[governance] Root Server
David Conrad
drc at virtualized.org
Fri Jul 25 10:10:54 EDT 2014
Parminder,
There is no change in my position.
Presumably, you can see the difference between these two cases:
1) the root server operator community refusing to accept an out-of-policy change coming from a compromised root zone generation process; and
2) a single root server operator unilaterally choosing to modify the contents of a valid zone.
In case #1, the root server operators can maintain the zone contents that existed prior to the out-of-policy change and the Internet's DNS will continue to work at least until the DNSSEC signature expires. This period of time would be sufficient for a separate signing and distribution infrastructure to be established and for the world's resolver operators to either abandon DNSSEC or for an emergency key roll to be performed.
In case #2, I believe it is quite unlikely a separate signing and distribution infrastructure would be established and even more unlikely all the world's resolver operators would be willing to do the emergency key roll to the new key, particularly since it would mean there would be a single root server. As a result, the single root server's responses would not validate.
In case #1, there would be tremendous disruption to the stability of the Internet's DNS. I believe the risk/cost of that disruption is (far) more than sufficient to deter any attempt to impose out-of-policy changes, particularly as it would be a "one way function": it would be impossible to reestablish any trust in the previous system and all US government policy objectives related to the Internet would instantly be made moot. Since any attempt to modify the root out of policy would likely result in lawsuits, temporary restraining orders, etc., I believe there would be a vast amount of advance notice in which a separate signing/distribution infrastructure could be built should the US government go completely insane.
In case #2, the individual root server operator would simply be made largely irrelevant ("largely" because some resolvers would continue to probe the broken root server to see if it had been fixed, but none of the answers would validate so validating resolvers would simply drop those answers on the floor). I doubt the operator of that root server would see this as being in any way advantageous.
Hope this helps.
Regards,
-drc
On Jul 25, 2014, at 3:15 AM, parminder <parminder at itforchange.net> wrote:
> Over the years we - you and I - have had long discussions on this list about whether and what kind of control the US exercised on the root of the Internet. After a long argument from either side - certainly very informative to me - it will finally come to speculating on what would the non US (or even the US based but not US gov controlled) root servers do if US were to make a root change not authorised by a proper global gov body, basically ICANN at present. You would always insist that in your opinion these other root server operators will simply not follow suit - and not follow the 'wrongful' root change. I would argue that I very much expect them to fall in line - for legal reasons (in case of US based servers) and geo-political reasons (in case of non US ones, all being in US allied countries). But since this counterfactual scenario could not be proven either way, that would end our discussion.
>
> What I see as interesting is your statement below now is that you *do not* see how other root server operators *may not* follow the changes in the authoritative root server (under US gov control). That is, you are saying they will *have to* follow the changes made in authoritative root file. But this is exactly the opposite of the argument that you always used to deadlock our conversations about the problem of US control over the authoritative root server. Will request you to share the reason for the change in your position, as I understood it? (I must mention here that our referred discussions took place after DNSSEC had been put into place, and I did quote the relevance of DNSSEC being used although I did say that I did not fully understand how it worked and used to seek your help to know more about it.)
>
> parminder
>
>
> On Thursday 24 July 2014 06:30 PM, David Conrad wrote:
>> McTim,
>>
>> On Jul 24, 2014, at 7:43 AM, McTim <dogwallah at gmail.com> wrote:
>>> The question in my mind is "would those governments be willing to
>>> serve the root without censorship?"
>> Given DNSSEC, that isn't really an issue.
>>
>> The more interesting questions are "who picks?", "how do they pick?", "under what terms and conditions will service be provided?", and "how are those terms and conditions enforced?".
>>
>>> So India for example might be willing to pay, but would they be keen
>>> to serve a root with .tata or .hindu in it?
>> If they modified the root zone, it would not validate. In most resolvers, this would mean that root server address would get deprioritized in the list of root servers that get queried. It would essentially be as if they didn't run the root server.
>>
>> Regards,
>> -drc
>>
>
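The two cases distinguished in the message above, modeled as an added example that is not part of the original thread or anyone's production code: a validator accepts the last valid zone until its signature expires (case #1) and rejects a zone edited by a single operator at any time (case #2). The toy RSA key, zone contents, day numbers and 14-day validity window are constructed assumptions, and textbook RSA stands in for the real DNSSEC algorithms.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy key (textbook RSA, two Mersenne primes); not a real DNSSEC algorithm.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the signer only

@dataclass(frozen=True)
class Rrsig:
    inception: int   # start of validity (day number, constructed)
    expiration: int  # end of validity
    sig: int

def _digest(zone: bytes, inception: int, expiration: int) -> int:
    # The validity window is covered by the signature, so it cannot be extended.
    covered = f"{inception}|{expiration}|".encode() + zone
    return int.from_bytes(hashlib.sha256(covered).digest(), "big") % N

def sign(zone: bytes, inception: int, expiration: int) -> Rrsig:
    return Rrsig(inception, expiration, pow(_digest(zone, inception, expiration), D, N))

def validate(zone: bytes, rrsig: Rrsig, now: int) -> str:
    """Return 'secure', or 'expired'/'bogus' (both are validation failures)."""
    if not rrsig.inception <= now <= rrsig.expiration:
        return "expired"
    if pow(rrsig.sig, E, N) != _digest(zone, rrsig.inception, rrsig.expiration):
        return "bogus"
    return "secure"

# Constructed zone contents and a constructed 14-day validity window.
VALID_ZONE = b"alpha. NS ns.alpha.example.\nbeta. NS ns.beta.example.\n"
SIG = sign(VALID_ZONE, inception=0, expiration=14)
MODIFIED_ZONE = b"alpha. NS ns.alpha.example.\n"  # one delegation removed

def case_1(now: int) -> str:
    # Operators keep serving the last valid zone and its existing signature.
    return validate(VALID_ZONE, SIG, now)

def case_2(now: int) -> str:
    # One operator edits the zone but cannot produce a matching signature.
    return validate(MODIFIED_ZONE, SIG, now)

def extended_window(now: int) -> str:
    # Stretching the expiration without the private key also fails.
    return validate(VALID_ZONE, Rrsig(0, 365, SIG.sig), now)

if __name__ == "__main__":
    print([(d, case_1(d), case_2(d), extended_window(d)) for d in (5, 15)])
```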