Can Blockchain Democratise dot-COM?
If you are unfamiliar with who Verisign are, they are the guys who run dot-COM. This means when you pay for a dot-COM domain name, they are the ones collecting the lion's share of the money.
Despite the prices in dot-COM being capped – currently $7.85 per year, fixed until 2018 – the sheer numbers involved make this an extremely lucrative business for them, giving them a disproportionate amount of control over ICANN, DNS and the internet in general.
Right now they are quoting 145,862,088 names in both COM and NET – so, yes, that really is $1,145,017,390.80 (US) – and that's per year, every year and pretty much guaranteed. They don't really have to do much in the way of sales, marketing or promotion – dot-COM is one of those very few products that really does sell itself.
But what Verisign do have to do is keep it running – something they do very well. Outages in COM and NET are almost unheard of. The service has to be swift and reliable, and they do a good job of that. But it could be argued that they represent an extremely vulnerable single point of failure in the Internet, and their hugely disproportionate amount of power allows them to ensure things stay that way, despite the disadvantages to the rest of the industry.
So let's take a look at the roles they undertake.
Role-1 - Maintaining the database & managing the transaction (new, renew & transfer)
As applications go, running a top-level domain registry is a relatively straightforward database application, so it's not hard to get right from a technical perspective. But this is also the part of the business that could easily be switched to run on a blockchain.
With a blockchain, when domain names are traded, these trades would be recorded in the cryptographic ledger and would be there for all to see.
A blockchain distributed network could be run by a consortium of the larger registrars, the likes of GoDaddy, NameCheap, name.com, register.com, TuCows, Enom and so on. This would immediately give the benefit of removing the single point of failure and reducing the cost to the registrars. It would also make the management of dot-COM open and available to all.
Dot-COM churns about 100,000 domains per day – 100,000 domain names are added and 100,000 drop out. Currently the bitcoin blockchain handles about 250,000 to 300,000 transactions per day. Although some have argued it is struggling to cope, Bitcoin has clearly proved that the technology is capable of this kind of workload.
A blockchain ledger would also give the participating registrars access to the entire database, which could improve the performance of their transactions.
It would also give the option of blockchain peers operating outside of the US, allowing much faster access to dot-COM transactions for non-US based businesses.
Role-2 - Publishing the Zone Data in the DNS
Publishing the COM zone data in the DNS is the process by which the rest of the world is able to access dot-COM websites and other services.
The maintenance of this live data is a reasonably complex task, but is certainly not outside the skills of the likes of Google and the larger ISPs. They could then either voluntarily make their copy of the zone data available to others, or provide DNS access as a chargeable service.
Using Anycast networking, it is possible for multiple entities to publish the same DNS information on the same IP Addresses, and smaller ISPs could select which publisher to peer with, in order to get the most reliable access to the COM zone data.
An interesting project that has come out of the Ethereum group is the concept of publishing actual DNS data in a blockchain, but it's still in the early stages and there are still some questions over trust and modification permissions.
Role-3 - Signing the DNS (DNSSEC)
Once the DNS data has been generated, it must be signed. A zone that is signed can have its published data cryptographically verified by anybody, ensuring the content of the data can be trusted.
Anybody can verify that the DNS data they have is what the original publisher actually published, meaning you can prevent all sorts of DNS spoofing attacks, like a Cache Poisoning Attack.
In a Cache Poisoning Attack, an attacker forces a DNS server to ask a specific question, then bombards it with fake answers in the hopes that one of the fake answers will be believed, and end up sending the users to a fake site. This form of attack was made famous by Dan Kaminsky's working proof-of-concept in 2008.
DNSSEC uses an RSA-style public/private key pair, with a fingerprint of the public key published in the parent zone. This raises a potential problem: the standard way to sign the zone requires that a single entity holds the private key securely, so as to protect the integrity of the signing process.
However, an interesting project called Yeti successfully proved the possibility of having a single zone signed by multiple entities, each using their own private key, with the zone still publicly verifiable using standard DNS software.
This exploits a feature of DNSSEC that was originally intended to allow for Key-Roll-Over. Key-Roll-Over is the process by which the signing entity ensures the ongoing security of its keys by regularly replacing the private key. It is supported by temporarily holding multiple fingerprints for the zone in the parent zone.
In the case of a decentralised dot-COM, each of the Zone Publishing providers (described in Role-2) would generate and hold their own private key and sign their copy of the COM zone data using that key. In turn, the parent zone (in this case, the ROOT zone) would hold a separate key fingerprint for each Zone Publisher, ensuring their keys are all cryptographically verifiable.
Although the focus of the Yeti project was the concept of having multiple entities sign the ROOT zone, their conclusion was that they had proved the concept works. And if it works for the ROOT zone, it will certainly work for the COM zone.
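To make the multi-signer arrangement concrete, here is an added Go example (not code from Yeti or from any DNSSEC implementation) that models two publishers each signing the same zone data with their own Ed25519 key, a parent that holds a fingerprint (DS) for each key, and a resolver that accepts a copy only when its key matches one of those fingerprints and the signature verifies. The DS digest, the record encoding, the `publisher-A`/`publisher-B` keys and the sample A record are all simplified or constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedZone is one publisher's copy of the zone: record data, its DNSKEY (Ed25519, alg 15), RRSIG.
type SignedZone struct {
	Data   []byte
	DNSKEY ed25519.PublicKey
	RRSIG  []byte
}

// DS is the key fingerprint the parent zone publishes (simplified: SHA-256 of the raw public key).
func DS(key ed25519.PublicKey) [32]byte { return sha256.Sum256(key) }

// Sign is one publisher signing its own copy of the zone data with its own private key.
func Sign(priv ed25519.PrivateKey, data []byte) SignedZone {
	return SignedZone{Data: data, DNSKEY: priv.Public().(ed25519.PublicKey), RRSIG: ed25519.Sign(priv, data)}
}

// Validate is the resolver side: the DNSKEY must match a DS fingerprint the parent holds AND the
// RRSIG must verify under it. Accepting any one of several DS records is the key-roll-over feature reused here.
func Validate(parentDS [][32]byte, z SignedZone) bool {
	fp := DS(z.DNSKEY)
	for _, ds := range parentDS {
		if ds == fp {
			return ed25519.Verify(z.DNSKEY, z.Data, z.RRSIG)
		}
	}
	return false // key not delegated by the parent: rejected whatever the signature says
}

// demoKey derives a repeatable demo key from a label (constructed; real keys come from ed25519.GenerateKey).
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

func main() {
	privA, privB := demoKey("publisher-A"), demoKey("publisher-B")
	parentDS := [][32]byte{DS(privA.Public().(ed25519.PublicKey)), DS(privB.Public().(ed25519.PublicKey))}
	zone := []byte("example.com. 3600 IN A 192.0.2.1") // constructed sample record
	fmt.Println("A valid:", Validate(parentDS, Sign(privA, zone)), "B valid:", Validate(parentDS, Sign(privB, zone)))
	forged := Sign(privA, zone)
	forged.Data = []byte("example.com. 3600 IN A 198.51.100.9") // substituted answer; RRSIG no longer matches
	fmt.Println("tampered copy valid:", Validate(parentDS, forged))
}
```

A third key that the parent has published no DS for is rejected even though its signature is internally valid, which is the property that keeps the scheme from becoming "anyone may sign COM".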
What are the benefits?
- Removing a single point of failure.
- Democratisation of both the COM zone and DNS in general, by the removal of a single very powerful entity.
- More even distribution of the wealth created by dot-COM, giving the registrars more room for discounting and increasing competition.
- Blockchain could be used to escrow domain trades, reducing fraud in domain transfers and allowing cryptographic verification of proof of ownership.
- Anybody who wanted to could get access to live authoritative dot-COM trading or DNS data, making it harder to spoof or defraud.
- There is a company with an annual income of $1B+ that would strongly resist any change!
Democratisation of dot-COM and the removal of the single point of failure is an interesting intellectual exercise that not only provides some benefits but is also perfectly possible. However, it is highly unlikely to ever happen.