[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 22:54:00 CEST 2008
David Conrad wrote:
> Dima,
>
> On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> As I'm sure you're aware, the only thing DNSSEC-signing the root does
> is allow for validating resolvers to verify the data from the root
> zone hasn't been modified from the point at which it was signed to the
> point at which it is used by the validating resolver. If
> {IANA,VeriSign,NTIA} were to do something "bad", the contents of the
> root zone would be altered, regardless of whether the root zone were
> signed. In order to avoid this badness, operators of caching servers
> would need to modify their root hints to point to root servers serving
> non-bad data or take other steps that mucked with the caching server's
> configuration. If the root were DNSSEC-signed, the configuration
> mucking would need to include changing the root trust anchor

David,
technically you are right - but you missed the point that with
introducing one repository in one jurisdiction we will get a problem,
especially when software vendors will deploy new features.

>
> I don't see the significantly increased risk here by adding DNSSEC.

David,
you missed one point - loss of trust - it was one of the items that
were practically unchanged for years and became de facto.
During all the last discussions on internet governance it was one of
the arguments pro stability and practical independence - what can we
say today?

>
>> After that I want to remind that the political world is not
>> hierarchical - and when we put something with legal background to
>> technical implementation it will immediately raise political issues
>> as it does not reflect reality.
>
> Sorry? What legal background are you talking about?

It is easy enough - digital signatures are based on concrete laws in
different countries which are incompatible - please, check.

>
> As for reflecting reality, I'm gathering what you're referencing is
> the fact that the US government has an authorization role in root
> management. First: none of the scenarios for DNSSEC-signing the root
> changes this, so we'd be no better or worse off than we are now.
> Second: lots of governments, many of which are in Europe, support the
> US government having the role it does in root zone management. Given
> this, I suspect it is unlikely there will be a change in roles for the
> foreseeable future. It would be unfortunate if DNSSEC-signing the
> root were held back because of this.

For me the situation seems worse - it is just a personal opinion - but
I tried to express it - no more.
It is not an argument that some countries support one country or even
a lot of them - discussing this issue we are in a different dimension
when no one can dictate to others.
Hope you can understand me - that we should recognize national
independence (sorry guys for these words - but I can't miss it).
Sometimes, the majority can be mistaken.
Unfortunately, we can't put this world in just our technocracy
models...

Dima

>
> Regards,
> -drc
>