[dns-wg] root zone signing
Jim Reid
jim at rfc1035.com
Mon Oct 20 18:26:12 CEST 2008
On Oct 20, 2008, at 15:42, Dmitry Burkov wrote:

> It also raises an old question about Internet governance and role of
> USG in this process as will enforce DoC position.
> Some people for years tried to explain root servers stability and
> practical independence from any one government now their arguments
> will fall down.
> In any of NTIA's proposed scheme it will be under one country
> regulation and if previously you can imagine partly functional
> ccTLDs even if zone was changed -
> now if signature will be invalid/recalled (don't know term in
> English) it will be more problematic.

Dima, these questions will always be raised. Even if nothing is ever done to the root. The point Joao made earlier still goes unanswered. With an unsigned root, all changes to add, remove or update data in the zone involve co-ordination with the DoC/NTIA. If/when the root is signed, all changes to the root zone will still involve co-ordination with the DoC/NTIA. So what's different?

> When we begin to use digital signatures for infrastructure - maybe,
> we miss the point that this tool is just a reflection of some real
> world
> relations and obligations and based on national laws and other
> lawyer stuff.
> Putting it on this part of the net we risk to involve all issues
> from real world.

I appreciate that some people will feel that legal agreements are an unavoidable consequence of signing. However that's a matter between each TLD (and its government?) and those co-ordinating the root. There are no technical grounds for parent and child zones to have a legal agreement underpinning their use of DNSSEC. So if a TLD wants to have a signed delegation, they can do that with or without an agreement or anything that could be viewed as an acceptance of the way the root is managed today. If a TLD doesn't want to have a signed delegation, then they don't have to. Nobody's being compelled to do anything they don't want. And as far as I can tell, nothing's being proposed that will compromise security or stability. Though there are obvious technical and operational concerns about where the key(s) get stored, how they're managed and who's involved in that.

IMO, there's no "lawyer stuff" here. At least as far as signing the root is concerned. All that's happening is some TLD presents its KSK, IANA verifies that key and then causes a signature over that key to be generated. Which pretty much means that IANA is saying "we assert that this was the TLD KSK that we checked": nothing more.

Now there may well be lawyer stuff further down the tree. For instance suppose .ru is signed. I would expect that the .ru registry would have to consult the Russian government and Russian law about what that means nationally. But that is what's known in international law as a National Matter and isn't anyone else's business. Likewise, they may well need to consult widely inside Russia before submitting a KSK for .ru to the signed root, if that was in place.