This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Re: root zone signing
David Conrad
drc at virtualized.org
Tue Oct 21 00:33:19 CEST 2008
Dima,
On Oct 20, 2008, at 1:54 PM, Dmitry Burkov wrote:
> technically you are right - but you missed the point that with
> introducing one repository in one jurisdiction we will get a problem
> especially when software vendors will deploy new features.
So, you're arguing against DNSSEC as defined, not just signing the
root. Apologies if I misunderstood.
> you missed one point - loss of trust - it was one of the items that
> were practically unchanged for years and became de facto.
You appear to be asserting that {IANA,VeriSign,NTIA} doing something
"bad" is somehow worse if it gets DNSSEC-signed. I don't get it. If
{IANA,VeriSign,NTIA} does something that causes loss of trust, then
trust is lost. The fact that the bad change can be verified by
caching servers as accurate in such a case seems irrelevant to me.
> During all last discussions on internet governance it was one argues
> pro stability and practical independence - what we can say today?
That DNSSEC doesn't significantly change the trustworthiness of the
data prior to it getting signed, but does ensure that that data, once
signed, can be validated. No more and no less.
>> Sorry? What legal background are you talking about?
> It is enough easy - digital signatures based on concrete laws in
> different countries which are incompatible - please, check.
Sorry, still don't get it. All we're talking about here is providing
an ability to detect data has been modified from the point where
somebody (IANA, VeriSign, a third party) signs it to the validating
resolver. No one to my knowledge is proposing there be a legally
binding attestation that said data is accurate. I'm not even sure such
an attestation would make sense even if somebody was trying to make it.
> Hope you can understand me - that we should recognize national
> independence (sorry guys for these words - but I can't miss it).
Are you familiar with the colloquialism "trying to close the barn door
after the horses have bolted"?
In 1996, the US government unilaterally asserted it had the right/
responsibility to make these sorts of decisions. No (zero, none,
nada) government complained at the time (much to my personal
annoyance). Since then, processes have been worked out that allow for
changes to be made with the US government acting only in an
authorization role, presumably in order to prevent ICANN or VeriSign
from running amok and destroying the Internet. Now, a dozen years
later, the US Dept. of Commerce is asking for input on a set of
scenarios that will allow for a sucking chest wound that has existed
in the DNS since its creation to (eventually) be fixed. If you think
DNSSEC is a bad idea, that's fine input to provide. If you think one
scenario is better than another, saying so (and giving reasons) would
be ideal. But saying DNSSEC-signing threatens national independence
isn't likely going to help anything unless you can give concrete
justification why you believe DNSSEC-signing has an impact one way or
another.
Regards,
-drc