[governance] "Oversight"

michael gurstein gurstein at gmail.com
Tue Jun 12 15:07:06 EDT 2012


Without commenting on the technical issue being discussed in which I have no
competence it seems to me as an observer here that the debate seems to be
between those who are saying let's leave well enough alone and trust us (the
USG) not to do anything foolish to gum up the Internet works; and folks on
the other side who are saying the Internet is too important to us to simply
"trust you" without any guarantees, oversight or participation in whatever
decision making is going on.

I think that whatever the merits of the individual positions the days when
the rest of the world would be content to "simply trust the USG" in a matter
where, if not now, at some point in the future, the US's vital interests
might be affected either in reality or as perceived through some sort of
ideological lens, are long gone.

M
 
-----Original Message-----
From: governance-request at lists.igcaucus.org
[mailto:governance-request at lists.igcaucus.org] On Behalf Of David Conrad
Sent: Tuesday, June 12, 2012 2:24 PM
To: governance at lists.igcaucus.org
Subject: Re: [governance] "Oversight"


Parminder,

On Jun 12, 2012, at 7:53 AM, parminder wrote:
> In any condition that US law and executive power considers special - 
> whether IP enforcement or security/ warfare related, all US based root 
> servers will be obliged to fall in line.

I'll admit some difficulty understanding the actions you argue the USG would
be forcing root servers to comply with.  Could you provide a concrete
example of what you're concerned about?

> Although David says DNSSEC does not change this situation at all, from 
> his own description of the processes involved, I see that DNSSEC 
> implementation greatly increases the various costs of non publishing 
> of the authoritative root file as communicated from Verisign's server.

I'm sorry I'm not explaining things clearly enough.  Let me try it this way,
completely ignoring the role the root server operators may (or may not) play
since you find that unconvincing:

Assume the USG forces Verisign to remove .IN from the root zone. A query for
<anything>.IN will then result in a "name error" response being returned to
the querying resolver (typically operated by ISPs).  With DNSSEC, some
cryptographic data is also returned that allows the resolver to prove (in
the mathematical sense) that the holder of the root zone signing key
(Verisign) agrees that the "name error" should be returned.  Without DNSSEC,
you still get the "name error", the resolver just can't prove that's what
the holder of the zone signing key intended.

So, we now have a root zone (provably, if you bother to verify the DNSSEC
data) without .IN in it.  Let's say you run an ISP anywhere in the world.
Now, _all_ of your customers that attempt to connect to any website in the
.IN domain will get "name does not exist" in their web browsers, email
programs, bittorrent clients, etc.  Your customers are probably not going to
assume it is because the USG removed the .IN domain, rather they're more
likely going to assume you screwed up somehow and call you to scream at you.
After a sufficient number of calls (which, depending on the scale of your
ISP, will probably be from minutes to hours), you'll most likely fix the
problem for your users by getting a copy of the root zone, reinserting the
.IN data into that copy, and putting that root zone on your resolvers.

Since you have fixed the problem in your resolvers, the fact that the root
zone is DNSSEC-signed is completely irrelevant. DNSSEC only protects the
resolver's cache from getting crap data inserted into it.  Your customers,
by using your resolvers, trust you to return accurate data.  The _vast_
majority of those users will never see DNSSEC-related information since the
resolver strips that information out when responding to client (e.g., web
browser) requests.  For those users that actually know enough to request
DNSSEC information, they will undoubtedly know enough to solve the problem
the same way you did.

So, the end result of the action taken by the USG is to completely remove
the USG from any role in administering the root zone while at the same time
generating vast amounts of (both domestic and international) outrage and
destabilizing the Internet.  The USG would want to do this because?

> Do you still think other countries can trust the US with oversight 
> control over such a vital infrastructure as the Internet?

The part that I believe you're missing is that there actually is no control,
oversight or otherwise.  Because of the decentralized nature of Internet
operations, the Internet only works because everyone (primarily ISPs) agrees
that it should work (what Mitch Kapor termed "The Tinkerbelle Effect" at a
meeting back in the early 90s). In my view, the role ICANN plays (or,
perhaps more accurately, was intended to play) is to allow people to get
together to agree on how a part of the Internet should work and my
impression is that the USG merely tries to ensure ICANN follows its own
policies and procedures to do this. Your assertions that the USG is going to
go rogue and force bad things to be done to the root of the DNS ignores the
fact that those bad things only have effect if everyone (primarily ISPs) all
around the world agree that those bad things should occur.  I am a bit
skeptical this would occur.

Regards,
-drc
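
The provable "name error" described in the quoted message above, as an added Python sketch that is not part of the original thread. It assumes the root zone's denial records are NSEC records whose RRSIG signatures have already been verified, leaves out the separate wildcard proof, and uses constructed, heavily shortened chains rather than real root-zone data.

```python
from typing import NamedTuple

class NSEC(NamedTuple):
    owner: str        # a name that exists in the zone
    next_name: str    # the next existing name in canonical order
    types: frozenset  # record types present at owner

def canonical_key(name: str) -> list:
    """RFC 4034 section 6.1 ordering: labels right to left, lowercased octets."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [l.lower().encode("ascii") for l in reversed(labels)]

def proves_nonexistence(nsec: NSEC, qname: str) -> bool:
    """True if this (already signature-checked) NSEC denies qname."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, qname))
    # The last NSEC in a zone points back to the apex, so its range wraps.
    covered = (o < q < n) if o < n else (q > o or q < n)
    # An NSEC at a delegation (NS without SOA) says nothing about names
    # below that zone cut (RFC 6840 section 4.1).
    is_ancestor = len(q) > len(o) and q[:len(o)] == o
    delegation = "NS" in nsec.types and "SOA" not in nsec.types
    return covered and not (is_ancestor and delegation)

def denied(chain, qname: str) -> bool:
    """True if any record in the chain proves qname does not exist."""
    return any(proves_nonexistence(r, qname) for r in chain)

APEX = frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})
TLD = frozenset({"NS", "DS", "RRSIG", "NSEC"})

# Constructed chains: the same toy root zone with and without .IN.
ROOT_WITH_IN = [
    NSEC(".", "il.", APEX), NSEC("il.", "in.", TLD),
    NSEC("in.", "info.", TLD), NSEC("info.", ".", TLD),
]
ROOT_WITHOUT_IN = [
    NSEC(".", "il.", APEX), NSEC("il.", "info.", TLD), NSEC("info.", ".", TLD),
]

if __name__ == "__main__":
    for label, chain in (("with .IN", ROOT_WITH_IN), ("without .IN", ROOT_WITHOUT_IN)):
        print(label, "-> name error provable:", denied(chain, "www.example.in."))
```

Once .IN is removed and the zone re-signed, the record spanning `il.` to `info.` is what lets a validating resolver confirm that the name error is what the holder of the zone signing key published.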



