[governance] Root Server

David Conrad drc at virtualized.org
Sun Jul 27 00:21:41 EDT 2014


Parminder,

On Jul 26, 2014, at 9:19 AM, parminder <parminder at itforchange.net> wrote:
> Your whole argument below depends on making a clean distinction between scenario 1: all root servers acting as one - the root server community, and scenario 2: one root server operator takes a defiant stand.

McTim asked 'The question in my mind is "would those governments be willing the serve the root without censorship?"'

I generally do not consider imposing censorship taking "a defiant stand", but I gather you have a different view.

> We know that it is only the US gov that can today make a 'problematic' change in the root.

For such a "problematic" change to be made, the US government would have to contravene pretty much every Internet and telecommunications policy they have instituted and promoted since (at least) 1996 or so.  Could the US government do so?  In theory, yes. In theory, the host country of the entity making changes to the root zone could do a lot of things. However, since the Internet has been in operation, the US government has not made "problematic" changes in the root despite being at war, imposing sanctions, having had embassies overrun, not having diplomatic relations, changing from Democratic to Republican and vice versa a number of times, etc., etc.  I remain skeptical that the US government would see it in their best interests to make one of these "problematic" changes. However for the sake of argument...

> It should be obvious that when US gov does it, the root servers owned by the US gov will follow suit. Next, it is extremely unlikely that any such 'problematic change' will be made without some kind of legal backing, whether of the foreign assets regulation kind or one about alleged intellectual property violation.

Presumably you mean "_with_ some kind of legal backing".  Again, for the sake of argument, I'll just ignore the likelihood of lawsuits, appeals, temporary restraining orders, etc.

> In either case, or other possible similar ones, all US based root servers (10 out of the total of 13) will have to comply and follow the changes made by the US gov in the authoritative file. That leaves the 3 non US root server operators... With the DNSSEC in operation (and I have always contended, even otherwise) they do not have much of an option.

Of course they have options -- they provide root service voluntarily after all. I believe an exhaustive list of those options would be:

a) serve the new zone unmodified
b) modify the zone and serve it
c) refuse to serve the new zone and maintain the last known good zone, at least as long as the DNSSEC signature is valid
d) obtain a different root zone (signed under a new key) from a new maintenance/signing body
e) turn off their root server

Of those options (and assuming for simplicity the Evil US government has removed a top-level domain as one example of their evilness):

- If (a) is chosen, and validating resolver operators do nothing, the Evil US government wins.

- If (b) is chosen, validating resolvers will ignore the responses. Resolvers that do not validate would serve back the responses to end users, but this would likely result in end user confusion as sometimes names would resolve and sometimes they wouldn't (depending on which root server the resolver happens to query).

- If (c) is chosen, validating resolvers will continue to work and their operators would have a couple of weeks to figure out what they wanted to do. However, as with option (b) there would likely be end user confusion as depending on what root server the resolver queries, the same name may or may not resolve.

- If (d) is chosen, validating resolver operators would need to update their trust anchors to point to the new signing authority and only list the root servers serving the zone under the new key.  Since presumably all the root servers listed would have a consistent root zone, there would be no end user confusion.

- If (e) is chosen, load would shift to the remaining root servers, potentially resulting in resolution failures as the other root servers began to get overloaded (unless action were taken to expand the capacity of the remaining servers, of course).

My guess is that if the US government were to run amok and modify the root zone outside of existing policy/process, most of the root server operators (including the US ones not directly affiliated with the US government) would choose (e) as a first step, followed (as quickly as possible) by (d).  The ones outside the US would probably do (c), followed quickly by (d).  

However, you'll note from the above that the important players aren't really the root server operators.  Root servers are, after all, merely a distribution channel. I personally believe their operators would, in the face of out-of-policy changes, choose not to play, but that's just my opinion. What isn't an opinion: the folks who really matter in these scenarios are the resolver operators.  It is the resolver operators that control the list of root servers to query and the DNSSEC key to trust (and whether or not they even bother with DNSSEC).  And many of the larger resolver operators already mirror the root zone themselves so they don't actually even query the root servers. Since they fetch the root zone themselves, it is easy for them to fetch it (and its trust anchor if they're doing DNSSEC) from a different place than they do now.

So, in the scenarios you posit, the end result would be to force migration away from the current system (the one the US has been arguing for for almost 2 decades) and at the same time, creating a vast amount of instability and potential for end user confusion. I remain highly skeptical that _anyone_ in the US government would see this in their best interests. Ever. So perhaps we'll just have to agree to disagree.

> Considering that many if not most of these new root servers may go to developing countries, in the same way that there are strong developed country alliances, it is very likely that an operator in India will have agreement with another in Ghana and a third one in Argentina to stick out against any effort by the US to unilaterally enforce its law and/or standards on the world.

Just in case it isn't obvious, DNS resolvers do not understand geo-political boundaries. Most resolvers pick the root server that responds the quickest, which is typically the server that is network topologically, not necessarily geographically or geo-politically (even within a country), closest (some resolvers always pick root servers at random, but these are increasingly rare).  However, again for the sake of argument, ignoring that...

The options I list above would apply to the root server operators in India, Ghana, Argentina, etc. as well. What agreements the root server operators have among themselves isn't particularly relevant. What matters is who the resolver operators trust. Unless the root server operators in India, Ghana, Argentina, et al., also got into the business of generating and signing a root zone that they would then serve along with distributing the trust anchor for that root zone (and get resolver operators to configure that trust anchor), it isn't clear to me the point of such an agreement (well, other than political grandstanding).

Regards,
-drc
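
[Added example, not part of the original message: a toy model of how a validating and a non-validating resolver would treat the root zone under options (a) to (d) above. An HMAC stands in for the DNSSEC signature (real DNSSEC uses public-key signatures), and the keys, the TLD name `example-tld`, the key tags and the 14-day signature validity are constructed assumptions.]

```python
import hashlib
import hmac
import json

OLD_KEY, NEW_KEY = b"constructed-old-ksk", b"constructed-new-ksk"  # constructed keys
FULL = ["com", "example-tld", "org"]                               # constructed TLD list
DAY = 86400

def _body(tlds, expires):
    return json.dumps({"tlds": tlds, "expires": expires}).encode()

def sign_zone(tlds, key, key_tag, expires):
    """Return a signed zone; the HMAC is a stand-in for the RRSIG."""
    tlds = sorted(tlds)
    sig = hmac.new(key, _body(tlds, expires), hashlib.sha256).hexdigest()
    return {"tlds": tlds, "expires": expires, "key_tag": key_tag, "sig": sig}

def resolve(tld, zone, now, trust_anchors=None):
    """Result of one query to one root server.

    trust_anchors is {key_tag: key} for a validating resolver and None for
    a resolver that does not validate.
    """
    if trust_anchors is not None:
        key = trust_anchors.get(zone["key_tag"])
        good = key is not None and hmac.compare_digest(
            hmac.new(key, _body(zone["tlds"], zone["expires"]),
                     hashlib.sha256).hexdigest(), zone["sig"])
        if not good or now > zone["expires"]:
            return "BOGUS"  # a validating resolver ignores this response
    return "NOERROR" if tld in zone["tlds"] else "NXDOMAIN"

def scenarios(q="example-tld"):
    last_good = sign_zone(FULL, OLD_KEY, 1, expires=14 * DAY)
    censored = sign_zone(["com", "org"], OLD_KEY, 1, expires=28 * DAY)
    modified = dict(censored, tlds=FULL)   # (b): TLD re-added, cannot be re-signed
    alt_root = sign_zone(FULL, NEW_KEY, 2, expires=28 * DAY)
    old_ta, new_ta = {1: OLD_KEY}, {2: NEW_KEY}
    return {
        "a_validating": resolve(q, censored, DAY, old_ta),
        "b_validating": resolve(q, modified, DAY, old_ta),
        "b_non_validating": resolve(q, modified, DAY),
        "c_within_validity": resolve(q, last_good, 10 * DAY, old_ta),
        "c_after_expiry": resolve(q, last_good, 15 * DAY, old_ta),
        "d_old_anchor": resolve(q, alt_root, DAY, old_ta),
        "d_new_anchor": resolve(q, alt_root, DAY, new_ta),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```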
