On Oct 20, 2008, at 18:25, Dmitry Burkov wrote:
> I hope that you remember the laws of Murphy and Peter... or "if it can happen, it will happen", and so on...
Indeed. But I worry about how those laws could be applied to the current insecure DNS. This is a much, much bigger danger than getting the root signed. What we've seen so far with cache poisoning attacks has been bad. And it will get worse. Meanwhile, we have a technology that works that can pretty much eliminate that problem. But it's blocked by layer-9 problems. So far. The NTIA NoI is at least a step forward to removing those obstacles.
> When, in our world, services for citizens depend more and more on the Internet, I really worry about principal changes in Internet architecture.
I agree. But I don't see signing the root like that. It will allow those TLDs who want to deploy DNSSEC to proceed without ugly hacks that probably won't help in the long run. But signing the root won't have any impact on the TLDs who don't want to sign their zone. Similarly, those who *use* DNSSEC will know what they're getting into and take the appropriate decisions to mitigate those risks. Those who won't use DNSSEC will just carry on as if the root was never signed: they'll see no difference. Well, except for an increased exposure to security attacks predicated on DNS spoofing.
> If before we de facto had a system which depended more on techies (person- and profession-based responsibility), in future we can get a more automated system which will lose this previous basis and can become a weapon in the hands of politicians.
Politicians and governments win out in the end. They always do. One of the questions for this WG (and others) to consider is how well the NTIA proposals accommodate the various conflicting demands from engineers, lawyers and politicians.