[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 18:55:17 CEST 2008
Jim Reid wrote:

Jim,

for me the issue - as I wrote in previous email to Joao - it is how it can be used in software in future. Depending on this - it can be critical.

Second point - how it will be used for .arpa

Third point (not related to DNS - sorry - but similar problem) - sidr and its deployment.

After that I want to remind that the political world is not hierarchical - and when we put something with legal background to technical implementation it will immediately raise political issues as it does not reflect reality.

It seems to me a problem even if all of us have the best intentions.

regards,
Dima

> On Oct 20, 2008, at 15:42, Dmitry Burkov wrote:
>
>> It also raises an old question about Internet governance and role of
>> USG in this process as will enforce DoC position.
>> Some people for years tried to explain root servers stability and
>> practical independence from any one government now their arguments
>> will fall down.
>> In any of NTIA's proposed scheme it will be under one country
>> regulation and if previously you can imagine partly functional ccTLDs
>> even if zone was changed -
>> now if signature will be invalid/recalled (don't know term in
>> English) it will be more problematic.
>
> Dima, these questions will always be raised. Even if nothing is ever
> done to the root. The point Joao made earlier still goes unanswered.
> With an unsigned root, all changes to add, remove or update data in
> the zone involve co-ordination with the DoC/NTIA. If/when the root is
> signed, all changes to the root zone will still involve co-ordination
> with the DoC/NTIA. So what's different?
>
>> When we begin to use digital signatures for infrastructure - maybe
>> we miss the point that this tool is just a reflection of some real world
>> relations and obligations and based on national laws and other lawyer
>> stuff.
>> Putting it on this part of the net we risk to involve all issues from
>> real world.
>
> I appreciate that some people will feel that legal agreements are an
> unavoidable consequence of signing. However that's a matter between
> each TLD (and its government?) and those co-ordinating the root.
> There are no technical grounds for parent and child zones to have a
> legal agreement underpinning their use of DNSSEC. So if a TLD wants to
> have a signed delegation, they can do that with or without an
> agreement or anything that could be viewed as an acceptance of the way
> the root is managed today. If a TLD doesn't want to have a signed
> delegation, then they don't have to. Nobody's being compelled to do
> anything they don't want.
>
> And as far as I can tell, nothing's being proposed that will
> compromise security or stability. Though there are obvious technical
> and operational concerns about where the key(s) get stored, how they're
> managed and who's involved in that.
>
> IMO, there's no "lawyer stuff" here. At least as far as signing the
> root is concerned. All that's happening is some TLD presents its KSK,
> IANA verifies that key and then causes a signature over that key to be
> generated. Which pretty much means that IANA is saying "we assert that
> this was the TLD KSK that we checked": nothing more.
>
> Now there may well be lawyer stuff further down the tree. For instance
> suppose .ru is signed. I would expect that the .ru registry would have
> to consult the Russian government and Russian law about what that
> means nationally. But that is what's known in international law as a
> National Matter and isn't anyone else's business. Likewise, they may
> well need to consult widely inside Russia before submitting a KSK for
> .ru to the signed root, if that was in place.
>