DNS is probably the wrong word. You want some new method of name resolution, not DNS.
The thing with DNS is that it actually works pretty well as a distributed system. There are a bunch of different people responsible for different TLDs. If the operator of one TLD is censoring you, you can use a different one.
There are really two primary concerns with DNS. The first is that even if you have a domain using a TLD whose operators are unwilling to censor it, local DNS resolvers can still try to block it. This is not that hard to fix; either use a DNS server in a different country or (if your network is blocking non-local DNS) do your DNS queries over Tor or some other secure proxy. It's also one of the things that DNSSEC or DNSCurve are supposed to prevent, if anyone would ever get around to implementing either of them. So this is solvable but non-ideal because it requires all the individual end-users to do something.
The second problem is that ICANN doesn't allow just anyone to operate a TLD, which means that the TLD operators themselves become choke points. Then censorial entities who see a TLD operator refusing to censor can put pressure on them (or their home country's government) to try to force the censorship.
So what you want is really to replace ICANN and the TLD operators with something more distributed, but the question is, with what? If you want a memorable but globally unique name then you need some method for everyone in the world to agree who it is that name should refer to. Right now the method is "if the name ends in .com, it refers to who Verisign says it does" and so on for other TLDs. You have trusted entities who can authoritatively determine who controls the domain.
I think (someone correct me if I'm wrong) that namecoin is trying to fix this with something along the lines of bitcoin, where whoever uses a name first gets to keep it. The problem there is that you need a way to make sure when it becomes popular you don't end up with a land grab and all the reasonable names end up in the hands of scammers and squatters, and I'm also not sure how they're addressing transferability and abandonment.
Just thinking out loud here, but how about this: Create a version of ICANN that works like IETF. No relationship to ICANN other than to refuse to issue TLDs that have already been issued by ICANN (and hopefully vice versa). Then, if you want a TLD, you can go to this group of people (who are maybe people like EFF members or well-known security researchers or activists) and they come to a consensus about whether you should get the TLD. So if EFF asks for ".eff" they get it. If ACLU asks for ".aclu" they get it. If La Quadrature du Net asks for ".lqdn" they get it. If Debian Foundation asks for ".debian" they get it. FSF gets ".fsf", and on and on. But if some scammer asks for ".bank" they can go pound sand. Maybe make them sub-domains, so you end up with ".eff.foo" and they all end in ".foo" (insert whatever you like) to reduce possible collisions with ICANN. The idea will be to have domains outside the control of ICANN or anyone in particular and issue several hundred to generally well-known and trustworthy entities who are likely to resist censorship efforts. Then those entities can issue "wikileaks.aclu" and "wikileaks.eff" to wikileaks etc., so censoring them requires censoring all the anti-censorship organizations.
Once the working group assigns a TLD, they no longer have any involvement. They don't operate any technical infrastructure. All they do is publish the name of the domain and the public key of the entity it's assigned to (which can be used to sign domains in the TLD), to serve as the authority for resolving namespace collisions. Once an assignment is made it's permanent and irrevocable. The assigned organization's public key gets published and browser and OS vendors start including it and using it to authenticate domains in the TLD, resolved using whatever distributed system you like (that part is basically a solved problem) to map names to addresses.
I suppose you could have an even less centralised system to resemble Tor hidden services. This transcript of Assange and Schmidt's meeting discusses this at a certain point, just grep for 'hash'[1]. That way the domain name itself is proof of its authenticity.
Couldn't you also have something akin to bitcoin's blockchain, where the identity of a domain is agreed upon by the majority of the creators of the blockchain? I don't know what the equivalent of mining would be though. Assange also suggests how domains could be made hard to make, so that they can be 'mined', creating scarcity so that "some arsehole" doesn't "register every short name themselves"[sic].
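An added sketch (not from the thread, and not Tor's actual address format) of the self-authenticating names raised above: the name is a truncated hash of the owner's public key, so a client can check any key it is handed against the name alone. The `.hash` suffix, the 160-bit SHA-256 truncation and the sample records are assumptions made for illustration.

```python
import hashlib
from base64 import b32encode

SUFFIX = ".hash"    # hypothetical suffix for self-authenticating names
DIGEST_BYTES = 20   # 160 bits -> exactly 32 base32 characters, no padding


def name_from_pubkey(pubkey: bytes) -> str:
    """The name is a truncated hash of the key, so it commits to that key."""
    digest = hashlib.sha256(pubkey).digest()[:DIGEST_BYTES]
    return b32encode(digest).decode("ascii").lower() + SUFFIX


def key_matches_name(name: str, pubkey: bytes) -> bool:
    """Client-side check: recompute the name from the key a peer presented."""
    return name.strip().lower() == name_from_pubkey(pubkey)


def authentic_records(name: str, records: list[dict]) -> list[dict]:
    """Filter answers from an untrusted lookup; no registry or CA is consulted."""
    return [r for r in records if key_matches_name(name, r["pubkey"])]


# Constructed sample data: stand-in key bytes, not real keys.
OWNER_KEY = bytes(range(32))
FORGED_KEY = bytes(range(1, 33))
NAME = name_from_pubkey(OWNER_KEY)
ANSWERS = [
    {"pubkey": FORGED_KEY, "addr": "203.0.113.66"},   # injected by a hostile resolver
    {"pubkey": OWNER_KEY, "addr": "198.51.100.7"},
]

if __name__ == "__main__":
    print("name:", NAME)
    for record in authentic_records(NAME, ANSWERS):
        # The key is now trusted for this name; the record's address is only
        # trustworthy once a signature over it verifies under that key.
        print("accepted key for", record["addr"])
```

The resulting name is 32 characters of base32, which is the memorability cost of this design.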
>I suppose you could have an even less centralised system to resemble Tor hidden services. This transcript of Assange and Schmidt's meeting discusses this at a certain point, just grep for 'hash'[1]. That way the domain name itself is proof of its authenticity.
Using a hash as the name can be useful, especially where the name is only being read by a machine, e.g. you post a link and somebody can just click it, or it's part of your app which you're only using instead of an IP address in case the IP address changes. Or you can put it in a QR code or use NFC on mobile devices etc. The trouble is that it causes the name to be full of encoded data and humans can't remember it. You would still like some way of using memorable names for instances where someone is going to have to type the thing.
>Couldn't you also have something akin to bitcoin's blockchain, where the identity of a domain is agreed upon by the majority of the creators of the blockchain? I don't know what the equivalent of mining would be though. Assange also suggests how domains could be made hard to make, so that they can be 'mined', creating scarcity so that "some arsehole" doesn't "register every short name themselves"[sic].
I was thinking about something like that, it seems like the trouble is how do you calibrate the amount of work to be done. If you make it massive (like $200,000 worth of CPU time on Amazon) then you're excluding a lot of the people you wouldn't want to exclude, or causing them to waste a lot of money. But anything significantly less formidable just isn't going to solve the problem -- at $200 you can still imagine a slew of jackasses registering all the short names. Especially when they're evildoers who are using a botnet and don't actually have to pay anything for the computing resources. And that also doesn't solve the problem of scammers getting ".bank" or ".irs" or something, where the point isn't that they're getting too many names, it's that they're getting unreasonably misleading names.
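An added sketch (not from the thread and not Namecoin's mechanism) of the "mined" registration idea and its calibration problem: a claim is valid only if its hash has enough leading zero bits, with shorter names requiring more. The difficulty constants, the per-character surcharge and the claim encoding are assumptions chosen so the demo runs quickly.

```python
import hashlib
from itertools import count

BASE_BITS = 10       # toy difficulty so the demo finishes quickly (assumption)
SHORT_NAME_LEN = 8   # names shorter than this pay a surcharge (assumption)


def required_bits(name: str) -> int:
    """Each missing character adds one bit, i.e. doubles the expected work."""
    return BASE_BITS + max(0, SHORT_NAME_LEN - len(name))


def claim_digest(name: str, pubkey: bytes, nonce: int) -> bytes:
    """Hash the claim; length prefixes keep (name, key) pairs unambiguous."""
    h = hashlib.sha256()
    for part in (name.encode(), pubkey, nonce.to_bytes(8, "big")):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mine(name: str, pubkey: bytes) -> int:
    """Registrant's side: expected 2**required_bits(name) hash evaluations."""
    for nonce in count():
        if leading_zero_bits(claim_digest(name, pubkey, nonce)) >= required_bits(name):
            return nonce


def verify(name: str, pubkey: bytes, nonce: int) -> bool:
    """Everyone else's side: a single hash, whatever the difficulty."""
    return leading_zero_bits(claim_digest(name, pubkey, nonce)) >= required_bits(name)


def expected_hashes(name: str) -> int:
    return 2 ** required_bits(name)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed stand-in for a registrant's public key
    for name in ("wikileaks", "eff"):
        nonce = mine(name, key)
        print(name, required_bits(name), "bits, nonce", nonce, verify(name, key, nonce))
    # The cost is fixed in hashes, not money: a botnet pays nothing for them,
    # and no difficulty setting stops a misleading name such as "bank".
```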
I have been thinking about this for a while, and I suspect many others have as well. We don't really need ICANN in its current form. I appreciate your thoughts, as they provide insight into ways to go about it that I wasn't thinking much about.
What others said: something like a service behind Tor, which would be immune to government interference (to a point, obviously) and that would provide flexible name resolution. I think you touch on that quite a bit by saying you would give a TLD to anyone who asks first. I think the ability to get a name that is yours without affecting others who would like that name is essential.
re: "The problem there is that you need a way to make sure when it becomes popular you don't end up with a land grab and all the reasonable names end up in the hands of scammers and squatters, and I'm also not sure how they're addressing transferability and abandonment."
.bit domains do expire approximately every 9 months I believe, unless you spend more namecoins to re-register them using your private key in which case you re-register said domain for 9 more months.
Abandonment happens if you no longer own the private key used to register the domain and/or you no longer make payments into the network.
This is good, the problem is "and hopefully vice versa". ICANN can break this by grabbing contested names and counting on the fact that 99% of users will see what they want them to.
Not really. For anyone whose device supports the new name resolution system, if the TLD it's doing a lookup on is associated with a public key then there would be no reason to even use normal DNS (which is significantly less secure because it has no widely implemented method to verify that the response is authentic).