any move of a 
host from one port to another, e.g., due to a local hardware or comm 
line failure, required changing the address of the host.) So I can't 
agree with your assertion that the DNS (or an equivalent name to 
address mapping service) was never intended to be essential to the 
Internet

> Further, by placing the decisions of network address assignment
> (IP numbers) together with DNS matters under the ruling of one
> private policy-setting company (ICANN), we see another example
> of uniting and making all depend on what is, by design, separate.
> The needs of network traffic (IP) are independent of the needs
> of user services (DNS). They also serve different goals, and
> different customers. One is a pre-defined address space which
> can be bulk-assigned and even bulk-owned (you may own the right to
> use one IP, but not the right to a particular IP), the other is
> a much larger and open-ended name space which cannot be either
> bulk-assigned or bulk-owned. They do not belong together.

They are separated one level down from ICANN, where we have TLDs for 
names that are distinct from regional registries for addresses and 
other numbers. Having one group coordinate these two distinct 
assignment activities offers benefits, since both need some central 
management authority, as well as drawing criticism.

Steve