IGP Blog :: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

Get IGP via RSS

Get IGP via Email

Follow IGP on Twitter

Twitter updates

Recent Comments

Re: Re: New domain name restrictions in China

Re: Ruling the Root part II: RPKI and the IP address space

Re: Emerging Threats to Internet Security: Incentives, Externalities and Policy Implications

Re: The IGF and the Internet Society-ITU rivalry

Re: Ruling the Root part II: RPKI and the IP address space

Month Archive

August 2009
July 2009
June 2009
May 2009
April 2009

Year Archive

2010
2009
2008
2007
2006
2005

Main Page

Previous:	Will Rod Beckstrom replace Twomey?
Next:	Ex parte communications: for everyone, except us say governments

Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Brenden Kuerbis on Fri 12 Jun 2009 03:18 PM EDT | Permanent Link |

Phillip Hallam-Baker, an Internet security pioneer and most recently Principal Scientist at VeriSign, has criticized current DNSSEC root signing arrangements in his comments to the Dept of Commerce as a "profoundly destabilizing technology" for the Internet.

Recognizing that "ICANN represents the only viable mechanism for coordination and control of the Internet" and identifying the political tensions that could emerge surrounding USG oversight of the DNS root, Hallam-Baker explains how the current ability to, if necessary, reroute root servers to a different DNS provides an "opportunity of exit" for other governments. He argues this possibility is a "safety valve that keeps ICANN and US control of ICANN in check."

According to Hallam-Baker, the "technical measures to prevent malicious redirection of the DNS root described in the current iteration of DNSSEC would "foreclose this possibility of exit" and "tilt the balance of technical control even further in the direction of ICANN and US administration. This is clear cause of concern for French, Russian, Chinese, Egyptian, and Brazilian participants in ICANN and almost certainly explains at least part of the resistance to DNSSEC deployment."

Just last week the NTIA announced it had reached "agreement" with ICANN and Verisign to sign the root by the end of the 2009. Details are still emerging, but according to ICANN, "VeriSign will have operational responsibility for the zone signing key and ICANN will manage the key signing process." Questions also remain about the NTIA negotiated solution being "opt-in" for ccTLD operators and root server operators.

In addition to recommending re-specifying ICANN's objectives, developing technical infrastructure to enable competition within the .com zone, and restructuring the conflicted ISOC management of the .org, Hallam-Baker recommends that NTIA "require that ICANN propose a technical solution for signing the DNS root zone that is endorsed by a clear majority of the national stakeholders."

Keywords: USG, root, NTIA, ICANN, DNSSEC

Posted to:

Main Page

Comments

Post a comment

Re: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Anonymous on Fri 12 Jun 2009 04:29 PM EDT | Permanent Link

How to make a news item without any added value!

Re: Re: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Brenden Kuerbis on Mon 15 Jun 2009 10:29 AM EDT | Profile | Permanent Link

True, Hallam-Baker has expressed a similar viewpoint previously, but not in an official proceeding. He actually has proposed some interesting (and IIRC, new) ideas about how the DNS root could be signed and verified by multiple parties on the IETF discuss list: http://article.gmane.org/gmane.ietf.general/35650

Re: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Anonymous on Fri 12 Jun 2009 04:41 PM EDT | Permanent Link

One of the shocking trends for .COM owners is that people attending the ICANN meetings have LESS and LESS clue. Even the growing ICANN Staff has LESS clue.

Someone recently held a private meeting in Washington, D.C. and ICANN sent 3 Staffers. NONE of the people had more than 12 months experience at ICANN. NONE of the people knew anything about the history of ICANN and the major issues.

If Verisign is going to survive a .COM re-bid and continue to attempt to retain the loyalty of .COM owners, they better consider hosting some .COM meetings. Experts from Verisign and the .COM community could then work out better ways to provide more security and stability of the .COM zone.

ICANN can then go off and trot around the world putting on .DOG and .PONY shows for ccTLDs.
That will continue to give ICANN that international flavor of the Internation Olympic Committee. When those ICANN limos roll into the next venue with all those ccTLD flags flying from the fenders, the masses will stand in awe.

Back at the ranch, Verisign can stick to business and keep the .COM platform running and improving.
There are many changes coming and only the .COM community will be able to understand them and pay for them. Not even the wealthy .ORG society will be able to participate. Clue is required.

Re: Re: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Anonymous on Fri 12 Jun 2009 05:06 PM EDT | Permanent Link

All ccTLDs are Not Countries - Unless LA is Now a Country

The ICANN Double Standard in Full Glory

http://blog.icann.org/2009/06/growing-pains-and-the-gandi-survey/#comment-17790

"Provided below are examples of churches, schools, businesses, a club, and even a university that have embraced the concept of a DOT-City TLD via the DOT-LA. The DOT-LA domain space is a ccTLD that is currently being marketed under a long-term lease as a DOT-City TLD to the residents and businesses of the Los Angeles Metropolitan Area."

Re: Re: Re: Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

by Anonymous on Wed 22 Jul 2009 06:41 AM EDT | Permanent Link

LA is the country code for Laos. .la is the ccTLD for Laos.

Trackbacks

TrackBack URL:
http://blog.internetgovernance.org/blog/_trackback/4220065

No trackbacks found.

Post comment:

Format Type:
	Convert newlines
	Receive comment notifications for this article
Subject:

Comment:

Comment verification:

Please enter the text you see inside the graphic to post your comment:

You are not currently logged in. If you would like your user information to be displayed with your comment, please enter your login information below.

Username:
Password:

If you would like to post contact information on your comment, please enter your information into the optional fields below:

Contact information:

Name:
URL:		example: http://yourdomain.com
Email:

Please note: email will not be displayed on the site, only for the blog owner. If logged in, URL will only be used.

Help support our work

Make a secure, tax deductible donation online today.

What we're reading

Internet Governance News

Upcoming Events

View all Events

Who's Reading IGP Blog?

Wowzio

grab this · technology blog