David Conrad wrote:
Dima,
On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
for me the issue - as I wrote in previous email to Joao - it is how it can be used in software in future.
As I'm sure you're aware, the only thing DNSSEC-signing the root does is allow for validating resolvers to verify the data from the root zone hasn't been modified from the point at which it was signed to the point at which it is used by the validating resolver. If {IANA,VeriSign,NTIA} were to do something "bad", the contents of the root zone would be altered, regardless of whether the root zone were signed. In order to avoid this badness, operators of caching servers would need to modify their root hints to point to root servers serving non-bad data or take other steps that mucked with the caching server's configuration. If the root were DNSSEC-signed, the configuration mucking would need to include changing the root trust anchor
David, technically you are right - but you missed the point that with introducing one repository in one jurisdiction we will get a problem especially when software vendors will deploy new features.
I don't see the significantly increased risk here by adding DNSSEC.
David, you missed one point - loss of trust - it was one of the items that were practically unchanged for years and became de facto. During all the last discussions on internet governance it was one of the arguments pro stability and practical independence - what can we say today?
After that I want to remind that the political world is not hierarchical - and when we put something with legal background to technical implementation it will immediately raise political issues as it does not reflect reality.
Sorry? What legal background are you talking about?
It is easy enough - digital signatures based on concrete laws in different countries which are incompatible - please, check.
As for reflecting reality, I'm gathering what you're referencing is the fact that the US government has an authorization role in root management. First: none of the scenarios for DNSSEC-signing the root changes this, so we'd be no better or worse off than we are now. Second: lots of governments, many of which are in Europe, support the US government having the role it does in root zone management. Given this, I suspect it is unlikely there will be a change in roles for the foreseeable future. It would be unfortunate if DNSSEC-signing the root were held back because of this.
For me the situation seems worse - it is just a personal opinion - but I tried to express it - no more. It is not an argument that some countries support one country or even a lot of them - discussing this issue we are in a different dimension where no one can dictate to others. Hope you can understand me - that we should recognize national independence (sorry guys for these words - but I can't miss it). Sometimes, the majority can be mistaken. Unfortunately, we can't put this world in just our technocracy models...
Dima
Regards, -drc