[governance] "Oversight"

David Conrad drc at virtualized.org
Wed Jun 6 14:05:17 EDT 2012


Parminder,

On Jun 6, 2012, at 2:00 AM, parminder wrote:
> So the point is, US gov can do it. Doesn't matter if ICANN alone can do it or not.

The initial statement that caused me to comment was that ICANN could do it.  I was trying to point out that ICANN can't.  Given the root zone is generated by Verisign, a US-based company, it is clear that the USG can order an inappropriately modified root zone to be created and signed.  However as I tried to explain, that doesn't mean the zone will be used.

>> The only thing DNSSEC-signing the root zone does is ensure that an attempt by someone who doesn't hold the root zone's private key to modify a response from a root server can be detected.
> 
> This seems to suggest that modifications to query responses made by someone who *does* hold the root zone's private key (i.e. root zone manager, which is under contract of US gov, and therefore means the US gov) will not be detected. That is the problem.

As the data in the root zone is (and must be) public and is (relatively) small and mostly static, numerous folks on the Internet monitor its contents (one such is https://www.dns-oarc.net/oarc/data/zfr/root).  An inappropriate change to the root zone would be detected, regardless of whether the root zone is signed. What DNSSEC provides is a mechanism that allows for unsigned changes (e.g., "Bank of America is now using an IP address owned by the Russian Business Network") made by a "man in the middle" between the root servers and the servers typically operated by ISPs that translate names to addresses (etc) to be detected and automatically discarded.  DNSSEC's primary reason for existence is to protect against bad people inserting bad data into ISP's caches.  It isn't a mechanism that has any significant impact on Internet governance.

> And what I read from your email is that due to DNSSEC operation, now US gov can not only remove an entire ccTLD or gTLD, but can modify root zone responses to specific website-level queries, which is more or less removing them (as we will discuss later). Is it not so? I was afraid, but unsure, that something like this may now have been made possible.

By virtue of the fact that the root zone manager is (and always has been) operated in the US, the US Government has _always_ had that capability. DNSSEC has no impact, positive or negative, on that ability.  DNSSEC is a red herring in this context.

>>  Responses from the root servers are (almost always) referrals to top-level domain name servers (that is, the root servers when asked 'what's the address for "foo.example.com"' respond with "don't know, but ask the name servers for .COM and here is a list of those name servers").  
> 
> You say 'almost always' which leaves the possibility - with an actor with the relevant intention, and the power of the US gov - that such a referral - 'what's the address for "foo.example.com"' - may not be directed to the concerned TLD name server. It may simply be terminated in, say, a notice by US customs authority or US State Dept. Am I right?

Not really.  To clarify the "almost always" was in reference to the fact that the root servers host zones other than the root zone (e.g., the root-servers.net zone).

While it is true the USG could force Verisign to insert "War and Peace" into the root zone, it is wildly unlikely that the resolvers (the servers primarily operated by ISPs that do lookups on behalf of end users) of the world would act in a way that would have any positive impact.  Ignoring the guaranteed freak out resulting from the insertion of non-referral information into the root zone, as a result of the Verisign "Sitefinder" incident, some resolvers have implemented mechanisms to ignore non-referral responses. Further, as mentioned, if the USG were to force this situation, it is extremely unlikely all of the root servers would accept the zone, or (I suspect) in at least one case, even be permitted to accept the zone.

>> An implication of this is that if the existing processes were somehow subverted and the Root Zone Manager (Verisign, _not_ ICANN) were able to insert something inappropriate into the root zone,
> Yes, that possible eventuality is 'the' problem with unilateral oversight, it is not a mere side issue...

The point I've been trying to make is that in the context of root zone management, there is no "unilateral". The root zone operates by the cooperative activities of the TLD administrators, the USG, ICANN (as IANA functions operator), Verisign (as root zone manager), the root server operators, and the operators of resolvers. This operation is overseen by _anyone who cares_.  You can, if you like, download the root zone yourself, run whatever checks you would like on it, and use it, modified or not.  An unknown number of people already do this.  Any attempt by any single actor involved in root zone management to do something bad would result in a highly visible hue-and-cry and people moving to alternatives (if they care).

> It is here we differ, because in saying 'I suspect' you are expressing an opinion, which I am not at all able to agree with. I am quite sure that the three outside root server operators will go along, however unhappy they may be in doing so, because as you yourself put it, not going along will have catastrophic consequences for the Internet.

Should the USG force Verisign to distribute a zone with inappropriate data, each root server operator would individually decide whether to accept that zone.  If they choose not to, the data already existent (without the inappropriate change) on the root server would continue to be served for a bit less than 604800 seconds (1 week).  This would allow for plenty of time for an alternative 'emergency' root zone management system to be stood up.

> I simply see no possibility of non-US root server operators not accepting the upstream changes, whatever noises they may make while doing so.
> (And your claim that 'even many of those in the US' will refuse to comply is completely invalid because they will be subject to any US gov order with the necessary legal force.)

I suspect you're not familiar with the root server operators (:-)).  With the exception of Verisign, none of the root server operators are under any sort of legal obligation to do anything, much less provide root service for data they know to be bad.  Instead of serving bad data, I am certain that at least 3 and more likely at least 8 (all of the non-USG and Verisign) root servers would simply decide volunteering to provide that service is no longer in their best interests.  The USG would then be forced to acquire the IP addresses used to provide root service.  This will likely require non-trivial legal interactions, providing yet more time for an alternative to be established. 

Realistically, this simply is not going to happen.

> After reading your email I am even more convinced that US can hit not only complete ccTLDs or TLDs, but also individual websites, because of the DNSSEC structure, ...

Hmm.  It would seem your mind is made up and I gather nothing that I might say will convince you otherwise.  Unfortunate.

Regards,
-drc
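[Editor's added example, not part of the message above and not anyone's production monitor.] The thread makes three concrete technical claims: that the root zone's contents are small, public and watched by many parties, so an inappropriate insertion would be noticed whether or not it is signed; that DNSSEC only tells a resolver whether an RRset carries the key holder's signature, so correctly signed bad data passes validation; and that a root server which refuses a bad zone keeps serving its last good copy until the SOA expire timer (604800 seconds) runs out. The script below shows what such a monitor's offline checks look like on a downloaded zone copy. All zone data is constructed (documentation-range addresses, placeholder DS digests and RRSIG fields, made-up TLD names such as example. and evil.); parsing is a simplified master-file reader (one RR per line, fully qualified names, no $ORIGIN, $TTL or parentheses), and it checks only that signatures are present, not that they verify, which is the job of a validating resolver with a trust anchor.

```python
"""Offline checks a root-zone monitor could run on a downloaded copy of the zone:
diff against a trusted snapshot, a content-policy check, an RRSIG-presence check,
and the SOA expire window. No cryptographic validation is done here."""
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rtype rdata")

# Constructed baseline standing in for a clean root zone (192.0.2.0/24 documentation
# addresses, placeholder DS digests and RRSIG fields; not real root-zone data).
BASELINE_ZONE = """\
. 86400 IN SOA a.root-servers.net. hostmaster.example. 2012060600 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
. 86400 IN RRSIG SOA 8 0 86400 20120613000000 20120606000000 12345 . SIG
. 518400 IN RRSIG NS 8 0 518400 20120613000000 20120606000000 12345 . SIG
com. 172800 IN NS a.gtld-servers.net.
com. 86400 IN DS 12345 8 2 DEADBEEF
com. 86400 IN RRSIG DS 8 1 86400 20120613000000 20120606000000 12345 . SIG
net. 172800 IN NS a.gtld-servers.net.
net. 86400 IN DS 12345 8 2 DEADBEEF
net. 86400 IN RRSIG DS 8 1 86400 20120613000000 20120606000000 12345 . SIG
a.root-servers.net. 518400 IN A 192.0.2.4
a.gtld-servers.net. 172800 IN A 192.0.2.30
"""

# Constructed "modified" copy with three insertions of the kinds discussed in the mail:
# a correctly signed non-referral A record at a TLD name, an address record for a
# second-level name (not glue for any delegation), and a delegation whose DS is unsigned.
MODIFIED_ZONE = BASELINE_ZONE + """\
example. 172800 IN A 192.0.2.1
example. 172800 IN RRSIG A 8 1 172800 20120613000000 20120606000000 12345 . SIG
bankofamerica.com. 3600 IN A 192.0.2.99
evil. 172800 IN NS ns.evil.
evil. 86400 IN DS 12345 8 2 DEADBEEF
ns.evil. 172800 IN A 192.0.2.50
"""

APEX_TYPES = {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}   # allowed at "."
DELEGATION_TYPES = {"NS", "DS", "RRSIG", "NSEC"}        # allowed at a TLD name
GLUE_TYPES = {"A", "AAAA"}                              # allowed below a TLD (glue only)

def parse_zone(text):
    """Parse simplified master-file text (one RR per line) into RR tuples."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, ttl, _cls, rtype, *rdata = line.split()
            rrs.append(RR(owner.lower(), int(ttl), rtype.upper(), tuple(rdata)))
    return rrs

def labels(name):
    """Labels of a fully qualified name; the root itself has none."""
    return [] if name == "." else name.rstrip(".").split(".")

def diff_zones(baseline, current):
    """(added, removed) records relative to the trusted baseline, ignoring TTLs."""
    old = {(rr.owner, rr.rtype, rr.rdata) for rr in baseline}
    new = {(rr.owner, rr.rtype, rr.rdata) for rr in current}
    return sorted(new - old), sorted(old - new)

def check_content(rrs):
    """Flag anything that is not apex data, a TLD delegation, or glue for a name
    server a delegation points at. Such data would let a root server answer with
    something other than a referral; it is flagged even when correctly signed."""
    problems = []
    ns_targets = {rr.rdata[0].lower() for rr in rrs if rr.rtype == "NS"}
    delegated = {rr.owner for rr in rrs if rr.rtype == "NS" and rr.owner != "."}
    for rr in rrs:
        depth = len(labels(rr.owner))
        if rr.owner.startswith("*"):
            problems.append(f"{rr.owner}: wildcard in the root zone")
        elif depth == 0 and rr.rtype not in APEX_TYPES:
            problems.append(f"{rr.owner}: unexpected {rr.rtype} at the apex")
        elif depth == 1 and rr.rtype not in DELEGATION_TYPES:
            problems.append(f"{rr.owner}: non-referral {rr.rtype} data at a TLD name")
        elif depth == 1 and rr.rtype == "DS" and rr.owner not in delegated:
            problems.append(f"{rr.owner}: DS without a matching NS delegation")
        elif depth > 1 and rr.rtype not in GLUE_TYPES:
            problems.append(f"{rr.owner}: {rr.rtype} record below a TLD")
        elif depth > 1 and rr.owner not in ns_targets:
            problems.append(f"{rr.owner}: {rr.rtype} record that is not glue for any NS")
    return problems

def check_signatures(rrs):
    """(owner, type) RRsets that must carry an RRSIG but do not. Delegation NS sets
    and glue are unsigned by design; only RRSIG presence is checked, not validity."""
    covered = {(rr.owner, rr.rdata[0].upper()) for rr in rrs if rr.rtype == "RRSIG"}
    rrsets = {(rr.owner, rr.rtype) for rr in rrs if rr.rtype != "RRSIG"}
    return sorted(k for k in rrsets
                  if not (k[0] != "." and k[1] in GLUE_TYPES | {"NS"}) and k not in covered)

def soa_expire_seconds(rrs):
    """SOA expire: how long a secondary keeps serving its last good copy after it stops
    accepting transfers (RFC 1035 order: mname rname serial refresh retry expire minimum)."""
    for rr in rrs:
        if rr.owner == "." and rr.rtype == "SOA":
            return int(rr.rdata[5])
    raise ValueError("no SOA at the apex")

if __name__ == "__main__":
    base, cur = parse_zone(BASELINE_ZONE), parse_zone(MODIFIED_ZONE)
    print("added since baseline:", *diff_zones(base, cur)[0], sep="\n  ")
    print("content problems:", *check_content(cur), sep="\n  ")
    print("RRsets missing RRSIG:", *check_signatures(cur), sep="\n  ")
    print(f"SOA expire: {soa_expire_seconds(cur)} s ({soa_expire_seconds(cur) / 86400:.1f} days)")
```

Run against the constructed data, the diff reports all six inserted records, the content check flags the signed example. A record and the bankofamerica.com. address (neither is a referral or glue), and the signature check flags only the evil. DS set. That split is the point of the mail: DNSSEC catches the unsigned insertion, while the signed one is caught only because someone compares the zone's contents against what a root zone is supposed to hold.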
