ietf

Re: national security

2003-11-30 23:57:34
Dear Paul,
Thank you for your response even if it is not to the question asked. I never made any proposal. I have listed suggestions made by different parties (which I certainly take seriously) to address real life problems of immediate security for nations subject to catastrophe, war, international fights or confronted with a network collapse.

And I asked for serious warnings, analyses, advice, alternative suggestions.

At 19:47 30/11/03, Paul Vixie wrote:
> this statement is akin to many others made in ignorance of what dns is.  you
> are treating it as a mapping service.  perhaps you have been successful at
> treating dns as a mapping service in some local context, and this may have
> led you to the impossible conclusion that dns itself is a mapping service.
>
> dns is a coherent, distributed, autonomous, reliable database.  "distributing
> the root" as you claim to believe is necessary would create multiple domain
> name systems,

Amusing. Yes I experimented that in 78. And some were unhappy :-). I will not tell you the DNS is several things to achieve a common purpose which is address mapping. The way it does it _tries_ to be a coherent, distributed, autonomous, reliable database. What by essence it never is, except if you stop feeding it and you wait for all the TTL to die.

Here, we are in the case where it is impeded from continuing to try.

> not *a* domain name system with a distributed root.  there is no
> way to have *a* domain name system with a distributed root unless we (ietf
> or other similar agencies) first defined what that meant.

Interesting. Which agency? An agency under cooperation agreement with ICANN or NTIA, or a standardization body like ITU, or the P2P standardization committee?

Anyway, I do not look for a fundamental debate. But for serious, experienced and documented considerations about the flexibility of the existing system and its capacity to effectively sustain some duress under necessity. And how to best specify/design the solutions then to use.

> when you're ready
> to commission a multiyear study which would yield documents of the same size
> and scope as rfcs 1033+1034+1035+2181, then you'll have demonstrated that
> you have some understanding of what you're asking for.

NSA started the study. Work is engaged by the WH. http://whitehouse.gov/pcipb. ICANN has documented the way it should be done (ICP-3). NSI has committed a 500 million budget on DNS. Other projects are at work. The target now is to know what to do in the meanwhile and what to do to protect oneself from their results.

> and note that you would then have to "sell" the resulting system to the
> internet populace which includes end users, domain holders, registrars,
> registries, ISPs, and as you point out, nations. lots of luck, but "that
> ship already sailed."

:-) Amusing. The world lived millions of years without the DNS. For 20 years international data nets created naming but lived without the DNS. True, for less than a decade, since the Web, the world faces a management problem because IETF has kept with an early 80's applications architecture. 3/4 of the world is just telling USA (WSIS, this week) "okay for your 'root bluff': how much".

Naming was not created by the DNS and will survive the DNS. The DNS application is a good example of an extended service but it must adapt to the current needs. It is a 1983 car. It is brilliant, it has been refurbished a lot, but still it is a 1983 vintage.

> in no particular order, i'll address a couple of your other comments.
>
> > 5. the possibility of a redundant DNS system. Today the Internet has two
> > root files (the same file but presented on two main systems - DNS and FTP).
> > If one is hacked there is not reference. A redundant system would consist
> > in two or more root masters refereeing to different sets of TLD name
> > servers (all of them carrying the same files, but possibly of different
> > origins for security reasons).
>
> there is a reference.  several references, actually.

Hey! Is not a reference unique? As John would say: which unique master is the master?

> there is no possibility of a "hack" going undetected or uncorrected.

Not disputing that. The point is: what is the worst impact of one of the unique copies being hacked and detected? What are the recovery procedures? What are the control procedures? Are they foolproof? Are they accepted by users?

Police are often immediately notified of bank robberies. Yet hold-ups hurt and kill people every day. We are not salesmen here. But cops and insurance companies.

Most of all when the hacker sits in the Oval Office, what is the solution? Kashpureff was not the only root hacker to be known. Jon Postel was too.

WTC was built to resist the worst winds. Not 747s. Many people regret it. Our role is to make sure it does not happen again.

> but more important, if you had several "root files" which indicated
> different servers for some TLD's, you would have (by definition) several
> domain name systems,

1. There are two different root files in use each time there is an update, and an update may take long.
2. You jump at war conditions. You assume that these root files would be different. Opposite to the suggestion. To the contrary, the suggestion is to help making sure the root files do not differ, because they do not differ from reality, in adding mutual consistency controls.
3. You presume the resulting name spaces are conflicting. While the hypothesis is they are not.

The TLD Manager is authoritative on his zone. That I cannot access these authoritative systems and may incur heavy losses in lives or money, without a possibly absent or aggressive third party 15 K public file produced by an NTIA secretary, is NOT acceptable, it is ridiculous.

All the more than today you will not remove from Gov's minds, that the permitted flexibility is of several months: they have been taught that by ICANN over KPNQwest.

> not a domain name system with high redundancy.

Redundancy in error is more error. Parallel root systems means - if there is a conflict - that one is true and one is wrong. I prefer both are true. But I prefer confusion to both being wrong. What I expect from you is to discuss how to come back quickly to a proper situation, and how to handle the situation if necessity (conflict) makes there are two roots.

Actually what we devised and started testing is a three root system, with mutual monitoring. The majority decides and the different one dies - or actually should be physically shut (nothing makes sure it will want to die). The interest was only to set up the test bed, not to develop and test a particular logic.

Every human system/development involves risks at some stage. How many deaths the DNS today, how many potential? WH's Richard Clarke gave a response. I know IETF does not like him, but no one has the right to overlook it.

This being accepted. Question. How to best configure the servers, what to change in the programs to reach the best (or least worst) security.

Question. If an enemy root system is imposed on me. Cf. Karl/Randy exchange.

Question. What was done over NSI service to curb the authoritative information given by a TLD manager, was it not to create an alternative name space? If you think it was legitimate you only make it an act of resistance to NSI's abusive but legitimate right and power. Would that be only reserved to some on the planet?

> until you demonstrate some understanding of that fundamental and
> definitional aspect of dns, you won't be taken seriously among the
> community who does understand those things.
> please learn the basics before you come in here and start making proposals.

Please go back to my initial remark.
Best regards.
jfc



