Jim Reid wrote:

Jim,
for me the issue - as I wrote in a previous email to Joao - is how it can be used in software in future. Depending on this, it can be critical.
Second point - how it will be used for .arpa.
Third point (not related to DNS - sorry - but a similar problem) - sidr and its deployment.

After that I want to remind that the political world is not hierarchical - and when we put something with legal background to technical implementation it will immediately raise political issues as it does not reflect reality. It seems to me a problem even if all of us have the best intentions.

regards,
Dima
On Oct 20, 2008, at 15:42, Dmitry Burkov wrote:
It also raises an old question about Internet governance and role of USG in this process as will enforce DoC position. Some people for years tried to explain root servers' stability and practical independence from any one government; now their arguments will fall down. In any of NTIA's proposed schemes it will be under one country's regulation and if previously you can imagine partly functional ccTLDs even if zone was changed - now if signature will be invalid/recalled (don't know term in English) it will be more problematic.
Dima, these questions will always be raised. Even if nothing is ever done to the root. The point Joao made earlier still goes unanswered. With an unsigned root, all changes to add, remove or update data in the zone involve co-ordination with the DoC/NTIA. If/when the root is signed, all changes to the root zone will still involve co-ordination with the DoC/NTIA. So what's different?
When we begin to use digital signatures for infrastructure - maybe we miss the point that this tool is just a reflection of some real world relations and obligations and based on national laws and other lawyer stuff. Putting it on this part of the net we risk to involve all issues from real world.
I appreciate that some people will feel that legal agreements are an unavoidable consequence of signing. However that's a matter between each TLD (and its government?) and those co-ordinating the root. There are no technical grounds for parent and child zones to have a legal agreement underpinning their use of DNSSEC. So if a TLD wants to have a signed delegation, they can do that with or without an agreement or anything that could be viewed as an acceptance of the way the root is managed today. If a TLD doesn't want to have a signed delegation, then they don't have to. Nobody's being compelled to do anything they don't want.
And as far as I can tell, nothing's being proposed that will compromise security or stability. Though there are obvious technical and operational concerns about where the key(s) get stored, how they're managed and who's involved in that.
IMO, there's no "lawyer stuff" here. At least as far as signing the root is concerned. All that's happening is some TLD presents its KSK, IANA verifies that key and then causes a signature over that key to be generated. Which pretty much means that IANA is saying "we assert that this was the TLD KSK that we checked": nothing more.
Now there may well be lawyer stuff further down the tree. For instance suppose .ru is signed. I would expect that the .ru registry would have to consult the Russian government and Russian law about what that means nationally. But that is what's known in international law as a National Matter and isn't anyone else's business. Likewise, they may well need to consult widely inside Russia before submitting a KSK for .ru to the signed root, if that was in place.