I think that some folk besides myself have to do some wargaming to consider
what the political consequences of signing the root might be.
Consider that this is an infrastructure which needs to be robust over a
timescale of several decades if not centuries. Consider also the likelihood
that whoever is in charge of the root might perform an action that some party
might consider a defection over such an extended timescale.
For example, a small but vocal group of voters in the western southern
peninsula of state A consider themselves to be political exiles from state B,
an island in the vicinity of the peninsula. State A has a particular position
of influence over the root and said voters lobby for the exclusion of state B.
If such a thing were to happen today the result would be a temporary fracture
of the root followed by the rapid emergence of an alternative root structure
that was not subject to abusive influence from state A. The parties have
authority but not power. If the root is signed by a unitary entity, that entity
has absolute power. A defection cannot be countered by a fracture of the root.
Today, scope for defection is kept in balance by the lack of security. The root
is ultimately defined by the location to which a particular network provider
directs UDP packets with the root server IP address. After signing, the root
will be defined by the knowledge of the private key corresponding to the widely
distributed embedded public key.
Consider the fact that Europe is currently planning to duplicate the GPS
satellite system at a cost of several billion dollars despite the fact that the
sole point in doing so is to prevent a similar defection on the part of the US.
The idea that control of the DNS root will not be subjected to even more
considerable geo-political pressure is naïve. In 1995 deployment could have
taken place without attracting undue attention; that is not the case today.
So no, I don't think that there will be a unitary signer. The architecture is
inherently flawed. Rather than have a single party sign the root we should
probably look to a situation where there are multiple signer entities.
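The mechanism this argument turns on (after signing, "the root" is whatever validates under the embedded public key, wherever the UDP packets went) and the multiple-signer alternative it ends on, as an added Go model that is not part of this thread. It goes slightly beyond the message by giving the resolver a quorum of distinct anchors; the zone strings, the fixed seeds and the quorum rule are constructed assumptions, and real DNSKEY/DS/RRSIG formats are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// RootAnswer is a constructed stand-in for a served root zone plus the signatures endorsing it.
type RootAnswer struct {
	Zone []byte
	Sigs [][]byte // one signature per root-key holder that endorsed Zone
}

// Resolver holds the embedded trust anchors; once the root is signed these keys, not the
// IP address the UDP packets went to, decide what counts as "the root".
type Resolver struct {
	Anchors []ed25519.PublicKey
	Quorum  int // distinct anchors that must have signed; 1 models a unitary signer
}

// Validate counts distinct anchors endorsing the zone (each anchor counts once) against the quorum.
func (r Resolver) Validate(a RootAnswer) bool {
	endorsed := 0
	for _, pub := range r.Anchors {
		for _, sig := range a.Sigs {
			if ed25519.Verify(pub, a.Zone, sig) {
				endorsed++
				break
			}
		}
	}
	return endorsed >= r.Quorum
}

// signer derives one entity's key from a fixed constructed seed (demo only; real keys must be random).
func signer(id string) ed25519.PrivateKey { return ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%-32s", id))) }

// anchor is the public half that would be embedded in every validating resolver.
func anchor(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

func main() {
	a, b, c := signer("A"), signer("B"), signer("C")
	pruned := RootAnswer{Zone: []byte("a. c.")}                        // constructed zone, state B's TLD excluded
	pruned.Sigs = append(pruned.Sigs, ed25519.Sign(a, pruned.Zone))     // the unitary signer A "defects"
	fracture := RootAnswer{Zone: []byte("a. b. c.")}                    // an alternative root, signed by B instead
	fracture.Sigs = append(fracture.Sigs, ed25519.Sign(b, fracture.Zone))
	unitary := Resolver{Anchors: []ed25519.PublicKey{anchor(a)}, Quorum: 1}
	fmt.Println(unitary.Validate(pruned), unitary.Validate(fracture)) // true false: the fracture cannot validate
	multi := Resolver{Anchors: []ed25519.PublicKey{anchor(a), anchor(b), anchor(c)}, Quorum: 2}
	fmt.Println(multi.Validate(pruned)) // false: A alone cannot redefine the root
	pruned.Sigs = append(pruned.Sigs, ed25519.Sign(b, pruned.Zone))
	fmt.Println(multi.Validate(pruned)) // true once a second signer agrees
}
```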
-----Original Message-----
From: John C Klensin [mailto:john-ietf(_at_)jck(_dot_)com]
Sent: Wednesday, August 29, 2007 9:32 PM
To: David Conrad; Mark Andrews
Cc: IETF-Discussion; iesg(_at_)ietf(_dot_)org
Subject: Re: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt
--On Wednesday, 29 August, 2007 16:43 -0700 David Conrad
<drc(_at_)virtualized(_dot_)org> wrote:
If you start mucking about with production services that require
configuration on the part of system administrators (particularly in
the somewhat arcane world of DNSSEC trust anchors), it can become
quite difficult to stop that production service without breaking
stuff. Is this a place we want to go for a temporary hack?
David,
Are you prepared to answer the question as to when the plan
for getting the root signed as originally intended (whatever
that plan now is) is going to be executed?
To an outsider with no particular knowledge of what is going
on, the impression is that actual root-signing is receding at
approximately one month per month, if not a little more quickly.
If that were in fact the trend, and it were to continue, then
concerns about transition from a DLV-based mechanism to a
signed root would be largely irrelevant.
Conversely, if there were a definite plan for getting the
root signed within, say, the next few months, then it seems
to me that even discussing formalizing DLV mechanisms for the
root by having IANA create a new registry is a waste of time.
On the other hand, if there is no realistic plan and
schedule, and you don't like Sam's idea, do you have
constructive suggestions as to how it can be made acceptable?
I do not believe that "we should just wait until the root is
signed but are not able to say anything specific about when
that might be" is a useful response at this point. It might
have been a plausible position a year ago but, by now,...
john
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf