[governance] "Oversight"

David Conrad drc at virtualized.org
Tue Jun 12 14:24:14 EDT 2012


Parminder,

On Jun 12, 2012, at 7:53 AM, parminder wrote:
> In any condition that US law and executive power considers special - whether IP enforcement or security/ warfare related, all US based root servers will be obliged to fall in line. 

I'll admit some difficulty understanding the actions you argue the USG would be forcing root servers to comply with.  Could you provide a concrete example of what you're concerned about?

> Although David says DNSSEC does not change this situation at all, from his own description of the processes involved, I see that DNSSEC implementation greatly increases the various costs of non publishing of the authoritative root file as communicated from Verisign's server. 

I'm sorry I'm not explaining things clearly enough.  Let me try it this way, completely ignoring the role the root server operators may (or may not) play since you find that unconvincing:

Assume the USG forces Verisign to remove .IN from the root zone. A query for <anything>.IN will then result in a "name error" response being returned to the querying resolver (typically operated by ISPs).  With DNSSEC, some cryptographic data is also returned that allows the resolver to prove (in the mathematical sense) that the holder of the root zone signing key (Verisign) agrees that the "name error" should be returned.  Without DNSSEC, you still get the "name error", the resolver just can't prove that's what the holder of the zone signing key intended.

So, we now have a root zone(provably, if you bother to verify the DNSSEC data) without .IN in it.  Let's say you run an ISP anywhere in the world.  Now, _all_ of your customers that attempt to connect to any website in the .IN domain will get "name does not exist" in their web browsers, email programs, bittorrent clients, etc.  Your customers are probably not going to assume it is because the USG removed the .IN domain, rather they're more likely going to assume you screwed up somehow and call you to scream at you. After a sufficient number of calls (which, depending on the scale of your ISP, will probably be from minutes to hours), you'll most likely fix the problem for your users by getting a copy of the root zone, reinserting the .IN data into that copy, and putting that root zone on your resolvers.

Since you have fixed the problem in your resolvers, the fact that the root zone is DNSSEC-signed is completely irrelevant. DNSSEC only protects the resolver's cache from getting crap data inserted into it.  Your customers, by using your resolvers, trust you to return accurate data.  The _vast_ majority of those users will never see DNSSEC-related information since the resolver strips that information out when responding to client (e.g., web browser) requests.  For those users that actually know enough to request DNSSEC information, they will undoubtedly know enough to solve the problem the same way you did.

So, the end result of the action taken by the USG is to completely remove the USG from any role in administering the root zone while at the same time generating vast amounts of (both domestic and international) outrage and destabilizing the Internet.  The USG would want to do this because?

> Do you still think other countries can trust the US with oversight control over such a vital infrastructure as the Internet?

The part that I believe you're missing is that there actually is no control, oversight or otherwise.  Because of the decentralized nature of Internet operations, the Internet only works because everyone (primarily ISPs) agrees that it should work (what Mitch Kapor termed "The Tinkerbelle Effect" at a meeting back in the early 90s). In my view, the role ICANN plays (or, perhaps more accurately, was intended to play) is to allow people to get together to agree on how a part of the Internet should work and my impression is that the USG merely tries to ensure ICANN follows its own policies and procedures to do this. Your assertions that the USG is going to go rogue and force bad things to be done to the root of the DNS ignores the fact that those bad things only have effect if everyone (primarily ISPs) all around the world agree that those bad things should occur.  I am a bit skeptical this would occur.

Regards,
-drc


-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t


More information about the Governance mailing list