William,

You bring up a GREAT point.  Nobody likes sharing their customer list, 
although clearinghouses, in order to get provider customers need to at 
least share their payer connectivity list.

But the DNS has a clear advantage here.  Let me explain a few more 
technical details.  Time to get a drink to wash the popcorn.

Normally, since the DNS servers are a very critical resource, each 
domain has at least two DNS servers, one considered "primary" and the 
other "secondary".  Most DNS queries go to the primary server, but if 
the primary server does not answer in a reasonable time (2-5 seconds) 
then the query is sent to the secondary, assuming the primary may be 
down.  Important domains, or domains that have a "critical" nature will 
have one primary and several secondary DNS servers.

When you configure a DNS server you can leave it open to "zone 
transfers" or limit the "zone transfers" to only certain other DNS 
servers, typically only your secondary DNS servers.

A "zone transfer" occurs when you connect to a DNS server and ask it to 
give you a complete copy of all its DNS information.  This gives you an 
exact image of everything the server knows about a domain, including the 
names and IP addresses of all the hosts in that domain.  This service is 
necessary for the information to cascade down from the primary DNS 
server to the secondaries.

But if the "zone transfer" mechanism is open to the world, anybody can 
connect to your DNS server and take a look at the name and IP address of 
every one of your hosts, and this opens the door to a subsequent attack 
on each of those machines.  So, in order to provide a little better 
security, the "zone transfers" are normally only allowed from the 
primary to the secondary DNS.

However, even with restricted "zone transfers", anybody can connect to 
the DNS server and ask for the existence of a specific host, as long as 
they know the exact host name to begin with.  The DNS server responds 
with the IP address or the MX record or other information requested.

It is like the difference between having a phone book and calling 
directory assistance.  The "zone transfer" gives you the whole telephone 
book, and the normal DNS operation gives you one number at a time.

The bottom line is that going to a DNS type of operation would give the 
clearinghouses much better control of their connectivity information 
because it would not reveal the entire list to everybody.  This is a 
better security mechanism than what we have today.

By now you know a lot more about DNS than you ever wanted to know.  I 
hope it ends up being useful in finding a solution to our problem.

Kepa


William J. Kammerer wrote:

> Thanks to Kepa Zubeldia and Dick Brooks for their enlightening
> historical perspectives on the evolution of DNS.  I'm thankful the
> graybeards of our industry are around to share with us memories of the
> old days, for surely otherwise, hubristic and callow youths like myself
> would make the mistake of thinking history began with them.
> 
> I do see another problem with the DNS proposal, besides the security
> concern posed by Dick and the time constraints raised by Rachel
> Foerster:  would you share your customer list?  If not, you can see why
> VANs and Clearinghouses might be loath to make their complete customer
> list available on distributed DNS servers or an LDAP directory.
> 
> I thought I was pushing it when I proposed auto-interconnection back on
> 20 January, whereby one VAN or CH could ask another whether an entity
> identified by a certain identifier was accessible via their system.  I
> could see VANs or CHs fighting that small reform, unless otherwise
> compelled by HIPAA law to share that information.  Never have I imagined
> that a switch would expose the contents of their entire directory (or
> customer base) - their "family jewels," if you will - in an open
> directory!
> 
> William J. Kammerer
> Novannet, LLC.
> +1 (614) 487-0320

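Kepa's "phone book versus directory assistance" distinction, as an added example that is not part of the original thread: a small Python model of an authoritative DNS server whose zone-transfer (AXFR) access list can be open or restricted to the secondaries, next to the ordinary one-name-at-a-time lookups that the same server answers for anyone. The zone contents, host names and client addresses are constructed for illustration and are not taken from any real network; `AuthServer` and `enumerate_hosts` are hypothetical names chosen here.

```python
"""Model of an authoritative DNS server's zone-transfer ACL.

Added example, not code from the original e-mail thread. The zone data
and client addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed example zone: owner name -> list of (record type, value).
ZONE = {
    "example.com.":        [("NS", "ns1.example.com."),
                            ("NS", "ns2.example.com."),
                            ("MX", "10 mail.example.com.")],
    "ns1.example.com.":    [("A", "192.0.2.1")],
    "ns2.example.com.":    [("A", "192.0.2.2")],
    "mail.example.com.":   [("A", "192.0.2.10")],
    "www.example.com.":    [("A", "192.0.2.20")],
    "edi-gw.example.com.": [("A", "192.0.2.30")],   # not guessable from a common wordlist
}


class AuthServer:
    """Hypothetical authoritative server holding one zone."""

    def __init__(self, zone, allow_transfer):
        self.zone = zone
        # allow_transfer: None means AXFR is open to the world (the weak
        # setting); a list of networks restricts AXFR to those clients,
        # typically only the secondary servers.
        self.allow_transfer = allow_transfer

    def transfer_allowed(self, client):
        if self.allow_transfer is None:
            return True
        addr = ip_address(client)
        return any(addr in ip_network(net) for net in self.allow_transfer)

    def axfr(self, client):
        """Zone transfer: the whole 'phone book', or REFUSED."""
        if not self.transfer_allowed(client):
            return ("REFUSED", [])
        records = [(name, rtype, value)
                   for name, rrs in self.zone.items()
                   for rtype, value in rrs]
        return ("NOERROR", records)

    def query(self, client, qname, qtype):
        """Ordinary lookup: one name at a time, answered for any client."""
        rrs = self.zone.get(qname)
        if rrs is None:
            return ("NXDOMAIN", [])
        answers = [(qname, rtype, value) for rtype, value in rrs if rtype == qtype]
        return ("NOERROR", answers)


def enumerate_hosts(server, client, domain, wordlist):
    """What an outsider learns when AXFR is refused: only the names it can
    guess, one 'directory assistance' query per candidate label."""
    found = {}
    for label in wordlist:
        name = f"{label}.{domain}"
        rcode, answers = server.query(client, name, "A")
        if rcode == "NOERROR" and answers:
            found[name] = answers[0][2]
    return found


if __name__ == "__main__":
    outsider = "203.0.113.5"          # constructed: some host on the Internet
    secondary = "192.0.2.2"           # constructed: ns2, the legitimate secondary

    open_server = AuthServer(ZONE, allow_transfer=None)
    print("open AXFR from outsider:", open_server.axfr(outsider)[0],
          len(open_server.axfr(outsider)[1]), "records")

    locked = AuthServer(ZONE, allow_transfer=["192.0.2.2/32"])
    print("restricted AXFR from outsider:", locked.axfr(outsider)[0])
    print("restricted AXFR from secondary:", locked.axfr(secondary)[0])
    print("guessed hosts:", enumerate_hosts(locked, outsider, "example.com.",
                                             ["www", "mail", "ftp", "ns1"]))
```

With the transfer list restricted, the outsider's AXFR is refused but individual A-record lookups still succeed for every name it can guess; the host that never appears in a wordlist (`edi-gw` here) stays hidden, which is the narrower exposure Kepa is describing.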