Re: national security
2003-11-30 23:57:34
Dear Paul,
Thank you for your response even if it is not to the question asked. I
never made any proposal. I have listed suggestions made by different
parties (which I certainly take seriously) to address real life problems of
immediate security for nations subject to catastrophe, war, international
fights or confronted with a network collapse.
And I asked for serious warnings, analyses, advice, alternative suggestions.
At 19:47 30/11/03, Paul Vixie wrote:
this statement is akin to many others made in ignorance of what dns is. you
are treating it as a mapping service. perhaps you have been successful at
treating dns as a mapping service in some local context, and this may have
led you to the impossible conclusion that dns itself is a mapping service.
dns is a coherent, distributed, autonomous, reliable database. "distributing
the root" as you claim to believe is necessary would create multiple domain
name systems,
Amusing. Yes I experimented that in 78. And some were unhappy :-). I will
not tell you the DNS is several things to achieve a common purpose which
is address mapping. The way it does it _tries_ to be a coherent, distributed,
autonomous, reliable database. What by essence it never is, except if you
stop feeding it and you wait for all the TTL to die.
Here, we are in the case it is impeached to continue trying.
not *a* domain name system with a distributed root. there is no
way to have *a* domain name system with a distributed root unless we (ietf
or other similar agencies) first defined what that meant.
Interesting. Which agency? An agency under cooperation agreement with ICANN
or NTIA, or a standardization body like ITU, or the P2P standardization
committee?
Anyway, I do not look for a fundamental debate. But for serious,
experienced and documented considerations about the flexibility of the
existing system and its capacity to effectively sustain some duress under
necessity. And how to best specify/design the solutions then to use.
when you're ready
to commission a multiyear study which would yield documents of the same size
and scope as rfcs 1033+1034+1035+2181, then you'll have demonstrated that
you have some understanding of what you're asking for.
NSA started the study. Work is engaged by the WH.
http://whitehouse.gov/pcipb. ICANN has documented the way it should be done
(ICP-3). NSI has committed a 500 million budget on DNS. Other projects are
at work. The target now is to know what to do in the meanwhile and what to do
to protect oneself from their results.
and note that you would then have to "sell" the resulting system to the
internet populace which includes end users, domain holders, registrars,
registries, ISPs, and as you point out, nations. lots of luck, but "that
ship already sailed."
:-) amusing. The world lived millions of years without the DNS. For 20 years
international data nets created naming but lived without the DNS. True, for
less than a decade, since the Web, the world faces a management problem
because IETF has kept with an early 80's applications architecture. 3/4 of
the world is just telling USA (WSIS, this week) "okay for your 'root
bluff': how much".
Naming was not created by the DNS and will survive the DNS. The DNS
application is a good example of an extended service but it must adapt to
the current needs. It is a 1983 car. It is brilliant, it has been
refurbished a lot, but still it is a 1983 vintage.
in no particular order, i'll address a couple of your other comments.
> 5. the possibility of a redundant DNS system. Today the Internet has two
> root files (the same file but presented on two main systems - DNS and FTP).
> If one is hacked there is not reference. A redundant system would consist
> in two or more root masters refereeing to different sets of TLD name
> servers (all of them carrying the same files, but possibly of different
> origins for security reasons).
there is a reference. several references, actually.
hey! Is not a reference unique? As John would say: which unique master is
the master?
there is no possibility of a "hack" going undetected or uncorrected.
Not disputing that. The point is: what is the worst impact of one of the
unique copies being hacked and detected. What are the recovery procedures?
What are the control procedures? Are they fool proof? Are they accepted by
users?
The police are often immediately notified of bank robberies. Yet hold-ups hurt and
kill people every day. We are not salesmen here. But cops and insurance
companies.
Most of all when the hacker sits in the Oval Office, what is the solution?
Kashpureff was not the only root hacker to be known. Jon Postel was too.
WTC was built to resist the worst winds. Not 747s. Many people regret it.
Our role is to make sure it does not happen again.
but more important, if you had several "root files" which indicated
different servers for some TLD's, you would have (by definition) several
domain name systems,
1. there are two different root files in use each time there is an update
and an update may take long.
2. you jump at war conditions. You assume that these root files would be
different. Opposite to the suggestion. To the contrary the suggestion is
to help making sure the root files do not differ, because they do not differ
from reality, in adding mutual consistency controls.
3. you presume the resulting name spaces are conflicting. While the
hypothesis is they are not.
The TLD Manager is authoritative on his zone. That I cannot access these
authoritative systems and may incur heavy losses in lives or money,
without a possibly absent or aggressive third party 15 K public file
produced by an NTIA secretary, is NOT acceptable, it is ridiculous.
All the more as today you will not remove from Gov's minds that the
permitted flexibility is of several months: they have been taught that by
ICANN over KPNQwest.
not a domain name system with high redundancy.
Redundancy in error is more error. Parallel root systems means - if there
is a conflict - that one is true and one is wrong. I prefer both are true.
But I prefer confusion to both being wrong. What I expect from you is to
discuss how to come back quickly to a proper situation, and how to handle
the situation if necessity (conflict) makes it that there are two roots.
Actually what we devised and started testing is a three root system, with
mutual monitoring. The majority decides and the different one dies - or
actually should be physically shut (nothing makes sure it will want to
die). The interest was only to set-up the test bed, not to develop and test
a particular logic.
Every human system/development involves risks at some stage. How many
deaths the DNS today, how many potential? WH's Richard Clarke gave a
response. I know IETF does not like him, but no one has the right to
overlook it.
This being accepted. Question. How to best configure the servers, what to
change in the programs to reach the best (or least worst) security.
Question. If an enemy root system is imposed on me. Cf. Karl/Randy exchange.
Question. What was done over NSI service to curb the authoritative
information given by a TLD manager, was it not to create an alternative
name space? If you think it was legitimate you only make it an act of
resistance to NSI's abusive but legitimate right and power. Would that be
only reserved to some on the planet?
until you demonstrate some understanding of that fundamental and
definitional aspect of dns, you won't be taken seriously among the
community who does understand those things.
please learn the basics before you come in here and start making proposals.
Please go back to my initial remark.
Best regards.
jfc
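
The "mutual consistency controls" and three-root majority rule mentioned in this message, reduced to a comparison of TLD delegations, as an added example that is not part of the original post or of the test bed it mentions. The root names A/B/C, the zone excerpts (constructed, with made-up TLDs) and the strict-majority rule are all assumptions.

```python
from collections import Counter

# Constructed root-zone excerpts, one per hypothetical root master.
ROOTS = {
    "A": "aa. 172800 IN NS ns1.nic.aa.\n"
         "bb. 172800 IN NS ns1.nic.bb.\n"
         "cc. 172800 IN NS ns1.nic.cc.\n",
    "B": "aa. 172800 IN NS ns1.nic.aa.\n"
         "bb. 172800 IN NS ns1.nic.bb.\n"
         "cc. 172800 IN NS ns2.nic.cc.\n",
    "C": "aa. 172800 IN NS ns1.nic.aa.\n"
         "bb. 172800 IN NS ns9.other.bb.\n"   # differs from A and B
         "cc. 172800 IN NS ns3.nic.cc.\n",    # all three differ on cc.
}


def parse_delegations(zone_text):
    """Return {tld: frozenset(nameservers)} from 'owner ttl IN NS target' lines."""
    delegations = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            delegations.setdefault(fields[0].lower(), set()).add(fields[4].lower())
    return {tld: frozenset(ns) for tld, ns in delegations.items()}


def majority_vote(roots):
    """Compare every TLD delegation across the roots.

    Returns (dissent, unresolved): dissent maps each root name to the TLDs
    where it disagrees with a strict majority; unresolved lists the TLDs for
    which no strict majority exists, so no root can be singled out.
    """
    parsed = {name: parse_delegations(text) for name, text in roots.items()}
    tlds = set().union(*parsed.values())
    dissent = {name: [] for name in roots}
    unresolved = []
    for tld in sorted(tlds):
        # A root missing the TLD entirely votes None, which also counts.
        votes = Counter(p.get(tld) for p in parsed.values())
        winner, count = votes.most_common(1)[0]
        if count * 2 <= len(roots):
            unresolved.append(tld)
            continue
        for name, p in parsed.items():
            if p.get(tld) != winner:
                dissent[name].append(tld)
    return dissent, unresolved
```

The unresolved list is the case the message leaves open: with no majority, the vote cannot say which root is the wrong one.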