[dns-wg] Re: root zone signing

On Oct 20, 2008, at 18:25, Dmitry Burkov wrote:

> I hope that you remember laws of Murphy and Peter... or if it can  
> happen it will happen and so on...

Indeed. But I worry about how those laws could be applied to the  
current insecure DNS. This is a much, much bigger danger than getting  
the root signed. What we've seen so far with cache poisoning attacks  
has been bad. And it will get worse. Meanwhile, we have a technology  
that works that can pretty much eliminate that problem. But it's  
blocked by layer-9 problems. So far. The NTIA NoI is at least a step  
forward to removing those obstacles.

> When in our world services for citizens more and more depends on  
> Internet - I really worry about principal changes in Internet  
> architecture.

I agree. But I don't see signing the root like that. It will allow  
those TLDs who want to deploy DNSSEC to proceed without ugly hacks  
that probably won't help in the long run. But signing the root won't  
have any impact on the TLDs who don't want to sign their zone.  
Similarly, those who *use* DNSSEC will know what they're getting in to  
and take the appropriate decisions to mitigate those risks. Those who  
won't use DNSSEC will just carry on as if the root was never signed:  
they'll see no difference. Well, except from an increased exposure to  
security attacks predicated on DNS spoofing.

> If before we defacto have a system which was depended on more  
> techies - person and professional-based responsibility - in future  
> we can get more automated
> system which will lose this previous basement and can become a  
> weapon in hands of politicals.


Politicians and governments win out in the end. They always do. One of  
the questions for this WG (and others) to consider is how well the  
NTIA proposals accommodate the various conflicting demands from  
engineers, lawyers and politicians.