Bill, On Oct 15, 2008, at 8:05 AM, bmanning@vacation.karoshi.com wrote:
both ICANN and Verisign are claiming that placing all the zone creation, change and publication should be with the same organization that creates, hold and uses the digital signatures attesting to the integrity of the zone data.
in local parlance, this is the functional equivalence of the fox watching the hen house.
This is the kind of FUD that really annoys me. It is attributing some magical quality to zone signing that doesn't actually exist. In the ICANN-signs option, the only real change is that IANA would generate the (signed) zone, with VeriSign publishing the zone after authorization from DoC. In the VeriSign-signs option, the only real change is that VeriSign signs the zone after being authorized to make the zone changes by DoC. In both cases, all zone changes must be: a) vetted by IANA staff b) authorized by DoC c) published by VeriSign prior to getting out to the root servers. How _exactly_ does adding signing make this "the functional equivalen[t] of the fox watching the hen house"? Once more with feeling: the ONLY thing signing the root zone does is to allow for the contents of that zone to be validated. It hides no information. It provides no new mechanisms for subterfuge. Regards, -drc