
If we take a step back, we could say that the whole Verisign incident demonstrated pretty clearly that the fundamental DNS premise of having no more than one root in the namespace is seriously wrong. This is the fallacy of "universal classification" so convincingly trashed by J. L. Borges in "The Analytical Language of John Wilkins". Single-root classifications simply do not work in real-world contexts. On a more practical plane, as long as there is a central chokepoint there will be an enormous advantage for a commercial or political interest to control that chokepoint. As the Internet becomes more and more important, the reward for playing funny games with the top levels of the name space is only bound to get higher. I do not want to play a Nostradamus, but it is pretty obvious that it's likely to be sooner rather than later that there will be an incident in which a bribed or planted Verisign employee aids a massive identity theft on behalf of a criminal group. And that we will see politically-motivated removal of domain names (my bet is that porn sites will be targeted first). How about twiddling NS records pointing to sites of a political party not currently in power? DNS is no longer a geek's sandbox; it lost its innocence. The Name Service is engineered with this fatal weakness. It cannot be fixed, as long as it depends on any central point. It already has many problems with trademark and fair competition laws. In some countries, national DNS roots are controlled by secret police. It is a good time to stop patching it, and start thinking about how to address the root cause of the problem: namely, that there's no way for an end-user to choose (or create) his own "root" of the search space. (The implication is that names become paths, which matches human psychology quite well, considering that we possess an evolved ability to navigate using local landmarks.)
In fact, we do have an enormously useful and popular way of doing exactly that: this is called "search engines" and "bookmarks". What is needed is an infrastructure for allocation of unique semantic-free end point identifiers (to a large extent, MAC addresses may play this role, or, say, 128-bit random numbers), a way to translate EIDs to the topologically allocated IP addresses (a kind of simplified numbers-only DNS?) and a coordinated effort to change applications and expunge domain names from protocols, databases, webpages and such, replacing URLs containing domain names with URLs containing EIDs. This way, the whole meaning-to-address translation chain becomes decentralized and absolutely resistant to any kind of deliberate monopolization (except for the scale-free networking effect). And, in any case, I would trade Verisign for Google any day. --vadim