[governance] Root Server

parminder parminder at itforchange.net
Sat Jul 26 12:19:34 EDT 2014


David

Thanks for your response.

Your whole argument below depends on making a clean distinction between 
scenario 1: all root servers acting as one - the root server community, 
and scenario 2: one root server operator takes a defiant stand. But 
neither does this clean distinction hold in reality, nor is it valid vis 
a vis our earlier discussion, which clearly brought up the scenario 
where some root server operators (US gov controlled ones, and next, US 
located ones) will - or will *have to* - act one way, and the other root 
operators then having to look at their options - to follow suit, or 
split the root.

In terms of the existing situation, which was the subject of our earlier 
discussions:

We know that it is only the US gov that can today make a 'problematic' 
change in the root. It should be obvious that when US gov does it, the 
root servers owned by the US gov will follow suit. Next, it is extremely 
unlikely that any such 'problematic change' will be made without some 
kind of legal backing, whether of the foreign assets regulation kind or 
one about alleged intellectual property violation. In either case, or 
other possible similar ones, all US based root servers (10 out of the 
total of 13) will have to comply and follow the changes made by the US 
gov in the authoritative file. That leaves the 3 non US root server 
operators... With DNSSEC in operation (and I have always contended, 
even otherwise) they do not have much of an option.

Now, in terms of a possible extension of the number of root servers (to 
20 or more), which possibility triggered this discussion:

Considering that many if not most of these new root servers may go to 
developing countries, in the same way that there are strong developed 
country alliances, it is very likely that an operator in India will have 
agreement with another in Ghana and a third one in Argentina to stick 
out against any effort by the US to unilaterally enforce its law and/or 
standards on the world.

Therefore, in either case, a neat distinction - between all root file 
operators acting as one, on one hand, and just one trying to go its own 
way, on the other - does not obtain, and is not valid. And it is such 
an imagined neat distinction that is the sole basis of your argument.

parminder

On Friday 25 July 2014 07:40 PM, David Conrad wrote:
> Parminder,
>
> There is no change in my position.
>
> Presumably, you can see the difference between these two cases:
>
> 1) the root server operator community refusing to accept an 
> out-of-policy change coming from a compromised root zone generation 
> process; and
> 2) a single root server operator unilaterally choosing to modify the 
> contents of a valid zone.
>
> In case #1, the root server operators can maintain the zone contents 
> that existed prior to the out-of-policy change and the Internet's DNS 
> will continue to work at least until the DNSSEC signature expires. 
> This period of time would be sufficient for a separate signing and 
> distribution infrastructure to be established and for the world's 
> resolver operators to either abandon DNSSEC or for an emergency key 
> roll to be performed.
>
> In case #2, I believe it is quite unlikely a separate signing and 
> distribution infrastructure would be established and even more 
> unlikely all the world's resolver operators would be willing to do the 
> emergency key roll to the new key, particularly since it would mean 
> there would be a single root server. As a result, the single root 
> server's responses would not validate.
>
> In case #1, there would be tremendous disruption to the stability of 
> the Internet's DNS. I believe the risk/cost of that disruption is 
> (far) more than sufficient to deter any attempt to impose 
> out-of-policy changes, particularly as it would be a "one way 
> function": it would be impossible to reestablish any trust in previous 
> system and all US government policy objectives related to the Internet 
> would instantly be made moot. Since any attempt to modify the root out 
> of policy would likely result in lawsuits, temporary restraining 
> orders, etc., I believe there would be a vast amount of advance notice 
> in which a separate signing/distribution infrastructure could be built 
> should the US government go completely insane.
>
> In case #2, the individual root server operator would simply be made 
> largely irrelevant ("largely" because some resolvers would continue to 
> probe the broken root server to see if it had been fixed, but none of 
> the answers would validate so validating resolvers would simply drop 
> those answers on the floor).  I doubt the operator of that root server 
> would see this as being in any way advantageous.
>
> Hope this helps.
>
> Regards,
> -drc
>
> On Jul 25, 2014, at 3:15 AM, parminder <parminder at itforchange.net> wrote:
>> Over the years we - you and I  - have had long discussions on this 
>> list about whether and what kind of control the US exercised on the 
>> root of the Internet. After a long argument from either side - 
>> certainly very informative to me - it will finally come to 
>> speculating on what would the non US (or even the US based but not US 
>> gov controlled) root servers do if US were to make a root change not 
>> authorised by a proper global gov body, basically ICANN at present. 
>> You would always insist that in your opinion these other root server 
>> operators will simply not follow suit - and not follow the 'wrongful' 
>> root change. I would argue that I very much expect them to fall in 
>> line - for legal reasons (in case of US based servers) and 
>> geo-political reasons (in case of non US ones, all being in US allied 
>> countries). But since this counterfactual scenario could not be 
>> proven either way, that would end our discussion.
>>
>> What I see as interesting is your statement below now is that you *do 
>> not* see how other root server operators *may not* follow the changes 
>> in the authoritative root server (under US gov control). That is, you 
>> are saying they will *have to* follow the changes made in 
>> authoritative root file. But this is exactly the opposite of the 
>> argument that you always used to deadlock our conversations about the 
>> problem of US control over the authoritative root server. Will 
>> request you to share the reason for the change in your position, as I 
>> understood it? (I must mention here that our referred discussions 
>> took place after DNSSEC had been put into place, and I did quote the 
>> relevance of DNSSEC being used although I did say that I did not 
>> fully understand how it worked and used to seek your help to know 
>> more about it.)
>>
>> parminder
>>
>>
>> On Thursday 24 July 2014 06:30 PM, David Conrad wrote:
>>> McTim,
>>>
>>> On Jul 24, 2014, at 7:43 AM, McTim <dogwallah at gmail.com> wrote:
>>>> The question in my mind is "would those governments be willing to
>>>> serve the root without censorship?"
>>> Given DNSSEC, that isn't really an issue.
>>>
>>> The more interesting questions are "who picks?", "how do they pick?", "under what terms and conditions will service be provided?", and "how are those terms and conditions enforced?".
>>>
>>>> So India for example might be willing to pay, but would they be keen
>>>> to serve a root with .tata or .hindu in it?
>>> If they modified the root zone, it would not validate. In most resolvers, this would mean that root server address would get deprioritized in the list of root servers that get queried. It would essentially be as if they didn't run the root server.
>>>
>>> Regards,
>>> -drc
>>>
>>
>
