Reading about blockchain technology all around the web, I also started to think about possible uses of this technology. What comes to my mind almost immediately is the idea of a decentralized DNS. After all, the internet is built to be decentralized, so why should this be limited by the DNS being de facto controlled by a single institution?
Domain names are organized in a tree hierarchy. In my case, I own the domain kabele.me and I may therefore create whatever subdomain I choose, which will be fully controlled by me. This also works in the opposite direction. My domain is a subdomain registered with the administrator of the .me domain (here the private company domain.me). I pay them and they in exchange let their nameservers carry a pointer to my domain.
We may continue to the root of the tree, where the administrator of the .me domain must pay the company known as ICANN, which manages the special domain "." and a set of so-called root nameservers.
The listing below illustrates a query for the root nameservers.
$ drill NS . @18.104.22.168
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29943
;; flags: qr rd ra ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .	IN	NS

;; ANSWER SECTION:
.	60042	IN	NS	m.root-servers.net.
.	60042	IN	NS	b.root-servers.net.
.	60042	IN	NS	c.root-servers.net.
.	60042	IN	NS	d.root-servers.net.
.	60042	IN	NS	e.root-servers.net.
.	60042	IN	NS	f.root-servers.net.
.	60042	IN	NS	g.root-servers.net.
.	60042	IN	NS	h.root-servers.net.
.	60042	IN	NS	a.root-servers.net.
.	60042	IN	NS	i.root-servers.net.
.	60042	IN	NS	j.root-servers.net.
.	60042	IN	NS	k.root-servers.net.
.	60042	IN	NS	l.root-servers.net.

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 16 msec
;; SERVER: 22.214.171.124
;; WHEN: Wed Dec 8 21:35:35 2021
;; MSG SIZE rcvd: 228
This system is basically built as a decentralized key-value store and it has proved to be very robust. Its main weakness is a property of all tree structures – it has a single root, which is a single point of failure. And the failure might be either technical, such as broken root servers, or political. If your TLD becomes “harmful”, ICANN may theoretically decide to remove its record from the root servers. Such a step would probably have severe political implications, but it is possible in theory.
It should be noted that ICANN's root is not the only one in existence. Other DNS “trees” exist, whether they are research-motivated or projects of governments with an obvious appeal to censorship. A list of them is in the Wikipedia article.
The obvious question in the age of “blockchainize everything” is: Is it possible to build a DNS on the blockchain?
A short Google search unsurprisingly revealed that many people have already tried to implement such a thing, so the answer is probably yes. The most notable examples are the Ethereum Name Service (ENS), Namecoin and Unstoppable Domains.
These projects are certainly interesting, but I’d like to point out several practical drawbacks that I came across when thinking about possible implementations.
Before we dive into the possible implementations, let's take a look at the benefits we'd like to gain.
In the following sections we discuss the points above.
The distributed solution has by definition the benefit of missing a central authority.
Distributed solutions are more robust and more democratic because there is no single party able to manipulate the data.
This is great! Or wait a minute… Is it really so great for everything?
Imagine domain names being minted as NFTs and you will find that the number of possible ASCII strings of reasonable length is limited. Even now it is a problem to get some domain names for your project. Most cool domain names were bought long ago and are now either in use or lying around waiting for the highest bid. And we are talking about second-level domains under .com and similar.
But if you can mint your domain as an NFT, in a way that lets you prove ownership with your private key, you would probably expect to be able to create subdomains. But then we must conclude one of the following:
Either only first-level domains may be minted. This would immediately lead to bots minting every thinkable string, and the usable TLDs would be exhausted within minutes or hours. Under this paradigm it is very likely that owners of the TLDs would sell their subdomains to the wide public for money. Such a system brings no benefit over the current state: we have just eliminated ICANN (yayyy! Or not?), but otherwise the hierarchy stays identical.
Or we come up with a totally different, non-hierarchical scheme of domain names. A ground-up revolution would probably be the favourite approach of true Web 3.0 evangelists, but to be honest I don't expect this to happen. After all, domain names must be recognizable, so the space for effective implementation of complex schemes is very limited.
With these two points in mind, we might take a deeper look at the popular implementations mentioned above.
ENS claims to be a “Decentralised” and “Censorship-resistant” naming service.
How did it solve the problem stated in point one?
They created a new TLD .eth and you are allowed to mint a subdomain of it. You pay for the subdomain in ETH and it remains on the blockchain for a given amount of time.
Wait… Didn't you say it's decentralized? And isn't it stored on the blockchain? But who should I pay for the domain name then? Exactly. The ENS domain is just a regular subdomain of .eth, with the difference that you pay for it in ETH. Please correct me if I'm wrong, but I didn't find any indication that this is not true.
Note: ENS offers to assign a BTC, ETH, … address to your domain, and compatible wallets can resolve it as the destination address when sending money. This is dangerous as it promotes poor transaction hygiene. You should generate a new receiving address for each transaction to preserve anonymity. In such a scenario you would have to update the ENS record after each received transaction, which is something you probably won't do, because, like every manipulation of data on the Ethereum chain, it is paid for in ETH gas.
Namecoin (namecoin.org) offers the TLD .bit
Ideally, we have our private keys stored safely and, when we need to use them, we do so on an offline PC.
Yet, real life happens and private keys might be lost. This is the case where the primary benefit of end-to-end encrypted solutions turns out to be one of their biggest drawbacks. You have bitcoin, you lose your keys – you have no bitcoin. The story is sad, you lost the money, but at the end of the day nothing else happens, because all bitcoins are interchangeable.
The problem with domains is that once a domain is claimed by someone and the private key is lost, this domain becomes blocked forever. The domain is an NFT of its kind, and this problem is known (although surprisingly infrequently discussed) in the NFT world.
The difference is that in the case of an NFT of whatever kind, you store just its hash on the blockchain. If the key is lost, you generate the image again, change one pixel in it and mint it again. The hash is different, everything is fine.
A domain, however, is a string, such as mine, kabele.me. If I wrote the ownership of this domain to the blockchain and then lost my key, my best option would be to claim ownership of kabele1.me or kabelf.me. Yet you spot the difference at first sight, not to mention that all hyperlinks must be adjusted to the new domain, etc.
For this reason I suggest a limited validity of the domain claim. It has to be long enough not to make renewals annoying, but also short enough that you will probably still be alive when the claim times out. Let's think about a TTL parameter in the range of 1 month to 5 years.
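To make the expiring-claim idea concrete, together with the hierarchy concern from the first point above, here is a toy registry model added as an illustration; it is not code from ENS, Namecoin or any other project. Owner identities are plain address strings standing in for keys, and the TTL bounds, names and timestamps are assumptions.

```python
from typing import Optional

DAY = 86_400
MIN_TTL, MAX_TTL = 30 * DAY, 5 * 365 * DAY  # TTL window proposed above: ~1 month to 5 years


class NameRegistry:
    """Hierarchical registry: a name below a TLD can only be issued by the parent's owner."""

    def __init__(self) -> None:
        self._claims: dict = {}  # name -> (owner address, unix time at which the claim lapses)

    def owner_of(self, name: str, now: int) -> Optional[str]:
        owner, expires_at = self._claims.get(name, (None, 0))
        return owner if expires_at > now else None  # lapsed or unknown names are free

    def claim(self, name: str, caller: str, new_owner: str, now: int, ttl: int) -> None:
        if not MIN_TTL <= ttl <= MAX_TTL:
            raise ValueError("ttl outside the allowed window")
        if self.owner_of(name, now) is not None:
            raise PermissionError(f"{name} is taken until its current claim lapses")
        parent = name.split(".", 1)[1] if "." in name else None
        # A free TLD may be claimed by anyone (the bot-exhaustion worry from above);
        # anything below it must be issued by whoever controls the parent.
        if parent is not None and self.owner_of(parent, now) != caller:
            raise PermissionError(f"{caller} does not control {parent}")
        self._claims[name] = (new_owner, now + ttl)


def try_claim(reg: NameRegistry, *args) -> bool:
    """True if the registry accepted the claim, False if it refused it."""
    try:
        reg.claim(*args)
        return True
    except PermissionError:
        return False


def lost_key_scenario() -> dict:
    """The post's argument in code: a lost key blocks a name only until its TTL lapses."""
    reg = NameRegistry()
    reg.claim("eth", "tld-holder", "tld-holder", 0, MAX_TTL)  # anyone may grab a free TLD
    self_issued = try_claim(reg, "alice.eth", "alice", "alice", 0, 365 * DAY)  # refused: not her TLD
    reg.claim("alice.eth", "tld-holder", "alice", 0, 365 * DAY)  # issued (sold) by the TLD holder
    reg.claim("www.alice.eth", "alice", "alice", 0, 365 * DAY)  # Alice delegates under her own name
    # Alice loses her key: while her claim is valid the TLD holder cannot reissue the name ...
    reissued_early = try_claim(reg, "alice.eth", "tld-holder", "alice-newkey", 180 * DAY, 365 * DAY)
    # ... but once it lapses the name is free again and can go to her new key.
    reissued_late = try_claim(reg, "alice.eth", "tld-holder", "alice-newkey", 366 * DAY, 365 * DAY)
    return {"self_issued": self_issued, "reissued_early": reissued_early,
            "reissued_late": reissued_late, "owner_after": reg.owner_of("alice.eth", 366 * DAY)}
```

Without the TTL bound, the `reissued_late` step never becomes possible and alice.eth stays blocked forever, which is exactly the lost-key problem described above.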
If this system is to be adopted, it must be available to the wide public with zero effort. Keep in mind that the current DNS infrastructure is anything but simple. The claims about increased durability of the decentralized system are cool and theoretically correct, but the competition is a technology that has matured for 30 or more years.
The common motivation for distributed technology is its resistance against censorship imposed unilaterally by a single big player, either a corporation or a government.
This technology may bring such resistance if implemented properly, but it also has serious drawbacks, as described in the previous sections. Consider sites such as The Pirate Bay, which is hunted down by both enterprise players and the government agencies they sponsor. And yet, despite being hunted, The Pirate Bay still exists. This example suggests that a complete ban of a certain service is hard even now.
I personally don't believe that a distributed DNS service will take over the traditional DNS as we know it today. It certainly brings some benefits, but most interested parties, end users and corporations alike, will certainly prefer the convenience of standard DNS services.
This ideological fight is nothing new under the sun. Take a look at the popularity of mail signing solutions (nothing vs. S/MIME vs. GPG) and you'll realise that most people prefer simplicity over privacy/security.
If you find any false claim in this text, please contact me at my email (available on the web).