<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
David<br>
<br>
I agree with all your statements of fact below, though not
necessarily with what you yourself describe as - or will agree are -
opinions.<br>
<br>
In my view, the operative part in your email below is<br>
<br>
"My guess is that if the US government were to run amok and modify
the root zone outside of existing policy/process, most of the root
server operators (including the US ones not directly affiliated with
the US government) would choose (e) as a first step, followed (as
quickly as possible) by (d). The ones outside the US would probably
do (c), followed quickly by (d). "<br>
<br>
And I will repeat your (c), (d) and (e)<br>
<br>
<div>"c) refuse to serve the new zone and maintain the last known
good zone, at least as long as the DNSSEC signature is valid"</div>
<div>"d) obtain a different root zone (signed under a new key) from
a new maintenance/signing body"</div>
<div>"e) turn off their root server"<br>
<br>
Leaving the intermediary steps (c) or (e), you agree that in case
US makes any root changes outside the ICANN process ( motivated
by, say, the US executive's needs or a court order) a new root
maintenance/ signing body will immediately be needed. That is
pretty big, you'd agree. <br>
<br>
However, at the opinion level, you simply discount the possibility
of such an action emanating from the US gov/ courts because you think
that it contravenes US's existing policies and record. <br>
<br>
You responded to McTim's question about a possible Indian
government's interference with a (now) possible India located root
server not just by a political 'opinion' that India is unlikely to
do such an act which violates global Internet's integrity and
would be against its formal or informal global commitments. You
actually developed a scenario of how such an act by the Indian
government would simply be of little practical value, and
therefore implying that (1) India would probably not do it, and
(2) even if India did it, the global Internet will be largely
safe. Fair enough.<br>
<br>
Perhaps you might realise that Indian record of entering into and
fulfilling international obligations is by far much better than that of
the US. In fact, the US has kind of, perhaps, the worst global
record for unilateral actions in defiance of global norms when it
suits its own interests. If you disagree, we can discuss this
point further. (BTW, I am sure you have heard of drone attacks on
Pakistan territory, often guided simply by the location data of a
targeted mobile phone!) <br>
<br>
Therefore, as McTim and apparently you seek/ build forward-looking
scenarios to ensure the safety of the global Internet in the
imaginary case of India getting one among many of the root servers
and then one day deciding to do something funny and out of order,
why should we, as a global community, not think of such forward
looking scenarios with the US sitting over the single
authoritative root file. <br>
<br>
And as we think of such a scenario and see that if US executive or
courts ever order one root change outside the ICANN process we
will immediately need a new root zone maintenance/ signing body
(obviously out of the reach of US's jurisdiction), I don't see why
we should not already be seeking such a body (subject to
international instead of US law). I as a non US citizen certainly
do not see any reason. In fact we now already have a US court
decision to seize .ir from the root file.<br>
<br>
Where else do we wait for a complete disaster to actually take
place before we start to make arrangements to safeguard ourselves
from disasters? This one is imminent. If it is not this court
order, it will certainly come sooner than later with regard to the
hundreds of new gtlds that are being instituted. I often use the
example of a generic drugs company doing global trade in generic
drugs whose gtld is sought to be seized by big pharma through US
court action. In fact, the application of US jurisdiction already
could be having the 'chilling effect' of dissuading some global
business from seeking and using gtlds in any major way because it
makes a very big component of their business subject to US law,
which they may or may not want to happen. <br>
<br>
Are these not major problems of global governance? IANA transition
issue is supposed to be basically about these huge current and
impending problems. We need global discussions about them and
their possible resolution.... The fact that we have a complete
sham being carried out right now in the name of IANA transition is
something at least civil society should sit up and reflect
about... <br>
<br>
parminder <br>
</div>
<br>
<div class="moz-cite-prefix">On Sunday 27 July 2014 09:51 AM, David
Conrad wrote:<br>
</div>
<blockquote
cite="mid:63E8FB10-2991-4013-9C6F-8BA747610828@virtualized.org"
type="cite">
Parminder,
<div><br>
</div>
<div>On Jul 26, 2014, at 9:19 AM, parminder &lt;<a
moz-do-not-send="true" href="mailto:parminder@itforchange.net">parminder@itforchange.net</a>&gt;
wrote:</div>
<div>
<div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><font face="Verdana">Your
whole argument below depends on making a clean
distinction between scenario 1: all root servers acting
as one - the root server community, and scenario 2; one
root server operator takes a defiant stand. </font></div>
</blockquote>
<div><br>
</div>
<div>McTim asked 'The question in my mind is "would those
governments be willing to serve the root without
censorship?"'</div>
<div><br>
</div>
<div>I generally do not consider imposing censorship taking "a
defiant stand", but I gather you have a different view.</div>
<div><br>
</div>
</div>
<div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><span
style="font-family: Verdana;">We know that it is only
the US gov that can today make a 'problematic' change in
the root.</span></div>
</blockquote>
<div><br>
</div>
<div>For such a "problematic" change to be made, the US
government would have to contravene pretty much every
Internet and telecommunications policy they have instituted
and promoted since (at least) 1996 or so. Could the US
government do so? In theory, yes. In theory, the host
country of the entity making changes to the root zone could
do a lot of things. However, since the Internet has been in
operation, the US government has not made "problematic"
changes in the root despite being at war, imposing sanctions,
having had embassies overrun, not having diplomatic
relations, changing from Democratic to Republican and vice
versa a number of times, etc., etc. I remain skeptical that
the US government would see it in their best interests to
make one of these "problematic" changes. However for the
sake of argument...</div>
</div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><font face="Verdana">It
should be obvious that when US gov does it, the root
servers owned by the US gov will follow suit. </font><span
style="font-family: Verdana;">Next, it is extremely
unlikely that any such 'problematic change' will be made
without some kind of legal backing, whether of the
foreign assets regulation kind or one about alleged
intellectual property violation. </span></div>
</blockquote>
<div><br>
</div>
Presumably you mean "_with_ some kind of legal backing".
Again, for the sake of argument, I'll just ignore the
likelihood of lawsuits, appeals, temporary restraining orders,
etc.</div>
<div><br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><span
style="font-family: Verdana;">In either case, or other
possible similar ones, all US based root servers (10 out
of the total of 13) will have to comply and follow the
changes made by the US gov in the authoritative file. </span><span
style="font-family: Verdana;">That leaves the 3 non US
root server operators... With the DNSSEC in operation
(and I have always contended, even otherwise) they do
not have much of an option.</span></div>
</blockquote>
<div><br>
</div>
Of course they have options -- they provide root service
voluntarily after all. I believe an exhaustive list of those
options would be:</div>
<div><br>
</div>
<div>a) serve the new zone unmodified</div>
<div>b) modify the zone and serve it</div>
<div>c) refuse to serve the new zone and maintain the last known
good zone, at least as long as the DNSSEC signature is valid</div>
<div>d) obtain a different root zone (signed under a new key)
from a new maintenance/signing body</div>
<div>
<div>e) turn off their root server</div>
<div><br>
</div>
<div>Of those options (and assuming for simplicity the Evil US
government has removed a top-level domain as one example of
their evilness):</div>
<div><br>
</div>
<div>- If (a) is chosen, and validating resolver operators do
nothing, the Evil US government wins.</div>
<div><br>
</div>
<div>- If (b) is chosen, validating resolvers will ignore the
responses. Resolvers that do not validate would serve back
the responses to end users, but this would likely result in
end user confusion as sometimes names would resolve and
sometimes they wouldn't (depending on which root server the
resolver happens to query).</div>
<div><br>
</div>
<div>- If (c) is chosen, validating resolvers will continue to
work and their operators would have a couple of weeks to
figure out what they wanted to do. However, as with option
(b) there would likely be end user confusion as depending on
what root server the resolver queries, the same name may or
may not resolve.</div>
<div><br>
</div>
<div>- If (d) is chosen, validating resolver operators would
need to update their trust anchors to point to the new
signing authority and only list the root servers serving the
zone under the new key. Since presumably all the root
servers listed would have a consistent root zone, there
would be no end user confusion.</div>
<div><br>
</div>
<div>- If (e) is chosen, load would shift to the remaining
root servers, potentially resulting in resolution failures
as the other root servers began to get overloaded (unless
action were taken to expand the capacity of the remaining
servers, of course).</div>
<div><br>
</div>
<div>My guess is that if the US government were to run amok
and modify the root zone outside of existing policy/process,
most of the root server operators (including the US ones not
directly affiliated with the US government) would choose (e)
as a first step, followed (as quickly as possible) by (d).
The ones outside the US would probably do (c), followed
quickly by (d). </div>
<div><br>
</div>
<div>However, you'll note from the above that the important
players aren't really the root server operators. Root
servers are, after all, merely a distribution channel. I
personally believe their operators would, in the face of
out-of-policy changes, choose not to play, but that's just
my opinion. What isn't an opinion: the folks who really
matter in these scenarios are the resolver operators. It is
the resolver operators that control the list of root servers
to query and the DNSSEC key to trust (and whether or not
they even bother with DNSSEC). And many of the larger
resolver operators already mirror the root zone themselves
so they don't actually even query the root servers. Since
they fetch the root zone themselves, it is easy for them to
fetch it (and its trust anchor if they're doing DNSSEC) from
a different place than they do now.</div>
<div><br>
</div>
<div>So, in the scenarios you posit, the end result would be
to force migration away from the current system (the one the
US has been arguing for for almost 2 decades) and at the
same time, creating a vast amount of instability and
potential for end user confusion. I remain highly skeptical
that _anyone_ in the US government would see this in their
best interests. Ever. So perhaps we'll just have to agree to
disagree.</div>
<div><br>
</div>
</div>
<div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"><font face="Verdana">Considering
that many if not most of these new root servers may go
to developing countries, in the same way that there are
strong developed country alliances, it is very likely
that an operator in India will have agreement with
another in Ghana and a third one in Argentina to stick
out against any effort by the US to unilaterally enforce
its law and/ or standards on the world.<br>
</font></div>
</blockquote>
<div><br>
</div>
<div>Just in case it isn't obvious, DNS resolvers do not
understand geo-political boundaries. Most resolvers pick the
root server that responds the quickest, which is typically
the server that is network topologically, not necessarily
geographically or geo-politically (even within a country),
closest (some resolvers always pick root servers at random,
but these are increasingly rare). However, again for the
sake of argument, ignoring that...</div>
<div><br>
</div>
<div>The options I list above would apply to the root server
operators in India, Ghana, Argentina, etc. as well. What
agreements the root server operators have among themselves
isn't particularly relevant. What matters is who the
resolver operators trust. Unless the root server operators
in India, Ghana, Argentina, et al., also got into the
business of generating and signing a root zone that they
would then serve along with distributing the trust anchor
for that root zone (and get resolver operators to configure
that trust anchor), it isn't clear to me the point of such
an agreement (well, other than political grandstanding).</div>
<div><br>
</div>
<div>Regards,</div>
<div>-drc</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
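<div>Added example (not part of either email above, and not code from any root server or resolver operator): option (c) in David Conrad's list holds only "as long as the DNSSEC signature is valid", so this Python sketch reads the RRSIG expiration fields of a retained zone copy and reports how long it can still be served to validating resolvers. The zone text, key tags and signature fields are constructed placeholders, and one record per line is assumed.</div>

```python
from datetime import datetime, timezone

# Constructed sample in zone-file presentation format. This is not real root
# zone data: key tags (11111, 22222) and signature fields are placeholders.
SAMPLE_ZONE = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014072700 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20140806000000 20140726230000 11111 . cGxhY2Vob2xkZXI=
. 518400 IN RRSIG NS 8 0 518400 20140806000000 20140726230000 11111 . cGxhY2Vob2xkZXI=
. 172800 IN RRSIG DNSKEY 8 0 172800 20140810235959 20140727000000 22222 . cGxhY2Vob2xkZXI=
org. 86400 IN RRSIG DS 8 1 86400 20140806000000 20140726230000 11111 . cGxhY2Vob2xkZXI=
"""

def _ts(field):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS in UTC (RFC 4034).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Return (owner, type_covered, inception, expiration) per RRSIG line."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if len(f) >= 13 and f[2] == "IN" and f[3] == "RRSIG":
            sigs.append((f[0], f[4], _ts(f[9]), _ts(f[8])))
    return sigs

def stale_zone_window(zone_text, now):
    """Report how long a retained zone copy still validates, judged at `now`."""
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records: zone is unsigned or truncated")
    first_expiry = min(exp for _, _, _, exp in sigs)
    return {
        "first_expiry": first_expiry,
        "seconds_left": max(0, int((first_expiry - now).total_seconds())),
        # RRsets whose signature has already lapsed: validators reject these.
        "expired": sorted((o, t) for o, t, _, exp in sigs if now >= exp),
        # Signatures dated in the future usually indicate local clock error.
        "not_yet_valid": sorted((o, t) for o, t, inc, _ in sigs if inc > now),
    }

if __name__ == "__main__":
    when = datetime(2014, 7, 27, 12, tzinfo=timezone.utc)
    report = stale_zone_window(SAMPLE_ZONE, when)
    print(report["first_expiry"].isoformat(), report["seconds_left"] // 86400, "days left")
```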
</body>
</html>