[governance] USG on ICANN - no movement here

Karl Auerbach karl at cavebear.com
Sun Aug 10 14:09:00 EDT 2008


Avri Doria wrote:

>> There is no reason whatsoever that the internet can not have multiple, 
>> consistent root systems, each offering up its own perception of the 
>> proper set of top level domains (disputes over conflicts of names of 
>> TLDs would be handled by exactly the same international mechanisms 
>> used today to deal with global brand names, and besides, if you or 
>> your ISP don't like what one root zone offers you can simply use one 
>> you like better.)
...
> assuming it is not just mental block that prevents anyone from doing 
> this, how come it hasn't happened?

It has happened - there have been competing root systems for years.  And 
many people use a variation of the idea without knowing it by virtue of 
ISPs intercepting DNS queries and vectoring them to their own servers.

The problem why competing roots have not grown to be visible (or 
financially viable) is based on a number of factors:

1. Most of 'em are run by people who seem to want to play games rather 
than run a solid operation.  As an experiment I used one of these, even 
though it was not solidly run, for several years for myself and my 
company.  There were zero problems (except for the .biz conflict, but 
that was caused by ICANN intentionally disregarding a pre-existing and 
operating TLD of that name) until one of the folks running one of the 
servers decided to operate outside the limits of the domain name RFCs.

2. The technical system composed of NTIA/ICANN/Verisign building a root 
zone file and the legacy root operators publishing that zone is run with 
intense professionalism and extremely high quality.  It is a class-act 
(I hope that's not too much of an American idiom).

But there are quality operations - http://european.ch.orsn.net/

And there was once a very cool bit of web-based software called "grass 
roots".  What it was was a website that listed all of the various TLDs 
that people have, such as my own .ewe.  As a user you went through and 
selected which TLDs you wanted in your constellation and, if any were in 
dispute, which particular choice among the disputants.  The website 
generated a zone file that one could use to load bind and, voila, one 
could run without recourse to any root system at all - all of the root 
information was in your own servers.  The website remembered your 
choices so, if a TLD updated its list of servers or otherwise changed, 
you could easily generate a new zone file.

When I talk about competing roots, I mention "consistency".  Consistency 
is *very* important.  People as users and people as publishers of 
network resources would not like being surprised and discovering that 
the names they use and utter don't work right.

Some people define "consistency" as precise equivalence of TLDs in root 
zone.  (ORSN does this although they reserve the right to retain a TLD, 
such as for example, .su, should ICANN remove it from their own root zone.)

I tend to define "consistency" more broadly.  In my definition, two root 
zones are consistent if for each TLD they contain the delegation 
information is equivalent.  Thus every TLD they contain in common is 
backed by the same TLD servers and thus identical data.

My definition allows each operator of a system of root servers to offer 
their own blend of TLDs in the root zone file they publish.  This is a 
key point.

Because by allowing each root operator to choose the inventory of TLDs 
being offered we create a path for new aspiring TLDs to try to gain a 
place in the sun.

Some aspiring TLDs will find that they can not convince any root 
operator to include their "product"; those TLDs will die.

Some aspiring TLDs will convince some root operators to include their 
product.  Those TLDs will, for as long as they are in only a few roots, 
be boutique TLDs.  But being a boutique TLD is not to say that it is a 
useless TLD.  Various groups, religious, educational, or whatever, may 
find it useful to set up their own TLD and all the members use whatever 
root publishes their TLD.

Some aspiring TLDs may grow to such demand that root operators will 
choose to incorporate them as a matter of course - we can anticipate that 
the NTIA/ICANN/Verisign suite of about 250 TLDs will be in this category.

Some aspiring TLDs will not wait to be chosen but will pay root 
operators to include their product into those operators' list of TLDs.

(Once a TLD has become one of the must-have ones it is conceivable that 
the situation could turn around and that the root operator must pay the 
TLD for the right to publish that TLD.)

Getting to disputes over names: These will certainly arise.

TLDs with the same name are tainted goods, no rational root system 
operator would want these in its inventory - such TLDs are going to 
cause user confusion and raise trouble for the root operator. 
Consequently, those TLDs that are in dispute are going to have trouble 
finding a place to exist and will thus have an incentive to resolve the 
dispute.

And as for forums to resolve disputes: The worldwide system that 
resolves disputes over product names, trade and service marks, is quite 
usable to resolve disputes between those who are trying to run different 
TLDs under the same name.  Yes it is a system that is full of lawyers 
and other denizens of the darkness, but it is a system that works and is 
no less fair than ICANN's UDRP and certainly has the very important 
characteristic of being already in operation and pretty much universally 
accepted.  In other words we don't need to create an overlord of names 
to resolve disputes over TLD names: we already have a distributed system 
that stands ready and able to do the task.

So, as you can see, if we had competing, consistent roots those who want 
to try their hand and risk their money on building a new TLD can do so. 
They will, like anyone marketing a new product, have to fight to "build 
their brand" by getting shelf-space in the inventory offered by root 
operators.  But that's simply the normal facts of life for normal kinds 
of products.

And some of those TLD products will be shoddy or badly run.  And here we 
get to the question whether ICANN is a consumer protection agency.  Is 
it?  (And if so, it is rather odd in the way it ejects those consumers it 
purports to protect from its forums of decision-making.)

If we can presume that domain name buyers have enough brains to pick and 
choose among TLD offerings then our level of governance is merely to 
require that TLD providers publish enough information for buyers to make 
rational choices, in other words TLDs should be required to publish 
something akin to the kind of all-revealing prospectus that we here in 
the US get for offerings of financial securities.  And that there be 
long-enough contracts for those buyers to lock-in those promises.

Sure, some TLDs will collapse leaving owners of names in those TLDs with 
useless names.  Again, do we want to create a worldwide body of consumer 
protection (an uber-ICANN) or do we want to say, as we say with airline 
tickets, if you buy from a shaky airline and it collapses leaving you 
with worthless tickets, well, too bad for you?

People who want to build rock-solid names will tend to remain in .com, 
.org, and .net.  Some new TLDs will aspire to build a reputation good 
enough to attract those customers.

But some new TLDs may specialize in short-term registrations: A name for 
a month to handle a one-time town meeting for example.  A collapse of 
that kind of TLD will not be a catastrophe.


> - lack of political will?  why do all those frustrated governments 
> keep waiting for USG/ICANN blessing?

Government people, like most people, crave the known and fear the 
unknown.  Given the quality of the operation run by the legacy root 
server folks - people who deserve internet angelic status - there is 
little incentive from the point of view of governments to change.  ICANN 
gives ccTLDs a lot of leeway.  Governments have their ccTLDs, they are 
sated.

> - people do not believe it is technically possible?  i.e. it is easy to 
> say it can be done technically, but has anyone really laid out a plan 
> and showed how it can work - running code and all of that?

I ran my own machines and those of my company using various other root 
systems, including one of those "grass roots" setups for several years 
while actively looking for problems.  There were none (until one 
operator decided that he could violate the RFCs by putting character 
string IP addresses rather than host names into NS records.)

Having competing roots offers a significant increment in internet safety 
- it removes a single point of failure (the single root) and allows 
users (or more likely their ISPs) to choose the root that works best and, 
if that goes awry, to change to another.

The bigger question is where does the money come from to lubricate this 
system so that it can run?

Turns out that there is a lot of data mining gold in DNS query streams. 
  (People do not realize that ICANN's contracts specifically allow TLD 
operators to data mine the query traffic.  And one can make a guess that 
various governmental agencies in some countries are rather interested 
in, and willing to pay for, "intelligence" data or "law enforcement" 
information that they can derive from the queries.)

As I have been reminded by John L., because of caching a lot more 
interesting data can be gleaned from a TLD server than from a root server. 
However, there still remains a lot of value that can be gained by 
sitting at a root and watching the queries (remember, name queries 
received by roots tend to contain the entire domain name being resolved).

Sure, the idea that our queries are being monetized is scary, but it is 
already permissible under ICANN's contracts.


> another question i have, would this be yet another mechanism that would 
> allow for restriction of freedom of expression and  freedom of 
> communication?    would ISPs become the new arbiter of who we would have 
> access to?  i.e. my provider could restrict me to the family friendly DNS?

Yes, an ISP that wants to offer a shrunken DNS could do so; but I would 
suggest that an ISP that wants to do this already can find plenty of 
tools to do this even in a single-root world.

I would submit that having competing, consistent roots, gives users more 
opportunities to bypass such restrictive ISPs and removes the more 
fearful worry of a worldwide central authority imposing its moral 
or cultural views on *all* DNS everywhere - we already saw this kind of 
thing in a small way with .xxx in which a small fundamentalist religious 
group in the US manipulated the US executive dept to tickle the Dept of 
Commerce to stomp out .xxx no matter whether the community said it was 
good or not.

> or would it be possible for users to pick any DNS tree, or mixture of 
> DNS trees, they wished?

I'm not suggesting changing the DNS protocols, so mixing of trees would 
not be possible.

> could this model bring us a new form of provider, the global DNS 
> provider, who gave us unfettered access to all possible roots?

That itself would be a new root that simply aggregated every TLD that it 
saw, modulo those in dispute.


> it is an interesting idea that you and others have been talking about 
> for years, yet i never see more discussion of it than an idea presented 
> and then ignored.  why is that?  i know you have your own ideas on TLDs 
> and even have your own .ewe (love the name) .  why has it not flown yet 
> and why is it not breaking this ground open - especially if it is such a 
> fertile field and an obvious solution?

I really have not had time to get the registration system of .ewe in 
place; I'm working too hard on network testing and troubleshooting 
tools.  People can see the skeleton of the idea at: 
http://www.cavebear.com/eweregistry/

> - does the whole idea just need a good business plan?

Yes, but it also needs ICANN to refrain from things like ICP-3.  That 
kind of thing can be construed as interference, potentially unlawful 
interference, with the business plans of those who aspire to build TLDs 
and roots outside of the ICANN system.  What ICANN does via ICP-3 is a 
lot like Microsoft and Apple publishing an official joint statement that 
declares Linux to be a danger to all computer users and something that 
must not be permitted.

> or do you really believe it just needs a paradigm shift.?

Well, this new set of DNS attacks is certainly revealing some deep 
cracks in the architecture of DNS.

And I don't really know how the very slow deployment of DNSSEC affects this.

		--karl--
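
Added example, not part of the original message and not the author's code: a Python check of the broader "consistency" definition given in the message (every TLD that two root zones share must carry the same delegation), together with a scan for the NS-record fault it describes (an IP address string where a host name belongs). The zone snippets, server names and function names are constructed for illustration; the parser assumes one fully written `owner TTL IN NS target` record per line and ignores glue records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample root zones (master-file style: owner TTL class type rdata).
ROOT_A = """\
com.  172800 IN NS a.nic.example.
com.  172800 IN NS b.nic.example.
ewe.  172800 IN NS ns1.ewe-registry.example.
biz.  172800 IN NS ns.biz-one.example.
"""
ROOT_B = """\
com.  172800 IN NS B.NIC.EXAMPLE.
com.  172800 IN NS a.nic.example.
biz.  172800 IN NS ns.biz-two.example.
web.  172800 IN NS 192.0.2.53
"""

def delegations(zone_text):
    """Map each TLD to its set of NS targets (lower-cased: DNS names are case-insensitive)."""
    result = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            result[fields[0].lower()].add(fields[4].lower())
    return dict(result)

def inconsistent_tlds(zone_a, zone_b):
    """TLDs present in both zones whose NS sets differ.

    TLDs carried by only one zone are not a conflict under this definition;
    each root may offer its own blend.
    """
    a, b = delegations(zone_a), delegations(zone_b)
    return sorted(t for t in a.keys() & b.keys() if a[t] != b[t])

def ip_literal_ns(zone_text):
    """NS records whose target parses as an IP address instead of a host name."""
    bad = []
    for tld, targets in delegations(zone_text).items():
        for target in targets:
            try:
                ipaddress.ip_address(target.rstrip("."))
            except ValueError:
                continue  # not an IP literal, so a host name as expected
            bad.append((tld, target))
    return sorted(bad)
```

Here `.com` matches despite record order and letter case, `.ewe` and `.web` are each carried by one root only and so do not conflict, and `.biz` is reported because the two zones delegate it to different servers.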