On Thu, Nov 5, 2009 at 5:44 PM, Steve Crocker <steve(_at_)shinkuro(_dot_)com>
Full disclosure: I serve on the ICANN board of directors, and I chair
ICANN's Security and Stability Advisory Committee (SSAC). Both of these are
volunteer, i.e. unpaid, positions, but ICANN does pay my travel expenses for
It's mildly amusing to see how this thread has drifted from where it
started. Also annoying. See inline for responses.
On Nov 5, 2009, at 12:53 PM, John Levine wrote:
As near as I can make out, ICANN collects bucketloads of cash without
really having any idea why. The only rationale seemed to be to pay a
rather surprising large salary to the CEO.
Agreed, except for the surprise part. The whole staff is paid
impressively large amounts and has been as long as I've been watching
ICANN. They seem to feel that their peer organizations for
compensation purposes are investment banks rather than other
I don't have access to the salaries of individual employees, and I doubt you
do either. In general, ICANN pays its staff competitively in order to
attract and retain skilled people. A very large number of people also
participate in ICANN as volunteers, similar to the way the IETF, ISOC and
other organizations work.
$722,079 for the services of Twomey was far more than he could have
expected in any other role and far more than his performance in the
In response to John,: I think that prior to his appointment all of us
would be very surprised to know what Twomey would be making in a few
Beckstrom can clearly demand a very substantial salary in other roles.
That is why I used the past tense.
Instead they are currently looking to raise even more money through
the sale of TLDs but last time I heard were curiously uninterested in
providing any material support to the root operators who would be
bearing the expense of supporting these new domains.
If I were a root server operator, it would take an implausibly large
amount of money to be worth the strings that ICANN would attach. A
key reason that the DNS still works is that there's no root server
contract, so the root operators can individually or jointly tell ICANN
to pound sand if they don't care for the root zone that ICANN offers
them. Hence ICANN is very cautions about changes.
This is multiple pieces of nonsense:
o ICANN is very cautious about changes to the root because that's the right
thing to do. A huge amount of work goes into vetting each and every
requested change. To suggest they are cautious only because of the root
operators is both factually wrong and insulting. It's really time to stop
bashing the ICANN staff. When they make a mistake, they'll admit it and fix
it. The competence level inside ICANN is surely as good as in the IETF and
One of the problems of living in the US is that there is really very
little experience of long lived institutions. Let us stipulate for the
sake of argument that all the current staff are competent, what
guarantees do we have for situation 20 years from now, how about 50?
How about 500? There is a College in Oxford that is currently facing
the imminent expiry of its 499 year lease.
I really don't think that this degree of thinking is evident in the
design of ICANN.
The type of situation that we can end up in is illustrated by the
French recording rights society, which U2 withdrew their songs from
after receiving a pittance (I seem to rememer it was less than $100)
while the President of the organization proudly unveiled the grandiose
multi-hundred million dollar building on which the money collected on
behalf of U2 and the other artists had been spent.
o The idea that the root operators would actually catch or stop errors in
the root zone is more fantasy than reality. The root operators are highly
automated and don't generally look at the content of each update of the root
zone. At a recent meeting in the EU, a senior official at a major registry
made the claim that the root operators were the last line of defense against
malicious or capricious behavior by ICANN or the U.S. Government, and that
DNSSEC would diminish the ability of the root operators to protect a
registry from being removed from the root zone. I took the opportunity ask
if the root operators were, in fact, ready, willing and able to serve in
such a capacity. If so, were there realistic plans and practice in place?
We're living in a post 9/11 world where organizations take such questions
seriously. They prepare plans and they practice dealing with contingencies.
I followed up with the root operators at a subsequent meeting. No such
plans exist, and the root operators do not seem inclined to organize
themselves to act in such a capacity. (I'm not taking a position pro or con
as to whether they should have such a role. I'm only saying there's no
connection between the claim that they have this role and any realistic
chance that they would actually do so today.)
Steve, it appears that you do not understand the security concerns
that are driving the politics of DNS.
The concern that ICANN might drop the Palestine zone out of the root
is precisely the source of the Egyptian delegation concern. That is
the reason why the ex-Interim Prime Minister of the Palestinian
authority took the time to meet with Twomey, I can assure you that it
was no social call.
The concern that ICANN might drop Cuba out of the root zone is one of
the principal drivers of the Brazilian concerns.
The Russian and French delegations have no specific concerns that they
have voiced to me but they certainly understand that ICANN has power
over the communications system that is only checked by the US
government, if at all.
Some folk in the old US State department thought this situation was
just dandy. Some folk in the new administration are less than happy
with the situation. It means that all it takes to create an
international crisis is for some fool in Congress to put in a bill to
force ICANN to drop Cuba, Palestine or whatever other country they
want to grandstand against out of the root.
There is no particular secret to learning these concerns, you just
have to do some active listening.
Whether the concerns are credible or not, they are genuine. And some
of the people who hold them have the power to ensure that DNSSEC is
not deployed in their country.
The idea that the root operators would serve as the last line of
defense is not as naive as you imagine. The threat does not need to be
very credible to ensure that ICANN is kept in line. Nor is it the
'root operators' who are the real last line of defense, rather it is
the ISPs that route the address blocks for the IP addresses that they
Let us imagine that some Florida Congressman decides to grandstand
with an amendment to force ICANN to drop Cuba out of the root. The
preparations to protect against the damage would begin the minute the
bill was published. The Internet community is pretty quick to respond
in such cases, I don't think it would take more than a day before
backup roots were ready to deploy if necessary.
Since it is pretty clear that the rest of the world would move to a
non-ICANN root regardless of the level of reliability it provides in
preference to a root that is intentionally broken by the US Congress,
the contingency planning does not need to be particularly thorough.
This is explained to the Congressman by the State department in words
of few syllables and the bill is quickly dropped.
Note the interior political dynamic here. The problem is not 'the US',
it is one egotistical member of Congress who has the power to create
an international incident through grandstanding.
DNSSEC completely disrupts that delicate balance of interests. If the
DNSSEC root of roots is widely deployed in embedded devices according
to current plans, a defection by ICANN becomes a real risk. At that
point there is no certainty that the plan to drop out Cuba will fail.
Most importantly, the State department now has to spend real political
capital to ensure that the bill is dropped - if it chooses to do so.
Perhaps the President prefers having their vote for Health Care or
Now you have two approaches that you can take here. The first is that
you can continue to ignore an issue that has created real concern
outside the US, or you can look at minor modifications to the DNSSEC
architecture that allow the concerned parties to be co-opted.
The real political problem here is that the Internet does not provide
enough important jobs for everyone to feel included. So a technical
architecture that provides more jobs for people to do, provides a
means of co-opting those parties.
If you look at the original Web of Trust paper by Phil Z. you will
note that his original plan had an option for quorate voting to
establish trust relationships, an idea later implemented in SDSI. A
mechanism that allowed for multiple root signers would give the
Brazilian, French and Russian delegations something to take home to
their governments and say 'this is how we can address the
concentration of US interest'.
We have 13 root servers, we should plan to have at least 13 apex
roots. In fact we should allow anyone who wants to do so to become an
apex root signatory and relying parties should have the option to
choose whoever they please as and whatever voting criteria they
The nice thing about this approach is that it re-establishes the
previous situation where the risk of defection is controlled by
removing the expectation of success rather than through the
traditional approach of making defection difficult. No single apex
signatory would be universally trusted so there is no risk of
universal failure. And each relying party chooses multiple apex
signers to trust so defection by a single signer does not even result
in a local failure. If there is no expectation of failure there is no
reason to default. So the only failures that might occur at an apex
signatory would be through mistake rather than malice.
This situation is considerably better for ICANN as well, if we replace
'Cuba' with 'Palestine', the CEO and staff of ICANN are suddenly on
the front line of an irredentist dispute. What do people fight over in
irredentist disputes? They fight over symbols, the WTC was attacked in
9/11 because its owners had set themselves up as a symbol of the
Now as I said earlier, you can continue to ignore such security issues
and tell everyone that they should not be at all worried by your
friends. But lets face it, DNSSEC has been 'about to' deploy for the
past ten years and has been 'expected soon' ever since I first met you
almost fifteen years ago.
You cannot deploy an infrastructure change by designing to the 80:20
rule. You can't even do it by addressing the concerns raised in the
working group. You have to go out there and look under the rocks and
find out what is lurking there.
Again, DNSSEC is a security protocol, your intended early adopter
audience is made up of people who are unreasonable and paranoid. So
don't complain when we say that we do not trust ICANN.
o There's no basis at all for saying anything at all about what strings
ICANN would attach to support for the root operators. The root operators
aren't asking for support, so the question simply hasn't come up.
But that overlooks the fact that only four of the root servers
survived the great DDoS attack. And two of those are run by VeriSign.
So ICANN's failure to recompense the root operators for their services
further deepens the vendor capture issue that is the reason that
Twomey really was never worth three quarters of a million bucks a
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
Ietf mailing list