<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<font face="Verdana">David <br>
<br>
Thanks for your response.<br>
<br>
Your whole argument below depends on making a clean distinction
between scenario 1: all root servers acting as one - the root
server community, and scenario 2: one root server operator takes
a defiant stand. But neither does this clean distinction hold in
reality, nor is it valid vis a vis our earlier discussion, which
clearly brought up the scenario where some root server operators</font><font
face="Verdana"> (US gov controlled ones, and next, US located
ones)</font><font face="Verdana"> will - or will *have to* - act
one way, and the other root operators then having to look at
their options - to follow suit, or split the root. <br>
<br>
In terms of the existing situation, which was the subject of our
earlier discussions: <br>
<br>
We know that it is only the US gov that can today make a
'problematic' change in the root. It should be obvious that when
US gov does it, the root servers owned by the US gov will follow
suit. Next, it is extremely unlikely that any such 'problematic
change' will be made without some kind of legal backing, whether
of the foreign assets regulation kind or one about alleged
intellectual property violation. In either case, or other possible
similar ones, all US based root servers (10 out of the total of 13)
will have to comply and follow the changes made by the US gov in
the authoritative file. That leaves the 3 non US root server
operators... With the DNSSEC in operation (and I have always
contended, even otherwise) they do not have much of an option.<br>
<br>
Now, in terms of a possible extension of the number of root
servers (to 20 or more), which possibility triggered this
discussion: <br>
<br>
Considering that many if not most of these new root servers may go
to developing countries, in the same way that there are strong
developed country alliances, it is very likely that an operator in
India will have agreement with another in Ghana and a third one
in Argentina to stick out against any effort by the US to
unilaterally enforce its law and/or standards on the world.<br>
<br>
Therefore, in either case, a neat distinction - between all root
file operators acting as one, on one hand, and just one trying to
go its own way, on the other - does not obtain, and is not valid.
And it is such an imagined neat distinction that is the sole basis
of your argument.<br>
<br>
parminder </font><br>
<br>
<div class="moz-cite-prefix">On Friday 25 July 2014 07:40 PM, David
Conrad wrote:<br>
</div>
<blockquote
cite="mid:100B3D2C-D70F-4FF4-988F-78DBFBA849BE@virtualized.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Parminder,
<div><br>
</div>
<div>There is no change in my position.</div>
<div><br>
</div>
<div>Presumably, you can see the difference between these two
cases:</div>
<div><br>
</div>
<div>1) the root server operator community refusing to accept an
out-of-policy change coming from a compromised root zone
generation process; and</div>
<div>2) a single root server operator unilaterally choosing to
modify the contents of a valid zone.</div>
<div><br>
</div>
<div>In case #1, the root server operators can maintain the zone
contents that existed prior to the out-of-policy change and the
Internet's DNS will continue to work at least until the DNSSEC
signature expires. This period of time would be sufficient for a
separate signing and distribution infrastructure to be
established and for the world's resolver operators to either
abandon DNSSEC or for an emergency key roll to be performed.</div>
<div><br>
</div>
<div>In case #2, I believe it is quite unlikely a separate signing
and distribution infrastructure would be established and even
more unlikely all the world's resolver operators would be
willing to do the emergency key roll to the new key,
particularly since it would mean there would be a single root
server. As a result, the single root server's responses would
not validate.</div>
<div><br>
</div>
<div>In case #1, there would be tremendous disruption to the
stability of the Internet's DNS. I believe the risk/cost of that
disruption is (far) more than sufficient to deter any attempt to
impose out-of-policy changes, particularly as it would be a "one
way function": it would be impossible to reestablish any trust
in the previous system and all US government policy objectives
related to the Internet would instantly be made moot. Since any
attempt to modify the root out of policy would likely result in
lawsuits, temporary restraining orders, etc., I believe there
would be a vast amount of advance notice in which a separate
signing/distribution infrastructure could be built should the US
government go completely insane. </div>
<div><br>
</div>
<div>In case #2, the individual root server operator would simply
be made largely irrelevant ("largely" because some resolvers
would continue to probe the broken root server to see if it had
been fixed, but none of the answers would validate so validating
resolvers would simply drop those answers on the floor). I
doubt the operator of that root server would see this as being
in any way advantageous.</div>
<div><br>
</div>
<div>Hope this helps.</div>
<div><br>
</div>
<div>Regards,</div>
<div>-drc</div>
<div><br>
<div>
<div>On Jul 25, 2014, at 3:15 AM, parminder &lt;<a
moz-do-not-send="true"
href="mailto:parminder@itforchange.net">parminder@itforchange.net</a>&gt;
wrote:</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><font face="Verdana">Over
the years we - you and I - have had long discussions on
this list about whether and what kind of control the US
exercised on the root of the Internet. After a long
argument from either side - certainly very informative
to me - it will finally come to speculating on what
would the non US (or even the US based but not US gov
controlled) root servers do if US were to make a root
change not authorised by a proper global gov body,
basically ICANN at present. You would always insist that
in your opinion these other root server operators will
simply not follow suit - and not follow the 'wrongful'
root change. I would argue that I very much expect them
to fall in line - for legal reasons (in case of US based
servers) and geo-political reasons (in case of non US
ones, all being in US allied countries). But since this
counterfactual scenario could not be proven either way,
that would end our discussion.<br>
<br>
What I see as interesting is your statement below now is
that you *do not* see how other root server operators
*may not* follow the changes in the authoritative root
server (under US gov control). That is, you are saying
they will *have to* follow the changes made in
authoritative root file. But this is exactly the
opposite of the argument that you always used to
deadlock our conversations about the problem of US
control over the authoritative root server. Will request
you to share the reason for the change in your position,
as I understood it? (I must mention here that our
referred discussions took place after DNSSEC had been
put into place, and I did quote the relevance of DNSSEC
being used although I did say that I did not fully
understand how it worked and used to seek your help to
know more about it.)<br>
<br>
parminder<br>
<br>
<br>
</font>
<div class="moz-cite-prefix">On Thursday 24 July 2014
06:30 PM, David Conrad wrote:<br>
</div>
<blockquote
cite="mid:EA1D968B-36EA-49B6-8C37-53BAACEAE5E2@virtualized.org"
type="cite">
<pre wrap="">McTim,
On Jul 24, 2014, at 7:43 AM, McTim <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:dogwallah@gmail.com">&lt;dogwallah@gmail.com&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The question in my mind is "would those governments be willing to
serve the root without censorship?"
</pre>
</blockquote>
<pre wrap="">Given DNSSEC, that isn't really an issue.
The more interesting questions are "who picks?", "how do they pick?", "under what terms and conditions will service be provided?", and "how are those terms and conditions enforced?".
</pre>
<blockquote type="cite">
<pre wrap="">So India for example might be willing to pay, but would they be keen
to serve a root with .tata or .hindu in it?
</pre>
</blockquote>
<pre wrap="">If they modified the root zone, it would not validate. In most resolvers, this would mean that root server address would get deprioritized in the list of root servers that get queried. It would essentially be as if they didn't run the root server.
Regards,
-drc
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>