ICANN FAIL

I've never been a fan of ICANN.  They're a ludicrously costly organsisation whose "authority" stems from administrative stewardship for some of the internet's universal namespaces.  As I used to point out: ICANN costs millions to run every year and their job is to make very occasional changes to small text files - a job I'd happily do for a fraction of the cost.

As someone with some background in net-ops I've always understood that the most elegant bootstrap for a distributed, de-centralized, system is a conservative and tightly controlled hierarchical namespace with a minimally small root.  Authority for the DNS namespace isn't granted by governments (with the exception of the US Dept of Commerce) or international treaty.  There's no real "root" to the authority ICANN that claims, it's “a consensual hallucination experienced daily by billions” (to use a phrase that others have borrowed from William Gibson).

The authority for management of the DNS namespace is granted by whoever runs the root servers.  The root servers are determined by whatever resolvers think they are.  The resolvers are usually informed by "root.hints" (a file distributed with Bind) that bootstraps the chain of authority when a nameserver is started.

Who's the kingmaker here?  It's just as much the ISC (makers of Bind), as it is the ops staff configuring the nameservers, as it is the company determining their policy of which root to use, as it is the customer complaining he can't send email.

The prevailing attitude is, for the sake of operational sanity, keep using the ICANN root.

Limited experiments in increasing the number of gTLDs (generic top-level domains, as opposed to country-based domains) have been shown to benefit two groups - name registrars and international trademark lawyers - an insignificant number of people as a percentage of Internet users, but whose interests are hugely over-represented at ICANN.  I'd argue that, at best, new gTLDs such as .biz have provided no benefit to the public - and are dominated by registrations by either spammers and scammers (hopping from one blacklisted domain to the next) to purely trademark protection registrations.  And each new gTLD pulls us further from de-centralization, which (in theory) impacts internet stability.

The theory of "bigger root = less stability" is one I personally subscribe to.  Others point to the successful management of ".com", a huge flat namespace, as proof that DNS is robust enough to have a root namespace of millions.  They may well be right, but increasing the root of an authoritative namespace like DNS isn't something we can retract.  If they're wrong, we're screwed - simple technical clarity that only years of being a grumpy sysadmin can provide.

I've been online on two occasions when the .com servers have failed.  My observations at the time were that this did have some knock-on effect to .uk domains - but largely .uk stuff was working fine.  Smart hostmasters have authoritative nameservers under at least two different TLDs precisely for this reason.  Localization of failure is the benefit of distribution and de-centralization.

With the recent decision by ICANN to flatten the namespace they've shown themselves (in my eyes) to be unsuitable stewards of the root.  In my mind (and perhaps others) they're shifting from "de facto root" to merely the "dominant alt-root" - no more legitimate than any other.  It's clear that if any authority is going to be claimed, it's going to come from somewhere like the ITU or UN.  International bodies like this are, by their nature, slow moving and conservative - exactly what namespace management needs.

And for alt-roots - now is your time.  Set up new alt-root servers, grandfather the ICANN root as of this date, then charge hefty administrative fees to include any of the new ICANN-approved domains (registrants can clearly afford it).  If you're a large ISP already running a good few resolvers this is a potential new revenue stream - it's practically free money.

In fact I've always suspected it was the secret business plan for OpenDNS.