[dns-wg] Re: root zone signing
- Previous message (by thread): [dns-wg] Re: root zone signing
- Next message (by thread): [dns-wg] Re: root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 22:54:00 CEST 2008
David Conrad wrote:
> Dima,
>
> On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> As I'm sure you're aware, the only thing DNSSEC-signing the root does
> is allow for validating resolvers to verify the data from the root
> zone hasn't been modified from the point at which it was signed to the
> point at which it is used by the validating resolver. If
> {IANA,VeriSign,NTIA} were to do something "bad", the contents of the
> root zone would be altered, regardless of whether the root zone were
> signed. In order to avoid this badness, operators of caching servers
> would need to modify their root hints to point to root servers serving
> non-bad data or take other steps that mucked with the caching server's
> configuration. If the root were DNSSEC-signed, the configuration
> mucking would need to include changing the root trust anchor
David,
technically you are right - but you missed the point that with
introducing one repository in one jurisdiction we will get a problem
especially when
software vendors will deploy new features.
>
> I don't see the significantly increased risk here by adding DNSSEC.
David,
you missed one point - lost of trust - it was one of the items that were
practically unchanged for years and became defacto.
During all last dicussions on internet governance it was one argues pro
stability and practical independance - what we can say today?
>
>> After that I want to remind that the political world is not
>> hierarchical - and when we put something with legal background to
>> technical implementation it will immediately raise political issues
>> as it does not reflect reality.
>
> Sorry? What legal background are you talking about?
It is enough easy - digital signatures based on concrete laws in
different countries which are incompatible - please, check.
>
> As for reflecting reality, I'm gathering what you're referencing is
> the fact that the US government has an authorization role in root
> management. First: none of the scenarios for DNSSEC-signing the root
> changes this, so we'd be no better or worse off than we are now.
> Second: lots of governments, many of which are in Europe, support the
> US government having the role it does in root zone management. Given
> this, I suspect it is unlikely there will be a change in roles for the
> foreseeable future. It would be unfortunate if DNSSEC-signing the
> root were held back because of this.
For me the situation seems worse - it is just personal opinion - but I
tried to express it - no more.
It is not an argument that some countries support one country or even a
lot of them -
discussing this issue we are in different dimension when no one can
dictate others.
Hope you can understand me - that we should recognize national
independance (sorry guys for this words - but I can't miss it).
Sometimes, majority can mistaken.
Unfortunately, we can't put this world in just our technocracy models...
Dima
>
> Regards,
> -drc
>
- Previous message (by thread): [dns-wg] Re: root zone signing
- Next message (by thread): [dns-wg] Re: root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]