<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">David,<br>
<br>
On Sunday 05 August 2012 10:40 PM, David Conrad wrote:<br>
</div>
<blockquote
cite="mid:2F7C0136-DA33-4C00-A2DA-E368182FC0B1@virtualized.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Snip)
<div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">So if indeed it is
not, why not breach it and make people of the world happy.
</div>
</blockquote>
<div><br>
</div>
<div>Even if it were possible, I sincerely doubt everyone
having their own root server would make the people of the
world happy.</div>
</div>
</div>
</blockquote>
<br>
A good issue, and in the present circumstances, the right issue, to
explore. <br>
<br>
I understand that you and the technical community agree that, in the
first instance, the root servers were distributed among different
agencies primarily to avoid capture. Right!<br>
<br>
To make sure we agree on this, I quote you from your email below<br>
<br>
"The diversity of architecture and lack of centralized control is
seen as a feature as it reduces the opportunities for "capture"."
(David)<br>
<br>
And I quote an ISOC document, as something that could represent the
viewpoint of technical community in general. <br>
<br>
<blockquote>"......the root name servers that publish this zone file
are organised in a distributed and diverse fashion. No single
entity has authority or control over the operation of these
servers. This diversity and the distributed authority has been a
key element of the reliability of the root name service. Therefore
this diversity should be maintained in the face of increasing
pressure for more hierarchical "Internet Governance".
<a class="moz-txt-link-freetext" href="http://www.isoc.org/briefings/019/">http://www.isoc.org/briefings/019/</a> <br>
</blockquote>
Again, what is being suggested is that distribution of 'power' over
different entities running root servers helps avoid 'capture'. Very
well! Now we should see that this is clearly political territory,
talk of capture and distribution of power. Somebody rightly decided
that if root server operations are distributed among different
agencies and not subject to any 'single entity having authority or
control over the operation of these servers' it will be good for the
Internet, users etc. I understand that we agree up to this point.<br>
<br>
Now, it is obvious that the decision to do the above was a political
decision, including the choice of which all agencies should
operation of root servers be distributed over. It was basically a US
decision - take or give something from a compact of US gov - other
US entities. Now a few years down the line, the Internet globally
being what it is, some people think that this political decision is
not quite adequate to the current circumstances, and want a
'political' review of it. <br>
<br>
They are not satisfied that the 'capture' possibility has been
adequately accounted for. (Let us not lose sight of the fact that
the idea and possiblity of 'capture' is not an invention of their
conspiratorial minds. As above it is a prior issue central to
current design of root server ownership.)<br>
<br>
The logic of 'no single entity having the authority or control over
operation of root server' does not stand close geo-political
scrutiny, esp in today's world. 9 of the 12 root server operators
are in the US and directly and full subject to US executive's
emergency authority (believe me, they very surely are, and if we
want to argue this point, lets argue it separately, so that we dont
dilute the chain of logic here). Three root servers are outside in
US friendly OECD countries, that routinely cooperate with the US
closely in all kinds of strategic, including military and criminal,
matters. Hounding of CEO of megauploads and wikileaks come easily to
mind as instances of close cooperation in cross border Internet
manners of the kind that are not so palatable to the rest of the
world. Through OECD and other plurilateral pacts these countires are
configuring an ever closer relationship vis a vis the global
Internet. On global military and security matters, and the term
'capture' relates to exceptional but plausible global scenarios,
these countries always coordinate closely, and largely follow US
diktats, esp on real 'global' emergencies. <br>
<br>
Now, would you fault someone if he were to reason that the present
strategy against 'capture' vis a vis the operation or the root/ DNS
system of the Internet, while laudable in its initial intentions, is
not quite adequate, and is not in keeping with times. A simple and
direct political formulation. What do you say to it? This is crucial
point for us to cross, and if need be, argue and come to some common
conclusion on. This requires clear political views, not technical,
and I think we will agree to this fact.<br>
<br>
One can suggest that given the current situation of the Internet,
the very same laudable intention of avoiding capture that informed
the present root server system, when it was instituted, requires us
to change the system. Is it really all that illegitimate a political
demand. What is your response to this question? No, this is not an
aside. This is the only question that the Indian and African
minister really brought to the table, something which triggered and
underlies the present discussion. One side cant conveniently turn
the discussion around to what it wants to discuss, and calling the
'allocation of root servers' issue as a red herring as you do in
your email. Such allocation and possible reallocation is 'the' issue
we want to discuss. Of course there are other issues that you may
want to bring to the table, and sure enough, we should discuss them
too. But we cant just unilaterally pooh-pooh issues that are
considered very important by others. especially when, as shown
above, it take the very logic of 'capture' that you propose to its
logical political consideration. <br>
<br>
This brings us to the key, in fact, the original question, rescued
from under the labyrinth of all kinds of obfuscations; why cant we
either increase the number of root servers (operators) and allocate
new ones to new agencies in a manner that is globally better
distributed and more just or, if that is not possible, reallocate
the existing root servers from too many agencies in a single country
to those in others, esp in the South.<br>
<br>
This will require an examination of the following questions<br>
<br>
(1) whether the number 13 can be breached, and more root server
operators created, and/or<br>
(2) the existing root server operations can be reallocated.<br>
<br>
I believe both options are possible (but surely, at least one is
possible which serves as well), but we can discuss the technical and
political issues involved. <br>
<br>
This is the political demand from the South which cannot just be
pooh poohed by describing its ministers as ill-informed or stupid.
We seek full engagement of the civil society and other actors with
this political demand. <br>
<br>
parminder<br>
<br>
<br>
<br>
<br>
<blockquote
cite="mid:2F7C0136-DA33-4C00-A2DA-E368182FC0B1@virtualized.org"
type="cite">
<div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">Even within the limit
of 13, why not allocate root servers in a geo-graphically
equitable manner, as Sivasubramanian has suggested,
especially when it seems to make no difference at all to
anyone. Why not make all these ill-informed ministers
happy. </div>
</blockquote>
<div><br>
</div>
<div>As mentioned in a previous note, the operators of the
root servers are independent (modulo "A" and "J" (through
the Verisign contract with the USG) and "E", "G", and "H"
(operated by USG Departments), albeit each of these
operators deal with their root servers differently). How
root server operators distribute their instances is entirely
their decision. To date, there has apparently been
insufficient justification for those root server operators
to decide to distribute their machines in a "geo-graphically
equitable manner".</div>
<div><br>
</div>
<div>With that said, there are at least two root server
operators ("L" (ICANN) and "F" (ISC)) who have publicly
stated they are willing to give a root server instance to
anyone that asks. Perhaps the ill-informed ministers could
be informed of this so they could be happy?</div>
<br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">I read that there is
no central control over the 13 or at least 9 of these root
servers. Is it really true? </div>
</blockquote>
<div><br>
</div>
Yes. The diversity of architecture and lack of centralized
control is seen as a feature as it reduces the opportunities
for "capture".</div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">Is the 13 root server
architecture not something that is aligned to what goes in
and from the authoritative root server. </div>
</blockquote>
<div><br>
</div>
Root server architecture is independent of how the root zone
is distributed.</div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">If it is, why can
these root servers not be reallocated in the way tlds have
been reallocated. Can they be reallocated or cant they? </div>
</blockquote>
<div><br>
</div>
<div>In practical terms, the "reallocation of a root server"
boils down to transferring the root server's IP address and
telling the new owner the zone transfer password.</div>
<div><br>
</div>
<div>Before the DNS became a political battleground, root
server "reallocation" occurred (extremely infrequently) when
(a) the person to whom Jon Postel "gave" the root server
changed employers or (b) the assets of the organization
running the root server were acquired by another company.
Today, "reallocation" of a root server would either require
the existing root server operator voluntarily giving the
root server IP address to a different organization or that
IP address would have to be "taken" by eminent domain or
somesuch.</div>
<div><br>
</div>
</div>
<div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">I also read that the
it is not about 13 physical root servers, but 13 root
server operators, </div>
</blockquote>
<div><br>
</div>
<div>Well, 12 operators (since Verisign operates two root
servers).</div>
<br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">so the number 13 is
about the root server ownership points, and not physical
location points. </div>
</blockquote>
<div><br>
</div>
In the sense that there are 13 IP(v4) addresses that are
"owned" by 12 organizations. Geography is largely irrelevant.</div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">Therefore what is
needed is to reallocate the ownership points in a
geo-politically equitious manner. As Siva suggests,
probably one to an Indian Institute of Technology. </div>
</blockquote>
<div><br>
</div>
<div>Somewhat as an aside, my understanding is that efforts to
provide infrastructure (not root server infrastructure
specifically albeit the same folks do provide anycast
instances for a root server operator) in India were blocked
by demands for bribes greater than the value of hardware
being shipped into the country (see <a
moz-do-not-send="true"
href="http://permalink.gmane.org/gmane.org.operators.nanog/100786">http://permalink.gmane.org/gmane.org.operators.nanog/100786</a>).</div>
<br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">Why this is not done,
or cant be done are the real questions in the present
debate. Any answers?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Sure. You are assuming a top-down model that does not
exist. There is no single entity that can dictate to the
root server operators "you will give your root server to
IIT". You and others that care about this are free to make
the case to (say) Verisign that it would be in their
corporate best interests for them to relocate administrative
control of one of their root servers to India, but it would
be up to Verisign (or perhaps more accurately, its
shareholders) to make that decision.</div>
<br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">Is the real problem
here that if root server allocation issue is opened up,
countries would like to go country-wise on root servers
(as the recent China's proposal for 'Autonomous Internet')
which will skew the present non-nation wise Internet
topology (other than its US centricity), which is an
important feature of the Internet.<br>
</div>
</blockquote>
</div>
<br>
</div>
<div>No. Placement of root servers has no impact on Internet
topology. Really. Distributing root server instances can be
helpful in reducing root query latency and improving resiliency
in the event of network disruption. That's pretty much it.
Opening up the "root server allocation issue" is a red herring,
particularly given pretty much anyone can get a root server
instance if they care and are willing to abide by the
restrictions inherent in operating a root server. </div>
<div><br>
</div>
<div>Merging a subsequent note:</div>
<div><br>
</div>
<div>
<div class="moz-cite-prefix">On Sunday 05 August 2012 06:10 PM,
parminder wrote:</div>
</div>
<div>
<blockquote type="cite"><span style="background-color: rgb(255,
255, 255); ">' administrative access will not be available'
to the anycast operator to his own anycast server. </span></blockquote>
<div><br>
</div>
<div>Yes. However, if you ask anyone familiar with computer
systems, you will be told that if you have physical access to
a machine, you can gain control of that machine. Obtaining
such control would violate the terms by which the machine was
granted, but that's irrelevant.</div>
<br>
<blockquote type="cite"><span style="background-color: rgb(255,
255, 255); ">This is a pretty centralised control, </span><span
style="background-color: rgb(255, 255, 255); ">not at all
the picture one got from all the technically well informed
insiders who seem to suggest on this list that everything is
open, uncontrolled and hunky-dory and kind of anyone can set
up and operate root servers.</span></blockquote>
<div><br>
</div>
<div>I'm getting the impression that you read what you prefer to
read, not what is actually written. No one (to my knowledge)
has suggested "everything is open, uncontrolled and
hunky-dory". Root service is considered critical
infrastructure and is treated as such, so anyone asserting it
is "open and uncontrolled" would be confused at best. Can you
provide a reference to anyone making this suggestion?</div>
<div><br>
</div>
<div>As for "hunky-dory", I suppose some folks would say the way
the root servers are operated is "hunky-dory". I am not among
them.</div>
<div><br>
</div>
<blockquote type="cite"><span style="background-color: rgb(255,
255, 255); ">Was the African minister really so wrong, or
even the Indian minister? </span></blockquote>
<br>
</div>
<div>Yes. Really. </div>
<div><br>
</div>
<div>Regards,</div>
<div>-drc</div>
<div><br>
</div>
</blockquote>
<br>
</body>
</html>