<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#333333" bgcolor="#ffffff">
<font face="Helvetica, Arial, sans-serif">David,<br>
<br>
Let me respond to you in two parts. In the first, I will temporarily
agree with all of your tech/ operational arguments, and in the second,
through a separate email, make some comments on tech/operational
issues, and also seek some clarifications.<br>
<br>
You suggest that US really cant do anything significant to the global
Internet traffic, such is the way in which the global Internet is
structured. So, if indeed the bearer of the oversight role (defined as
the functions done in this regard by the US) can do no such potential
interference or harm, why would anything change if instead of the US,
an international body, duly constituted under international law (that
needs to also be signed by the US as well), gets to exercise the
oversight role. Especially when the same international law would
guarantee the broad principles of the present model as well as lay out
clear procedure to exercise the oversight function, both of which do
not exist in any internationally guaranteed way at present. I have a
feeling that I have said this before, but havent got a response.<br>
<br>
I suspect that you, or some others, would say that any such an
international body will soon get into some monkey business and cannot
be trusted. On the other hand, we, unhappy with US's unilateral
control, hold that the US, whether it has done so or not till now, is
likely to get into some monkey business with its oversight power. <br>
<br>
Now, lets look at a comparative picture of the two alternatives. We
know that US has been planning what has been called the Internet Kill
Switch bill, has sought interference with DNS system to enforce IP,
enforces unilateral sanctions on other countries, and imposes sanctions
on those countries who do not impose sanctions on countries that US
want them to (it did so recently with regard to Iran), </font><font
face="Helvetica, Arial, sans-serif">regularly </font><font
face="Helvetica, Arial, sans-serif">sends killer drones across
international borders with huge collateral damage, has systematically
used extremely potent software viruses against foreign
targets............<br>
<br>
On the other hand, an international body carefully constituted, will be
completely bound by its constitutional law, have US, EU (and other
'good' countries on board without whose consent nothing can be done),
have due procedures clearly and transparently laid out (let us agree to
not agree to anything less than that for such a body), have its minimal
role fully defined (which cannot be changed without US and other 'good'
countries agreeing), and so on....<br>
<br>
One can take ones pick. <br>
<br>
So, the point is, if you really think that, to quote, '</font> there
actually is no control, oversight or otherwise'<font
face="Helvetica, Arial, sans-serif"> why not accede to the little,
inconsequential demand of non US countries to be treated equally and
democratically, which kind of democratic impulse I think would be
native to most of us. Why not let them all together exercise this, as
per your argument, purely symbolic, non-control and non-oversight. Just
to make us feel happy and equal, even if the demand may be coming out
of some deep post-colonial socio-psychologies and has no material
implication or worth. Why not just indulge us a bit, when there seems
to be no cost in doing so. <br>
<br>
I simply fail to understand why when such an international system is
suggested, some very evil and formidable demons appear all around us
(look at the the ITU or even CIRP discussions), and then they </font><font
face="Helvetica, Arial, sans-serif">suddenly </font><font
face="Helvetica, Arial, sans-serif">completely disappear when a
possible abuse of the US's oversight position is being discussed. <br>
<br>
parminder <br>
<br>
</font><br>
On Tuesday 12 June 2012 11:54 PM, David Conrad wrote:
<blockquote
cite="mid:D59C9139-9593-40BB-BA75-E2A4EA42B7C6@virtualized.org"
type="cite">
<pre wrap="">Parminder,
On Jun 12, 2012, at 7:53 AM, parminder wrote:
</pre>
<blockquote type="cite">
<pre wrap="">In any condition that US law and executive power considers special - whether IP enforcement or security/ warfare related, all US based root servers will be obliged to fall in line.
</pre>
</blockquote>
<pre wrap="">
I'll admit some difficulty understanding the actions you argue the USG would be forcing root servers to comply with. Could you provide a concrete example of what you're concerned about?
</pre>
<blockquote type="cite">
<pre wrap="">Although David says DNSSEC does not change this situation at all, from his own description of the processes involved, I see that DNSSEC implementation greatly increases the various costs of non publishing of the authoritative root file as communicated from Verisign's server.
</pre>
</blockquote>
<pre wrap="">
I'm sorry I'm not explaining things clearly enough. Let me try it this way, completely ignoring the role the root server operators may (or may not) play since you find that unconvincing:
Assume the USG forces Verisign to remove .IN from the root zone. A query for <anything>.IN will then result in a "name error" response being returned to the querying resolver (typically operated by ISPs). With DNSSEC, some cryptographic data is also returned that allows the resolver to prove (in the mathematical sense) that the holder of the root zone signing key (Verisign) agrees that the "name error" should be returned. Without DNSSEC, you still get the "name error", the resolver just can't prove that's what the holder of the zone signing key intended.
So, we now have a root zone(provably, if you bother to verify the DNSSEC data) without .IN in it. Let's say you run an ISP anywhere in the world. Now, _all_ of your customers that attempt to connect to any website in the .IN domain will get "name does not exist" in their web browsers, email programs, bittorrent clients, etc. Your customers are probably not going to assume it is because the USG removed the .IN domain, rather they're more likely going to assume you screwed up somehow and call you to scream at you. After a sufficient number of calls (which, depending on the scale of your ISP, will probably be from minutes to hours), you'll most likely fix the problem for your users by getting a copy of the root zone, reinserting the .IN data into that copy, and putting that root zone on your resolvers.
Since you have fixed the problem in your resolvers, the fact that the root zone is DNSSEC-signed is completely irrelevant. DNSSEC only protects the resolver's cache from getting crap data inserted into it. Your customers, by using your resolvers, trust you to return accurate data. The _vast_ majority of those users will never see DNSSEC-related information since the resolver strips that information out when responding to client (e.g., web browser) requests. For those users that actually know enough to request DNSSEC information, they will undoubtedly know enough to solve the problem the same way you did.
So, the end result of the action taken by the USG is to completely remove the USG from any role in administering the root zone while at the same time generating vast amounts of (both domestic and international) outrage and destabilizing the Internet. The USG would want to do this because?
</pre>
<blockquote type="cite">
<pre wrap="">Do you still think other countries can trust the US with oversight control over such a vital infrastructure as the Internet?
</pre>
</blockquote>
<pre wrap="">
The part that I believe you're missing is that there actually is no control, oversight or otherwise. Because of the decentralized nature of Internet operations, the Internet only works because everyone (primarily ISPs) agrees that it should work (what Mitch Kapor termed "The Tinkerbelle Effect" at a meeting back in the early 90s). In my view, the role ICANN plays (or, perhaps more accurately, was intended to play) is to allow people to get together to agree on how a part of the Internet should work and my impression is that the USG merely tries to ensure ICANN follows its own policies and procedures to do this. Your assertions that the USG is going to go rogue and force bad things to be done to the root of the DNS ignores the fact that those bad things only have effect if everyone (primarily ISPs) all around the world agree that those bad things should occur. I am a bit skeptical this would occur.
Regards,
-drc
</pre>
</blockquote>
</body>
</html>