Formally, a query that gets a cache hit is the same as one that
doesn't: It is a DNS query. The fact that the retrieval is
successful at the local store (cache) simply does not affect the
underlying model, no matter how many cross-net interactions with an
actual DNS server it saves.
Understood, then. So, returning to your original question, I do not
know of any discovery mechanism *currently* under consideration,
though I *do* hope to write a Tor plugin and submit it for inclusion
once v.Next is well-formed enough that I can count on the specs in
place staying the same long enough to be worth working with.
Whether that would be considered *likely* to come under consideration
is a question I cannot answer.
Hmm . . . but *which* DNS system?
There's more than one?
Sure! Even discounting a user's hosts file (handy for setting up test
servers) and corporate intranets that bounce a subset of users to an
address inside their firewall, the so-called "rogue" (because they
report different results) domain name servers cannot be assumed to
ALL have malicious intent; some of them might be providing an
internet that runs parallel to the Internet most people are familiar
with. Peer-to-peer DNS has also seen interesting ideas, and it's not
as if the centralized domain name servers would have automatically
become aware that such a thing was happening.
(Many of us, finding an open port that claimed to be running DNS,
might even think "accidental security hole" before we thought
"rogue"; a misconfiguration of an inadequately documented alternative
DNS might leave it claiming to be authorized by the same upstream
servers we *usually* see, and prior to DNSSEC was there really any
reliable way of noticing differences?)
No domain names, or strings that look like domain names but *can't* be
looked up through the usual DNS?
The latter exemplifies the distinction I cited, between name
registration -- reserving a name from the namespace -- versus doing
a query using the DNS protocol to a DNS server.
In both cases, starting (in one case, ending) with DNS; got it so
far. Could get confusing if some of the servers don't realize they're
issuing contradictory responses for the *same* namespace; again,
though, this is stepping outside of what is generally understood to
be "the real world".
(Could get very interesting as DNSSEC gains traction though!
Precedence shouldn't be a problem with everyone looking at the same
root servers (disputes settled that way), but one can easily imagine
two (or more) very large, long-entrenched DNS systems colliding
during the DNSSEC adoption, creating an irreconcilable conflict.)
Much more likely, though, that DNSSEC will help prove the lack of any
such things :)
-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs