[governance] India's communications minister - root server misunderstanding (still...)

David Conrad drc at virtualized.org
Tue Aug 7 13:17:40 EDT 2012


On Aug 7, 2012, at 2:21 AM, parminder <parminder at itforchange.net> wrote:
> Ok, here I will need help with technical information again. Your main point is that "the Internet is composed of a multitude of privately operated autonomous networks and systems that agree amongst themselves on a set of parameters to ensure the networks interoperate.  There simply is no central authority."

Yes.

> However, we know that this is not fully true for everything about the Internet's architecture.

I wasn't speaking of the Internet architecture, I was speaking about Internet resource administration.

> There indeed is a single root, 

This is architecture.

> and single operative authority over it. And things do get changed in this apex system  which are mandatory and applicable to the whole Internet.


This is administration and the changes work because the multitude of privately operated autonomous networks and systems agree that the singly-rooted DNS namespace originates from 13 special (in the sense that they are hardwired into resolvers) IP addresses. If one of those operators decides they do not agree, they change those IP addresses in their systems or modify their view of the data served from those addresses (see China).  The "authority" does not reside in the center, but rather at the edges (most typically but not exclusively with network operators). 

> We did for instance have the Iraq' cctld re-delegated, apart from other more regular changes done all the time.

You are confused about the Iraq ccTLD re-delegation, but that's irrelevant.

> So, my technical question is, is it not that the root server authority to 12/13 operators gets allocated in some way from a central point, IANA,

> in a way that if needed, it can be reallocated, like a cctld can be reallocated by appropriate changes in the root zone file.  

Not really.

Making a global change for a ccTLD means updating a single data repository managed by a single entity (currently Verisign). Changing the IP address of a root server globally means updating _millions_ of separate data repositories all over the planet, some of which are in embedded systems that people don't normally touch and most are operated by different entities.  Changing root server addresses can and will occur (the last was when "L" was renumbered and "D" really needs to get renumbered for technical reasons) but the old address will continue to get queries for a very long time (I'm told the IP address of a root server that was involved in a renumbering back in the early 90s still gets tens to hundreds of queries per second). As such, it has to be done cooperatively.

> I read that private key etc issues are involved, but any such system is centrally managed, right. 

The management of the the private keys (I assume you mean the shared secret to fetch the root zone from the distribution master) isn't relevant since the root zone is published in other places than the distribution master.

> The original DNS message from the root may simply carry the 13 IP addresses of root servers that it wants to carry and not others,

The relevant component of the DNS here are the resolvers.  Pretty much every ISP on the planet runs one or more (they are what most of the ISP's customers query to resolve names) and there are resolvers built into everything from some applications (e.g., browsers) to embedded microcontrollers to infrastructural components like mobile network gateways.  Many technical folks run resolvers on their laptops and I know folks have ported resolvers to smartphones.  Within those resolvers are the same (more or less) 13 IP addresses either compiled into the binary or in a configuration file.  Changing a root server address means updating one of those 13 addresses in all of those resolvers all over the planet.

> I can understand that downstream systems will be looking for specific IP addressed they know as to be the root servers, but still, is the whole changeover simply impossible, even if transiting in phases, building redundancy etc.

As stated several times, no, it is not impossible as long as it is done cooperatively, which gets back to convincing one or more of the existing 12 root server operators that it would be in their best interests to give up their root server.  However, if there is cooperation, it is infinitely easier to simply transfer the root server IP address to the new entity than to deal with renumbering.

> If a political decision is takne at ICANN level (with its bottom up policy process and all) that this is the way we want it to be, I dont think most actors will simply refuse to comply, whereby still if one or two indeed do, the system should be able to work around it through the mentioned levers of control. 

Assume ICANN decides that the "K" root server operated by RIPE-NCC should be given to North Korea ("K" - Korea, get it? :-)), despite RIPE-NCC's objections.  My guess would be that RIPE-NCC would be unlikely to give up the IP address willingly.  Two options then: 1) "K" could be renumbered to a North Korean IP address; and 2) RIPE-NCC could be forced to give up the IP address it uses for "K". 

In option (1), ISPs and other resolver owners around the world would have to update their resolvers to reflect the new IP address.  I would imagine ISPs in the RIPE service region (in particular) would not be excited about this prospect and would likely resist such a change (to avoid your inevitable accusations of me applying "techno-political" spin, I'll note that for most (not all) resolvers, there is an initial query that asks 'what are the root server IP addresses' so the changed IP address will be propagated automatically unless people take special actions.  However in this scenario, I suspect it highly like people will take special actions).  In addition, resolver vendors around the world (ISC, NLNetLabs, PowerDNS, Microsoft, Nominum, Cisco, etc.) would have to put the new IP address in their distributions.  I suspect it likely at least some of those would balk at this demand -- after all, who is ICANN  (some small, private, US-based, California incorporated non-profit -- you might have heard ICANN referenced this way in the past) to demand such a thing? 

That leaves option (2).  I believe your argument is that the US government could apply pressure to the government of the Netherlands to force the appropriation of the RIPE-NCC IP address used for "K".  As I'm not knowledgable about international or Dutch law, I'll let others comment on this particular scenario but I suspect positive/timely results unlikely.

And in the end, rational folks will probably ask "Why are we doing this again? Everything seems to work fine now..." to which your response would be "Kim Jong Un must have the ability to modify the contents of the root zone file on one of the root servers if the US government goes rogue!"?

> And democraticising the distribution to root servers is one such legitimate demand.

I would ask you to please try to be more precise in your terminology. Anycast mirrors of root servers serve to democratize the distribution of root servers  and address legitimate _technical_ requirements. What you are demanding is the "democratization" of root server _ownership_ for purposes of control. As discussed, this is much trickier and I suspect will likely require appropriation of resources (now) considered corporate assets.  Whether or not this is legitimate is likely in the eye of the beholder.

>> It seems to me that one of the fundamental impedance mismatches that is occurring is the implicit assumption that there is an overarching entity to which these sorts of political demands can be made and which will act upon those demands.  From an Internet technologist's point of view, this assumption is false:
> 
> If indeed legitimate political demands cannot be made and realised in the global Internet space than there is a serious gap in our political ecology here.

This is getting far afield from my area of expertise, but from my perspective: welcome to a decentralized world.  It requires cooperation and consensus of a myriad stakeholders, not a reliance on central authority figure.  As I said, I know this doesn't fit with how governments want to view the Internet.

Note that I am not arguing this is good or bad (I have my opinions on this but they are irrelevant). I'm merely stating this is how things are.

> This is not a natural condition for societies to exist in a just and sustainable way.

Actually, another view is that it _is_ the natural condition (unless you are arguing countries have a single overarching authority figure they can rely on -- if so, I think I need only point to the UN's ability to affect events in Syria as a counterpoint), the only difference is that the players that need to cooperate and reach consensus are much more diverse than simply nation-states.

> So, if what you say is true, we should collectively take steps to fill this serious gap/ void...

So we can have an overarching authority figure that can force decisions on folks without consensus?

Regards,
-drc


-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t


More information about the Governance mailing list