Internet Governance Project (IGP)
Another National Internet Threatened: Russia
First it was China, experimenting with its own special DNS name space and its own Great cyber-Wall to guard what content can and cannot enter the country. Now, Putin's Russia is said to be planning to give it a try. From IGP's extensive network of spies in Moscow (well, ok, it's actually from a two-month-old Russian newspaper), we learn that the Security Council of the Russian Federation has declared that Russia will create its own Web, in Cyrillic, "completely independent from the traditional WWW." Several reasons were cited for the creation of an independent network. One was -- surprise -- "information safety and security." The newspaper writes: "Today it is a matter of fact that Russian users are accessing the internet via channels which are in the control of the US government."
Response to Patrik Faltstrom on DNSSEC implications
Our 9 September blog post on DNSSEC has generated significant attention. It is gratifying to see DNS experts like Patrik Faltstrom respond. Not so gratifying is that Patrik's response reveals that even technical experts in DNS can fail to understand the governance implications of the technologies they work with daily. This has been a longstanding problem in the Internet technical community.

Patrik thinks that we have simply misunderstood DNSSEC. He writes: "Milton mixes up a number of things, and do ignore completely the downside of the proposal he makes." In fact, it is not I, Milton Mueller, who wrote that blog post about DNSSEC. It was Phillip Hallam-Baker of VeriSign, an acknowledged technical expert in the field. And no "proposal" was made in the blog post, merely a quotation of Hallam-Baker's comment on the IETF list. So let's set the record straight.

What is Patrik Faltstrom saying? In a nutshell, his argument is that DNS is "strictly hierarchical" and what matters for policy purposes is who controls the content of the root zone file. DNSSEC, he claims, is simply a process for digitally signing the root zone file once you have it, and thus adds no political implications outside of who determines the content.

This response is disappointing, because it shows that Patrik has completely missed the point of Hallam-Baker's argument. He simply didn't get it.

I am sure that Hallam-Baker understands that the content of the root zone is the most politically important and sensitive matter, as does everyone at IGP. But Hallam-Baker pointed out that if there are political disagreements over what goes into the root zone, then the presence of DNSSEC makes a big difference. In an unsigned DNS, there is no technical compatibility issue binding anyone to any given supplier of the root zone file. If you don't like the ICANN root, you can fairly easily move to another one. Just redirect your nameservers. If everyone else, or at least a critical mass of the world's ISPs and nameservers, move to the same, coordinated root at about the same time, you lose nothing. As Hallam-Baker put it, the current root has "authority but no power."

That all changes with DNSSEC. Once the root is signed, the root will be defined by the knowledge of the private key corresponding to the widely distributed embedded public key. Any attempt to move raises much higher coordination hurdles. As Hallam-Baker put it, "If the root is signed by a unitary entity, that entity has absolute power. A defection cannot be countered by a fracture of the root."

That is the point, my friend Patrik. Your responses have not taken Hallam-Baker's argument into consideration at all, and thus are irrelevant. We would welcome your comments about that issue. And please keep in mind that your argument is not with me, it is with Phillip Hallam-Baker.
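
The contrast between a root defined by where the hints point and a root defined by an embedded key, sketched as an added example (not from the original post, Hallam-Baker's message, or any resolver's code). The key bytes are constructed, the function names are hypothetical, and only the trust-anchor match is modelled, not RRSIG verification.

```python
import hashlib
import struct

ROOT_OWNER = b"\x00"  # wire-format owner name of the root zone

def dnskey_rdata(pubkey, flags=257, alg=8):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag as computed in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def trust_anchor(rdata):
    """DS-style anchor: key tag plus SHA-256(owner name | DNSKEY RDATA)."""
    return key_tag(rdata), hashlib.sha256(ROOT_OWNER + rdata).digest()

def resolver_accepts(served_rdata, anchor=None):
    """Would a resolver accept the root key it was served?

    anchor=None models a non-validating resolver: the root is whatever its
    hints point at. Otherwise the served key must match the embedded anchor.
    """
    return anchor is None or trust_anchor(served_rdata) == anchor

def followers(population, served_rdata):
    """Count resolvers that still resolve after being pointed at a root."""
    return sum(resolver_accepts(served_rdata, a) for a in population)

# Constructed key material: stand-ins for two competing root KSKs.
INCUMBENT = dnskey_rdata(hashlib.sha256(b"constructed incumbent KSK").digest() * 8)
ALTERNATE = dnskey_rdata(hashlib.sha256(b"constructed alternate KSK").digest() * 8)

if __name__ == "__main__":
    old, new = trust_anchor(INCUMBENT), trust_anchor(ALTERNATE)
    unsigned = [None] * 4           # hints only, no validation
    signed = [old] * 4              # every resolver ships the incumbent anchor
    partial = [new, new, old, old]  # half have replaced their anchor
    print("unsigned world follows alternate root:", followers(unsigned, ALTERNATE))
    print("signed world follows alternate root:  ", followers(signed, ALTERNATE))
    print("after half replace their anchor:      ", followers(partial, ALTERNATE))
```

Repointing the hints moves every non-validating resolver at once; a validating resolver follows only after its own embedded anchor has been replaced, which is the coordination hurdle the post describes.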

The Politics of DNSSEC: The Light Begins to Dawn at IETF

We republish below an astounding post by VeriSign's DNS expert, Dr. Phillip Hallam-Baker, made on the IETF list. In it, he incisively describes the political implications of signing the root using DNSSEC, something we at IGP have been trying to do for about a year now. He also calls for sharing the signing authority, as IGP has also been doing. When we do this, we are sometimes accused of needlessly "politicizing" the issue. Wonder what they'll say now. Let's put Hallam-Baker on that IGF panel on "critical Internet resources" maybe, and see if his candor survives the glare of publicity?

- Begin post -
Subject: RE: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt
From: "Hallam-Baker, Phillip"
Date: Thu, 30 Aug 2007 05:04:33 -0700

I think that some folk besides myself have to do some wargaming to consider what the political consequences of signing the root might be. Consider that this is an infrastructure which needs to be robust over a timescale of several decades if not centuries. Consider also the likelihood that whoever is in charge of the root might perform an action that some party might consider a defection over such an extended timescale.

For example, a small but vocal group of voters in the western southern peninsula of state A consider themselves to be political exiles from state B, an island in the vicinity of the peninsula. State A has a particular position of influence over the root and said voters lobby for the exclusion of state B. If such a thing were to happen today the result would be a temporary fracture of the root followed by the rapid emergence of an alternative root structure that was not subject to abusive influence from state A. The parties have authority but not power. If the root is signed by a unitary entity, that entity has absolute power. A defection cannot be countered by a fracture of the root. Today scope for defection is kept in balance by the lack of security. The root is ultimately defined by the location to which a particular network provider directs UDP packets with the root server IP address. After signing, the root will be defined by the knowledge of the private key corresponding to the widely distributed embedded public key.

Consider the fact that Europe is currently planning to duplicate the GPS satellite system at a cost of several billion dollars despite the fact that the sole point in doing so is to prevent a similar defection on the part of the US. The idea that control of the DNS root will not be subjected to even more considerable geo-political pressure is naïve. In 1995 deployment could have taken place without attracting undue attention, that is not the case today.

So no, I don't think that there will be a unitary signer. The architecture is inherently flawed. Rather than have a single party sign the root we should probably look to a situation where there are multiple signer entities.
- End post -
