One thing that I'm worried about is InterNIC. As I understand it, it is a central company that is in the business of receiving domain name registrations, including the info on what that domain is connected to, and sending it out to various nameservers. The nameservers then use this to route some (not all, I do believe) traffic.
Close, but not quite. The role that the InterNIC serves is to register domains and to maintain the top-level mappings. It is from InterNIC that the root-level nameservers load info regarding which domains are served by which nameservers. The way this process works from any particular users point of view is as follows: 1) You request that the host name www.foo.bar be resolved to an IP address. 2) Your TCP/IP software checks its local cache (if any) to see if it already has the requested information and if so it returns it without doing a lookup [there are timeouts and other bits involved but this is the simple version] 3) If a lookup is necessary your TCP/IP software digs up a pre-defined name/number for who is should ask. This is the info that you enter into a resolv.conf file in unix, a MacTCP DNS setting, etc. It is usually the nameserver for your internet service provider or a local nameserver for your network. Once the resolver knows who to ask it formats a query and sends it off. 4) This nameserver checks its cache to see if it already has the info and if not it forwards the request to another nameserver. Eventually the request hits a root server; the root servers then check the domain name against their tables (the ones it loaded up from the NIC) and forward the request to the appropriate nameserver. 5) Eventually the request is forwarded to a nameserver which is able to give an authortative answer for this domain and the result is sent back to the original requester. At any point in this chain it is possible for someone to decide who will give the authoratative answer for this domain. It is possible for you, the requester, to decide for yourself who will be asked. All you need to do is to add whatever nameserver you trust early into the query chain and that server will be asked first and only if it does not answer authoratatively will the regular nameservers be asked to resolve the request. The DNS system represents to oldest digital reputation system I know ot. It is _all_ about trust; if you think that someone is giving out bogus information or you want your answers to come from someone else it is trivial to change the way your nameservice is configured so that lookups happen in the manner that you want. No one can control how names are resolved into numbers unless someone else grants them that power. There was a minor rebellion among the internet service providers this fall when the NIC announced that they would begin charging for their services and it flares up every now and then when some of the larger independant ISPs begin to feel that the NIC is favoring the major players like MCI, Sprint, et al. when it comes to address and routing blocks and other name/IP number issues. The point that is frequently raised to keep the NIC in line is that there is nothing preventing these providers from going out and doing whatever they want, whether it be establishing new root servers, allocating whatever numbers they want, or just plain ignoring that the NIC exists. And there would be absolutely nothing that InterNIC could do about it, because that is how DNS works. The biggest problems that would occur would be when there was a conflict in the namespaces served (e.g. your lookup for www.foo.com returns one number when a InterNIC served root nameserver responds and another when a different set of root nameservers respond) and the number that would be returned would depend entirely on which nameservers your query asked to get the answer. In short, it would depend on who you decided to trust... On a more cypherpunk-related note, it is actually quite trivial for you to create your own shadow domains which are completely private to whatever group you want. If you want to create the foo.cypherpunk domain you can do it just by downloading the BIND nameserver code and settting up a nameserver which answers queries for the top-level .cypherpunk domain. All that is required for someone else to resolve names in this set of domains is for them to know that a .cypherpunk address needs to be resolved by the nameserver you created (which involves adding only a single line in every DNS config system that I know of.) It is also difficult for any authority to mandate that certain nameservers be used because the entire system is already so distributed as to make such a mandate useless (it would also cause such a performance hit for net connections that it would be about as effective as the old 55mph federal speed limits :) jim -- Jim McCoy mccoy@communities.com