Re: [dns-wg] Re: ORSN-SERVERS.NET
At 21:57 24/10/2004, Jay Daley wrote:
Markus Markus wrote on 22/10/2004 12:26:13 pm:
We are only the European (independent) copy of the stable ICANN root server system :-))
I really do not understand this. How are you in any way more independent than k-root or i-root?
Jay, I will try to review this key point for the internet development. What ORSN does is risk containment. Suppose the ICANN/NTIA root is hacked. The ORSN file is not affected. This provides a protection. Now, obviously, if the delay in updating the ORSN file is too long it is going to pollute the namespace with old data. This is why troubleshooting calls for a report on possible differences. Such report must be taken both ways:
- a way to know that ORSN is outdated
- an alarm that the ICANN/NTIA root may be hacked.
This kind of issue has been identified by the dot-root project of a DNS test bed we carried last years. This has led us to work on local roots concepts and eventually on the authoritative root matrix (which is not documented, but implemented in reality through the additional name servers entered in the top level through ccTLD db.files for example). This also led to the AFRAC project (http://afrac.org) to unlock root files (like the ICANN/NTIA root file) as this is true for any other application root file, through contextual root files for what we named "externets" (ie an external global view of the internet). For example, a Japanese externet can be all the users and hosts which freely chose to belong to it. End to end relations may then be limited to these externet members (only people able to read Japanese). You can belong to many externets. In the case of a nation, we identified that a national externet is a regalian duty.
What does that mean? It means that many things may happen which affect your sure national use of the DNS. In 99.99% of the cases that you use a US, a French, a European or an East-Timor root server is the same. But in critical occasions you will want to use a nameserver which will follow the rules which protect your skin.
We developed this kind of thinking in parallel to the White House - we proposed ICANN to work on an "ICP-4" document on netsecurity in December 2001 at the DNSO/BC with a few large operators and corporations. We then introduced the dot-root project to work on this along the lines of the ICP-3 document which investigates the possible end of an authoritative file and defines the conditions for test bedding we stick to [we added a few]). The White House (Dick Clarke) worked along the same lines after 9/11 and came with a very powerful evaluation showing that the internet represented a nuclear equivalent risk to the USA through the vulnerability of critical infrastructures and the impact on the US economy and way of life of a major dysfunction. We could measure it through the impact of the East Coast Black Out - should it have happened in Feb blizzard, the impact would have been devastating. This eventually led to the http://whitehouse.gov/pcipb national strategy, the first visible impact we all know is the DoD IPv6 commitment.
Let us imagine that a terrorist atomic bomb blows Washington-West (the top worldwide target and a US working hypothesis). The propagation through the internet would be times devastating than the bomb itself on the USA. Regalian US duty will be to reserve most of the remaining internet bandwidth to civil security information and economy protection. P2P, adult, etc. traffic will not be a priority. The DNS is the control tool. We do not want to suffer from that in Europe or in the rest of the world, because there is no reason and because it would propagate the terror (and make the attempt more attractive and therefore more likely). So a European regalian duty is DNS risk containment, to protect us from the results of an attack of the US and to protect the US from being attacked. This is a very common strategy in network security.
This means that every Gov has a regalian duty, not to load the ICANN/NTIA file, but to copy it like ORSN does. This copying must be carried with a take-over procedure to cope with a special national situation. A critical problem may be local. Or there may be an external attack.
Let us for example consider the Iraq invasion and the ".iq" management. The USA attacked ".iq" through spam DoS and led Iraq to stop all their servers. An Iraqi externet would have made the Iraqi machine to switch to the Iraqi root they could have built the way they wanted (this same externet reasoning applies to IPv6 addresses and national numbering zones we support and document for years and the ITU now openly investigates - please remember that ITU is not an "internet opponent" but the Rep of regalian concerns).
A very common hypothesis is a "Tchernobyl" like incident. TV waves pollution will make ADSL screens the best way to inform and calm the people through stable screams, with a major user demand peak. The control of the DNS would be vital. Another interesting point is that published reports are that only 2.5% of the root calls are legitimate, addressing based externets are a way to protect users at peak critical times. Their support in IPv6 numbering plan is a regalian demand that we should see develop in the coming months. It is also a network security issue to avoid pollution of the DNS in such cases.
Obviously this is not the only resulting user architectural changes implied by the ICANN ICP-3 and WSIS real world consequences, as some mails documented it about DNS database usages.
jfc morfin
Jefsey
I have read this message several times and I still do not understand it. I have an eerie feeling that we might live in parallel universes. However, I have attempted a sensible reply.
"JFC (Jefsey) Morfin" <jefsey@jefsey.com> wrote on 28/10/2004 13:21:23:
Jay, I will try to review this key point for the internet development. What ORSN does is risk containment. Suppose the ICANN/NTIA root is hacked. The ORSN file is not affected. This provides a protection. Now, obviously, if the delay in updating the ORSN file is too long it is going to pollute the namespace with old data. This is why troubleshooting calls for a report on possible differences. Such report must be taken both ways: - a way to know that ORSN is outdated - an alarm that the ICANN/NTIA root may be hacked.
This is plain nonsense. Are you saying that ORSN examines any changes made in the root zone by hand and then contacts the TLD manager to make sure those changes were correct? If not then how does anyone know if it has been hacked?
This kind of issue has been identified by the dot-root project of a DNS test bed we carried last years. This has led us to work on local roots concepts and eventually on the authoritative root matrix (which is not documented, but implemented in reality through the additional name servers entered in the top level through ccTLD db.files for example).
Are you saying there is a whole group of ccTLDs who have added ORSN to their configs? If so then who?
This also led to the AFRAC project (http://afrac.org) to unlock root files (like the ICANN/NTIA root file) as this is true for any other application root file, through contextual root files for what we named "externets" (ie an external global view of the internet). For example, a Japanese externet can be all the users and hosts which freely chose to belong to it. End to end relations may then be limited to these externet members (only people able to read Japanese). You can belong to many externets. In the case of a nation, we identified that a national externet is a regalian duty.
I have looked up regalian in the dictionary and I am completely lost. What do you think it means?
What does that mean?
It means that many things may happen which affect your sure national use of the DNS. In 99.99% of the cases that you use a US, a French, a European or an East-Timor root server is the same. But in critical occasions you will want to use a nameserver which will follow the rules which protect your skin.
What rules would they be?
We developed this kind of thinking in parallel to the White House - [weird stuff snipped] This eventually led to the http://whitehouse.gov/pcipb national strategy, the first visible impact we all know is the DoD IPv6 commitment.
This is all extremely odd. Can you point me to a particular page in that huge mass of documents that has some direct relevance to ORSN?
[really weird stuff snipped]
This means that every Gov has a regalian duty, not to load the ICANN/NTIA file, but to copy it like ORSN does. This copying must be carried with a take-over procedure to cope with a special national situation. A critical problem may be local.
What is the difference between a copy and a copy (sorry loading)?
[more weird stuff snipped]
Jay
On Thu, Oct 28, 2004 at 05:53:59PM +0100, Jay Daley <td@nominet.org.uk> wrote a message of 99 lines which said:
nation, we identified that a national externet is a regalian duty.
I have looked up regalian in the dictionary and I am completely lost. What do you think it means?
Webster: Regalian \Re*ga"li*an\ (-an), a. Pertaining to regalia; pertaining to the royal insignia or prerogatives. --Hallam.
It means it is a duty of the Government / State to manage a "national externet" (a concept which is much fuzzier than "regalian duty").
it would be kind if you alternate root folk would take your discussion over to an alternate list in an alternate universe. we're trying to operate the real internet, and that's hard enough.
randy
On Thursday 28 October 2004 18:24, Randy Bush wrote:
it would be kind if you alternate root folk would take your discussion over to an alternate list in an alternate universe. we're trying to operate the real internet, and that's hard enough.
Maybe I'm thick, but I still don't get it. What is the advantage of ORSN over the ICANN root?
Jon
participants (6)
- Jay Daley
- Jay Daley
- JFC (Jefsey) Morfin
- Jon Lawrence
- Randy Bush
- Stephane Bortzmeyer