Noel Chiappa <jnc(a)mercury.lcs.mit.edu> wrote:
> It's perhaps worth noting that today's DNS is somewhat different from the
> original; some fairly substantial changes were made early on (although maybe
> it was just in the security, I don't quite recall).
The key early changes were described in RFC 973 (1986): bigger TTLs,
MX records, CNAME and wildcard clarifications.
Next, I think, was NOTIFY / IXFR / UPDATE in 1996/7 which made the whole
system (potentially) a lot more dynamic.
RFC 2181 (also 1997) is important because it includes the standardized
pre-DNSSEC answer to the 1990s cache poisoning attacks found by Bellovin
and others. (Though I think a lot of this was put in place well before the
RFC was published.) This greatly restricted the gossip protocol aspect of
the DNS (records in the additional section).
There was a lot of churn related to IPv6 easy renumbering, which has all
been thrown away apart from DNAME.
There was also a lot of churn around DNSSEC, going right back into the
1990s, which finally settled on what we have now by about 2008. Along the
way they discovered a lot more unclarified edge cases in things like
wildcards. DNSSEC turned the DNS into a somewhat half-arsed PKI. It could
also allow implementations to bring back gossip, though there are
performance and packet size constraints that make it tricky.
The half-arsedness of DNSSEC is mostly related to the administrative
aspects of registrations and transfers and so forth, which are frequently
not very confidence-inspiring. Some of this is due to the way EPP works
(and its predecessor the registry-registrar protocol), but it's mostly
because there's no standard interface between domain owners, DNS
operators, and registrars. (And registrars don't want one because it would
commoditize them. There's probably a David Clark-style Tussle in
Cyberspace case study in here somewhere.)
Tony.
--
f.anthony.n.finch <dot(a)dotat.at>
http://dotat.at/
work to the benefit of all
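The RFC 2181 point above (ranking the trustworthiness of received data and refusing to let additional-section "gossip" overwrite better data) is easiest to see as resolver logic. The following is an added example written for this page, not code from the post or from any resolver: the record model, the cache and the sample response are constructed, and the in-bailiwick filter it applies to additional-section records is the common resolver practice rather than text from RFC 2181 itself, which only ranks the sections (section 5.4.1).

```python
"""Simplified RFC 2181 section 5.4.1 trustworthiness ranking, combined with
an in-bailiwick filter on additional-section records, as a caching resolver
might apply them before accepting data. Constructed illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a response message."""
    name: str      # owner name, fully qualified, e.g. "www.example.com."
    rtype: str     # "A", "NS", "MX", ...
    rdata: str     # textual RDATA
    section: str   # "answer", "authority" or "additional"


def rank(rr: RR, aa: bool) -> int:
    """RFC 2181 s5.4.1 ordering of unauthenticated data, highest first.
    Zone-file and zone-transfer data rank above all of these and are
    omitted. Additional-section data and the authority section of a
    non-authoritative answer share the lowest rank."""
    if rr.section == "answer":
        return 5 if aa else 3
    if rr.section == "authority":
        return 4 if aa else 2
    return 2  # additional section, regardless of the AA bit


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive labels).
    Common resolver practice, assumed here; not spelled out in RFC 2181."""
    z = [lab for lab in zone.lower().split(".") if lab]
    n = [lab for lab in name.lower().split(".") if lab]
    if not z:
        return True  # the root zone contains every name
    return len(n) >= len(z) and n[-len(z):] == z


class ResolverCache:
    """Minimal cache keyed by (name, type). Each entry remembers the rank of
    the data it came from, so lower-ranked data never overwrites it."""

    def __init__(self):
        self.entries = {}  # (name, rtype) -> (rank, rdata, answer_ok)

    def insert(self, rr: RR, r: int) -> bool:
        key = (rr.name.lower(), rr.rtype)
        old = self.entries.get(key)
        if old is not None and old[0] > r:
            return False  # RFC 2181: less trustworthy data must not replace better data
        # Rank-2 data may be cached but must never be returned as the answer
        # to a query; it may only be handed out as additional information.
        self.entries[key] = (r, rr.rdata, r >= 3)
        return True

    def answer(self, name: str, rtype: str):
        """RDATA usable as an answer, or None if absent or answer-ineligible."""
        e = self.entries.get((name.lower(), rtype))
        return e[1] if e is not None and e[2] else None


def process_response(cache: ResolverCache, response, zone: str, aa: bool):
    """Apply the bailiwick filter, then the ranking, to every record in a
    response from a server for `zone`. Returns rejected records with a reason,
    which is what a defender would want to log or alert on."""
    rejected = []
    for rr in response:
        if rr.section == "additional" and not in_bailiwick(rr.name, zone):
            rejected.append((rr, "out of bailiwick"))
            continue
        if not cache.insert(rr, rank(rr, aa)):
            rejected.append((rr, "lower rank than cached data"))
    return rejected


# Constructed response to "www.example.com. A?" from a server authoritative
# for example.com. (AA bit set). The last record is the kind of unsolicited
# additional-section gossip that the 1990s poisoning attacks relied on.
SAMPLE_ZONE = "example.com."
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.1", "additional"),
    RR("www.other.example.", "A", "192.0.2.66", "additional"),
]


def demo():
    cache = ResolverCache()
    # The resolver already holds an authoritative answer for the name the
    # bogus additional record tries to overwrite (constructed value).
    cache.insert(RR("www.other.example.", "A", "198.51.100.5", "answer"), 5)
    rejected = process_response(cache, SAMPLE_RESPONSE, SAMPLE_ZONE, aa=True)
    return cache, rejected


if __name__ == "__main__":
    cache, rejected = demo()
    for rr, why in rejected:
        print(f"rejected {rr.name} {rr.rtype} {rr.rdata}: {why}")
    print("www.example.com A ->", cache.answer("www.example.com.", "A"))
    print("ns1.example.com A ->", cache.answer("ns1.example.com.", "A"))
    print("www.other.example A ->", cache.answer("www.other.example.", "A"))
```

Two things are worth noting in the output: the in-bailiwick glue for ns1.example.com is cached but `answer()` refuses to return it, which is exactly the RFC 2181 rule that lowest-ranked data may be used as additional information but never as an answer; and even without the bailiwick filter the bogus www.other.example record would fail to displace the higher-ranked entry already in the cache.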