An interview with Paul Mockapetris, the creator of the DNS (welcometothejungle.com)
74 points by wickwavy 5 days ago | 24 comments

This was my favorite Q & A:

> Tim Berners-Lee [inventor of the World Wide Web] and many others have called the design of the URL clumsy because we have host.domain—welcometothejungle.com—where it’s hierarchically going from lower to higher. And then we have the path component—/en/collections/behindthecode—which goes from higher to lower. We also use a mix of periods and slashes. So Berners-Lee proposed that domain/host/path—that is, com/welcometothejungle/en/collections/behindthecode—would be a better design. What are your feelings about that?

> I designed it this way for autocomplete. My vision at the time was that people would want to do autocomplete or they might want to just type part of the domain name and have it completed in a search list of the local environment. So it would not make sense to have the country code first. It had to be the least-significant part if you’re going to have any kind of reasonable search list or autocomplete. Imagine if we were to type “com.” and then wait for autocomplete. Out of 160 million choices, there would be a pretty long pull-down menu. So in the absence of any agreement or, in my view, cogent arguments about why the other way around made more sense, I did it that way.

This guy is my hero.

I wonder if he considered that even under a domain/host/path format, an autocomplete could probably be designed to ignore the domain and search the host.

Eg, if you're searching for com/welcometothejungle/en/collections/behindthecode, just start typing "welcometothejungle" and autocomplete will find that substring and return the full URL.

Solution in search of a problem.

What's the issue with having the domain name, an essentially flat map from name to number, going from least general to most general, and a path, representing a file system tree, going from most general down its nodes to the most specific?

Is the argument they make up two parts of a url, and thus should behave the same way? Seems a bit superficial.

Yeah, if your objective is to differentiate between domain and file system path then that’s one way of doing it. That might help with parse-ability, especially if your protocol allows for an optional subdomain which may or may not be there, so having a clear separation b/t domain and path might be useful. Hard to know without having been there when these decisions were being made.

In the past, many DNS servers were configured so you can execute an "ls" to list the subdomains

Nowadays most have disabled that option.

Do you have any references for this functionality? I’ve never encountered something like that in the RFCs, or in any server.

So presumably nslookup -ls had some logic for finding the apex for a particular name, doing an AXFR and then filtering it to the target name and below?

Yeah, I think it was for zone transfers. It was pretty fun discovering 'private' hosts :-)

So I have the pleasure of calling Paul a friend. One of the most interesting and insightful things he has said in a conversation about the creation of DNS to me was "if those above me had understood the importance of what we were doing it would have never happened and the project would never have been given to someone like me at my level at the time...". It is not clear he understood it at the time himself. He is a pretty nice guy. I (a networking geek that just took this cool stuff and built with it) cannot claim to have done anything special on this journey to arrive where we are today, but I have been privileged enough to know a few of the players and I can say every one of them while having their own arrogance, it is never misplaced and in general they just wanted to solve a problem and make stuff work better. I struggle to see that level of idealism in today's tech crowd.

> I (a networking geek that just took this cool stuff and built with it) cannot claim to have done anything special on this journey to arrive where we are today

> I struggle to see that level of idealism in today's tech crowd.

I wonder if these two are connected. The people I know who have accomplished things are rarely those who look backwards or are quick to lose faith in others, young or old.

Of course there is idealism out there. Tons of it. The ecosystem is just seriously bigger now, and the money grabbers get most of the headlines so you have to keep up and know where to look.

DNS is such an integral part of the Internet, when it stops working just about everything breaks down

And conversely it's more likely the culprit when things aren't working.

I'd be interested to know what he thinks about DNS-over-http (and QUIC absorbing everything TCP/IP in general if we let our browser cartel overlords have their way)

I host a DNS server in each of the HTTP app. server processes in my global hosting platform:


That way I can maintain and guarantee 100% read uptime!

Regarding DNSSEC adoption, for US names: it's less than 2%, just in terms of raw signed domains. It's lower if you're looking at adoption among popular domains.

The article claims it’s about 50% globally. So if, as you say, the US only has 2%, is that an argument against DNSSEC? That’s an argumentum ad populum.

It's not about 50% globally. It's like 50% of .SE, which is itself less than 25% as large as .INFO. He's guessing, and he's wrong. That's the point of my comment. I don't care what you do with the observation; he brought it up, and he's way off.

(I don't think it's weird that he's way off; I'm not criticizing Mockapetris, just correcting the stat. But your vehemence demands a direct response from me, and I'll provide it.)

I don’t know what you mean by “vehemence”, but I note that even though you said it “demands a direct response”, you didn’t actually answer the question.

I'm sorry, I thought I was clear. No, pointing out that Mockapetris' guess of 50% global adoption of DNSSEC is wrong is not an "argumentum ad populum". It is, as I said, simply an observation that the statistic he is venturing is wrong.

Source, as of 2020?

Not sure where he's getting his numbers from, but check out: DNSSEC validation, by country from APNIC https://stats.labs.apnic.net/dnssec

That's the number of validations, which is effectively a measure of the percentage of people using centralized resolver services that do DNSSEC validation. The figure of merit is the number of signed zones, and, in particular, the percentage of popular zones that are signed (you pick the popularity metric; whatever you choose, the percentage will be extremely low, unless it's "most popular schools and government agencies").

dnssec-tools. (Or, for popular zones, any list of popular domains and "host -t ds").
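
The measurement suggested in the last comment (a list of popular domains plus `host -t ds`), written out as an added example that is not part of the thread. The function names `ds_summary` and `ds_survey` and the sample names and digests are constructed; the line formats assumed are the ones BIND's `host` utility prints.

```shell
#!/bin/sh
# Summarise `host -t ds` output read from stdin.
# Prints: <signed zones> <zones answered> <percent signed> <lookup errors>
ds_summary() {
    awk '
        NF == 0               { next }
        # A zone may publish several DS records (key rollover, two digest
        # types), so count distinct names rather than lines.
        / has DS record /     { signed[$1] = 1; seen[$1] = 1; next }
        / has no DS record/   { seen[$1] = 1; next }
        # NXDOMAIN, SERVFAIL, timeouts: an error is not evidence that the
        # zone is unsigned, so keep it out of the denominator.
                              { errors++ }
        END {
            for (z in seen)   total++
            for (z in signed) s++
            pct = total ? (100 * s) / total : 0
            printf "%d %d %.1f %d\n", s, total, pct, errors
        }'
}

# Live survey: $1 is a file with one domain per line (any popularity list).
# Needs network access and host(1); the DS record is served by the parent zone.
ds_survey() {
    while read -r domain; do
        if [ -n "$domain" ]; then
            host -t ds "$domain" 2>&1
        fi
    done < "$1" | ds_summary
}

# Constructed sample of host output: names and digests are made up.
SAMPLE_OUTPUT='alpha.example has DS record 11111 13 2 1A2B3C4D
alpha.example has DS record 22222 13 2 5E6F7A8B
bravo.example has no DS record
charlie.example has no DS record
delta.example has DS record 33333 8 2 9C0D1E2F
Host echo.example not found: 3(NXDOMAIN)'

printf '%s\n' "$SAMPLE_OUTPUT" | ds_summary
```

A DS record in the parent only shows that the delegation is signed; it does not show that the zone's signatures currently validate.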
