[governance] Root Server

parminder parminder at itforchange.net
Sun Jul 27 04:36:01 EDT 2014


David

I agree with all your statements of fact below, though not necessarily 
with what you yourself describe as - or will agree are - opinions.

In my view, the operative part in your email below is

"My guess is that if the US government were to run amok and modify the 
root zone outside of existing policy/process, most of the root server 
operators (including the US ones not directly affiliated with the US 
government) would choose (e) as a first step, followed (as quickly as 
possible) by (d).  The ones outside the US would probably do (c), 
followed quickly by (d).  "

And I will repeat your (c), (d) and (e)

"c) refuse to serve the new zone and maintain the last known good zone, 
at least as long as the DNSSEC signature is valid"
"d) obtain a different root zone (signed under a new key) from a new 
maintenance/signing body"
"e) turn off their root server"

Leaving the intermediary steps (c) or (e), you agree that in case US 
makes any root changes outside the ICANN process ( motivated by, say, 
the US executive's needs or a court order) a new root maintenance/ 
signing body will immediately be needed. That is pretty big, you'd agree.

However, at the opinion level, you simply discount the possibility of 
such an action emanating from the US gov/ courts because you think that it 
contravenes US's existing policies and record.

You responded to McTim's question about a possible Indian government's 
interference with a (now) possible India located root server not just by 
a political 'opinion' that India is unlikely to do such an act which 
violates global Internet's integrity and would be against its formal or 
informal global commitments. You actually developed a scenario of how 
such an act by the Indian government would simply be of little practical 
value, and therefore implying that (1) India would probably not do it, 
and (2) even if India did it, the global Internet will be largely safe. 
Fair enough.

Perhaps you might realise that Indian record of entering into and 
fulfilling international obligations is by far much better than of the 
US. In fact, the US has kind of, perhaps, the worst global record for 
unilateral actions in defiance of global norms when it suits its own 
interests. If you disagree, we can discuss this point further. (BTW, I 
am sure you have heard of drone attacks on Pakistan territory, often 
guided simply by the location data of a targeted mobile phone!)

Therefore, as McTim and apparently you seek/ build forward-looking 
scenarios to ensure the safety of the global Internet in the imaginary 
case of India getting one among many of the root servers and then one 
day deciding to do something funny and out of order, why should we, as a 
global community, not think of such forward looking scenarios with the 
US sitting over the single authoritative root file.

And as we think of such a scenario and see that if US executive or 
courts ever order one root change outside the ICANN process we will 
immediately need a new root zone maintenance/ signing body (obviously 
out of the reach of US's jurisdiction), I don't see why we should not 
already be seeking such a body (subject to international instead of US 
law). I as a non US citizen certainly do not see any reason. In fact we 
now already have a US court decision to seize .ir from the root file.

Where else do we wait for a complete disaster to actually take place 
before we start to make arrangements to safeguard ourselves from 
disasters? This one is imminent. If it is not this court order, it will 
certainly come sooner than later with regard to the hundreds of new 
gtlds that are being instituted. I often use the example of a generic 
drugs company doing global trade in generic drugs whose gtld is sought 
to be seized by big pharma through US court action. In fact, the 
application of US jurisdiction already could be having the 'chilling 
effect' of dissuading some global business from seeking and using gtlds 
in any major way because it makes a very big component of their business 
subject to US law, which they may or may not want to happen.

Are these not major problems of global governance? IANA transition issue 
is supposed to be basically about these huge current and impending 
problems. We need global discussions about them and their possible 
resolution.... The fact that we have a complete sham being carried out 
right now in the name of IANA transition is something at least civil 
society should sit up and reflect about...

parminder

On Sunday 27 July 2014 09:51 AM, David Conrad wrote:
> Parminder,
>
> On Jul 26, 2014, at 9:19 AM, parminder <parminder at itforchange.net> wrote:
>> Your whole argument below depends on making a clean distinction 
>> between scenario 1: all root servers acting as one - the root server 
>> community, and scenario 2;  one root server operator  takes a defiant 
>> stand.
>
> McTim asked 'The question in my mind is "would those governments be 
> willing to serve the root without censorship?"'
>
> I generally do not consider imposing censorship taking "a defiant 
> stand", but I gather you have a different view.
>
>> We know that it is only the US gov that can today make a 
>> 'problematic' change in the root.
>
> For such a "problematic" change to be made, the US government would 
> have to contravene pretty much every Internet and telecommunications 
> policy they have instituted and promoted since (at least) 1996 or so. 
>  Could the US government do so?  In theory, yes. In theory, the host 
> country of the entity making changes to the root zone could do a lot 
> of things. However, since the Internet has been in operation, the US 
> government has not made "problematic" changes in the root despite 
> being at war, imposing sanctions, having had embassies overrun, not 
> having diplomatic relations, changing from Democratic to Republican 
> and vice versa a number of times, etc., etc.  I remain skeptical that 
> the US government would see it in their best interests to make one of 
> these "problematic" changes. However for the sake of argument...
>
>> It should be obvious that when US gov does it, the root servers owned 
>> by the US gov will follow suit. Next, it is extremely unlikely that 
>> any such 'problematic change' will be made without some kind of legal 
>> backing, whether of the foreign assets regulation kind or one about 
>> alleged intellectual property violation.
>
> Presumably you mean "_with_ some kind of legal backing".  Again, for 
> the sake of argument, I'll just ignore the likelihood of lawsuits, 
> appeals, temporary restraining orders, etc.
>
>> In either case, or other possible similar ones, all US based root 
>> servers (10 out of the total of 13) will have to comply and follow the 
>> changes made by the US gov in the authoritative file. That leaves the 
>> 3 non US root server operators... With the DNSSEC in operation (and I 
>> have always contended, even otherwise) they do not have much of an 
>> option.
>
> Of course they have options -- they provide root service voluntarily 
> after all. I believe an exhaustive list of those options would be:
>
> a) serve the new zone unmodified
> b) modify the zone and serve it
> c) refuse to serve the new zone and maintain the last known good zone, 
> at least as long as the DNSSEC signature is valid
> d) obtain a different root zone (signed under a new key) from a new 
> maintenance/signing body
> e) turn off their root server
>
> Of those options (and assuming for simplicity the Evil US government 
> has removed a top-level domain as one example of their evilness):
>
> - If (a) is chosen, and validating resolver operators do nothing, the 
> Evil US government wins.
>
> - If (b) is chosen, validating resolvers will ignore the responses. 
> Resolvers that do not validate would serve back the responses to end 
> users, but this would likely result in end user confusion as sometimes 
> names would resolve and sometimes they wouldn't (depending on which 
> root server the resolver happens to query).
>
> - If (c) is chosen, validating resolvers will continue to work and 
> their operators would have a couple of weeks to figure out what they 
> wanted to do. However, as with option (b) there would likely be end 
> user confusion as depending on what root server the resolver queries, 
> the same name may or may not resolve.
>
> - If (d) is chosen, validating resolver operators would need to update 
> their trust anchors to point to the new signing authority and only 
> list the root servers serving the zone under the new key.  Since 
> presumably all the root servers listed would have a consistent root 
> zone, there would be no end user confusion.
>
> - if (e) is chosen, load would shift to the remaining root servers, 
> potentially resulting in resolution failures as the other root servers 
> began to get overloaded (unless action were taken to expand the 
> capacity of the remaining servers, of course).
>
> My guess is that if the US government were to run amok and modify the 
> root zone outside of existing policy/process, most of the root server 
> operators (including the US ones not directly affiliated with the US 
> government) would choose (e) as a first step, followed (as quickly as 
> possible) by (d).  The ones outside the US would probably do (c), 
> followed quickly by (d).
>
> However, you'll note from the above that the important players aren't 
> really the root server operators.  Root servers are, after all, merely 
> a distribution channel. I personally believe their operators would, in 
> the face of out-of-policy changes, choose not to play, but that's just 
> my opinion. What isn't an opinion: the folks who really matter in 
> these scenarios are the resolver operators.  It is the resolver 
> operators that control the list of root servers to query and the 
> DNSSEC key to trust (and whether or not they even bother with DNSSEC). 
>  And many of the larger resolver operators already mirror the root 
> zone themselves so they don't actually even query the root servers. 
> Since they fetch the root zone themselves, it is easy for them to 
> fetch it (and its trust anchor if they're doing DNSSEC) from a 
> different place than they do now.
>
> So, in the scenarios you posit, the end result would be to force 
> migration away from the current system (the one the US has been 
> arguing for for almost 2 decades) and at the same time, creating a 
> vast amount of instability and potential for end user confusion. I 
> remain highly skeptical that _anyone_ in the US government would see 
> this in their best interests. Ever. So perhaps we'll just have to 
> agree to disagree.
>
>> Considering that many if not most of these new root servers may go to 
>> developing countries, in the same way that there are strong developed 
>> country alliances, it is very likely that an operator in India will 
>> have agreement with another in Ghana and  a third one in Argentina to 
>> stick out against any effort by the US to unilaterally enforce its 
>> law and/ or standards on the world.
>
> Just in case it isn't obvious, DNS resolvers do not understand 
> geo-political boundaries. Most resolvers pick the root server that 
> responds the quickest, which is typically the server that is network 
> topologically, not necessarily geographically or geo-politically (even 
> within a country), closest (some resolvers always pick root servers at 
> random, but these are increasingly rare).  However, again for the sake 
> of argument, ignoring that...
>
> The options I list above would apply to the root server operators in 
> India, Ghana, Argentina, etc. as well. What agreements the root server 
> operators have among themselves isn't particularly relevant. What 
> matters is who the resolver operators trust. Unless the root server 
> operators in India, Ghana, Argentina, et al., also got into the 
> business of generating and signing a root zone that they would then 
> serve along with distributing the trust anchor for that root zone (and 
> get resolver operators to configure that trust anchor), it isn't clear 
> to me the point of such an agreement (well, other than political 
> grandstanding).
>
> Regards,
> -drc
>
