Sitefinder II, the sequel...

Steven M. Bellovin smb at
Tue Jul 11 03:40:02 UTC 2006

I'll demur --- I don't much like it, for several reasons.

The first is that it *does* present a different view of the One True
Tree.  I've been saying for years -- among other things, in the context of
Sitefinder, alternate roots, and other things -- that the DNS was designed
under the assumption that there's one namespace.  Anything that presents
different results will result in confusion.

The second is the precedent that's set -- who gets to decide what zones
are excluded from the tree?  OpenDNS?  Sure -- and to whom do they
listen?  Are any sites to be ruled out on political grounds?
Ideological?  Not today, sure, and (I assume) not by OpenDNS -- but what
if some misguided legislature passes some law?  Bear in mind that *by U.S.
law*, libraries that receive federal funding *must* install certain kinds
of filters.

The third is that not all the world is a web site.  I send email, do IM,
ftp, ssh, SIP, imaps, pop3s, and assorted other weird protocols.  (I'm
having trouble doing SIP from my hotel tonight.  I wonder if that's a
coincidence.  The server worked just fine from the IETF venue a few hours
ago.)  OpenDNS, like Sitefinder before it, is optimized for web users.

A fourth is that most consumers don't have a realistic choice; they use
whatever DNS server their ISP gives them.  Furthermore, they have little
choice of ISP.  In the U.S., people are lucky if they have two choices,
DSL from the local monopoly telco or cable modem service from the local
monopoly cable TV company.  You might not like the service; you may get it
anyway.  (Yes, I read their instructions on how individuals can start
using the service.  I frankly don't believe that that will happen at a
large enough scale to make a viable business.) This doesn't apply, of
course, to corporate decisions regarding the employee experience, but that
doesn't strike me as the market this is aimed at. (Their privacy policy
appears decent, but I couldn't tell if they build up user profiles which
they use for their ads.  The Privacy Policy didn't seem to say, one way or
another; the Terms of Service requires accurate registration instructions,
which is sometimes done for profile-based advertising.  I can't tell, nor
do I know what they can or can't "look our mothers in the eye about", to
use their phrase.)

Fifth, the service doesn't work properly in the presence of DNSSEC.  They
can't return proper NXT records, nor can they realistically sign their own
responses except for certain *very* common typos.

Yes, this is better than Sitefinder, because it's not forced on the entire
Internet.  However, it shares many of the same flaws.
