[governance] NTIA says ICANN "does not meet the requirements" for IANA renewal

Daniel Kalchev daniel at digsys.bg
Mon Mar 12 05:09:01 EDT 2012



On 12.03.12 10:50, Karl Auerbach wrote:
> It turns out that DNSSEC works fine with competing roots. In DNSSEC 
> keying information for each TLD is propagated *upwards* into each 
> different root. However, just as each root needs its own "hints" 
> information to get things started, it also needs its own root zone key 
> information. DNSSEC does not lock a TLD to any given set of root 
> servers. --karl-- 

Not the TLD of course - the problem is with users.

This just came in: draft-jabley-dnssec-trust-anchor-04.txt 
(https://datatracker.ietf.org/doc/draft-jabley-dnssec-trust-anchor/) 
with support already in Unbound and claims that Microsoft have already 
included support in Windows 8 Server.

Considering how most users don't really care about these things and 
expect them to "just work", the burden here starts to fall on software 
vendors.

With DNSSEC, the (too) long-lived concept that someone else has to 
resolve DNS for you will finally be dead, as to make good use of DNSSEC, 
validation has to happen on the end node. This means that ISP-provided 
DNS service will be used only for the caching it provides, but will not 
be trusted.

Let's assume Microsoft indeed delivers a true DNSSEC implementation in 
their OS (something they promised for Windows 7, if I remember 
correctly). This means that when you connect your Windows 8 computer to 
the Internet and if your ISP is trying to serve you with a different DNS 
root, your computer will reject any and all DNS responses, because these 
will not have valid signatures.
Unless of course, the alternative root operator has the "official" 
DNSSEC keys in their possession. In which case they do, indeed, own the root.

Another 'technology' that will fail badly is the various middle boxes at 
'hotspots' that mess with DNS in attempts to redirect your traffic.

Your assumption, that one can reconfigure all of the Internet computers 
to use a different root could work... only in a controlled environment. 
There is no way it could work on a global scale. Which means there will be 
many small Internet islands created, and today nobody wants to be on an 
isolated island. Users will just change their ISP whatever, for the 
"real thing".

Or, in summary -- this alternative root business is already game over.

Or, in other words, right on the topic: we all want and need ICANN to 
make up their mind and behave.

Daniel
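
Added example, not part of the original message and not code from Unbound, Windows or the draft: a sketch of the first step an end-node validator performs, matching the root DNSKEY RRset it receives against its configured DS-style trust anchor (key tag, algorithm, SHA-256 digest). The key material is constructed placeholder bytes rather than real keys, all names are hypothetical, and RRSIG verification, which follows this step, is not shown.

```python
import hashlib
import struct

ROOT_OWNER = b"\x00"   # wire-format owner name of the root zone
KSK_FLAGS = 257        # Zone Key + SEP bits set, REVOKE bit clear

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(ROOT_OWNER + rdata).hexdigest()

def make_anchor(rdata):
    """What the end node has configured locally for the root it trusts."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest": ds_digest(rdata)}

def anchored_keys(anchor, dnskey_rrset):
    """Return the KSKs in a received root DNSKEY RRset that match the anchor.
    An empty list means no chain of trust can start, so every answer
    served under that root is treated as bogus."""
    def flags(rdata):
        return struct.unpack("!H", rdata[:2])[0]
    return [r for r in dnskey_rrset
            if flags(r) == KSK_FLAGS
            and key_tag(r) == anchor["key_tag"]
            and r[3] == anchor["algorithm"]
            and ds_digest(r) == anchor["digest"]]

def fake_key(label):
    """Constructed 256-byte placeholder, NOT a real public key."""
    return hashlib.sha512(label).digest() * 4

# Constructed sample RRsets; algorithm 8 is RSA/SHA-256.
OFFICIAL_KSK = dnskey_rdata(257, 8, fake_key(b"constructed official KSK"))
OFFICIAL_ZSK = dnskey_rdata(256, 8, fake_key(b"constructed official ZSK"))
ALT_KSK = dnskey_rdata(257, 8, fake_key(b"constructed alternative KSK"))
ALT_ZSK = dnskey_rdata(256, 8, fake_key(b"constructed alternative ZSK"))
ANCHOR = make_anchor(OFFICIAL_KSK)

if __name__ == "__main__":
    print("official root:", len(anchored_keys(ANCHOR, [OFFICIAL_ZSK, OFFICIAL_KSK])))
    print("alternative root:", len(anchored_keys(ANCHOR, [ALT_ZSK, ALT_KSK])))
```

A root that merely republishes the anchored public key would pass this matching step but still could not produce valid RRSIGs without the corresponding private key.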
