Dima,

On Oct 20, 2008, at 1:54 PM, Dmitry Burkov wrote:
> technically you are right - but you missed the point that with introducing one repository in one jurisdiction we will get a problem especially when software vendors will deploy new features.
So, you're arguing against DNSSEC as defined, not just signing the root. Apologies if I misunderstood.
> you missed one point - loss of trust - it was one of the items that were practically unchanged for years and became de facto.
You appear to be asserting that {IANA,VeriSign,NTIA} doing something "bad" is somehow worse if it gets DNSSEC-signed. I don't get it. If {IANA,VeriSign,NTIA} does something that causes loss of trust, then trust is lost. The fact that the bad change can be verified by caching servers as accurate in such a case seems irrelevant to me.
> During all last discussions on internet governance it was one of the arguments pro stability and practical independence - what we can say today?
That DNSSEC doesn't significantly change the trustworthiness of the data prior to it getting signed, but does ensure that that data, once signed, can be validated. No more and no less.
>> Sorry? What legal background are you talking about?
> It is easy enough - digital signatures based on concrete laws in different countries which are incompatible - please, check.
Sorry, still don't get it. All we're talking about here is providing an ability to detect data has been modified from the point where somebody (IANA, VeriSign, a third party) signs it to the validating resolver. No one to my knowledge is proposing there be a legally binding attestation that said data is accurate. I'm not even sure such an attestation would make sense even if somebody was trying to make it.
> Hope you can understand me - that we should recognize national independence (sorry guys for these words - but I can't miss it).
Are you familiar with the colloquialism "trying to close the barn door after the horses have bolted"? In 1996, the US government unilaterally asserted it had the right/responsibility to make these sorts of decisions. No (zero, none, nada) government complained at the time (much to my personal annoyance). Since then, processes have been worked out that allow for changes to be made with the US government acting only in an authorization role, presumably in order to prevent ICANN or VeriSign from running amok and destroying the Internet.

Now, a dozen years later, the US Dept. of Commerce is asking for input on a set of scenarios that will allow for a sucking chest wound that has existed in the DNS since its creation to (eventually) be fixed. If you think DNSSEC is a bad idea, that's fine input to provide. If you think one scenario is better than another, saying so (and giving reasons) would be ideal. But saying DNSSEC-signing threatens national independence isn't likely going to help anything unless you can give concrete justification why you believe DNSSEC-signing has an impact one way or another.

Regards,
-drc