This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 22:28:40 CEST 2008
Jim Reid wrote:
> On Oct 20, 2008, at 18:25, Dmitry Burkov wrote:
>
>> I hope that you remember laws of Murphy and Peter... or if it can
>> happen it will happen and so on...
>
> Indeed. But I worry about how those laws could be applied to the
> current insecure DNS. This is a much, much bigger danger than getting
> the root signed. What we've seen so far with cache poisoning attacks
> has been bad. And it will get worse. Meanwhile, we have a technology
> that works that can pretty much eliminate that problem. But it's
> blocked by layer-9 problems. So far. The NTIA NoI is at least a step
> forward to removing those obstacles.

Jim,
imagine different approach/view - that signed root can be more dangerous (potentially) for some countries than unsigned. Do you really believe in best intentions of some governments as they expressed their intentions during last few months?

I can only repeat that as engineer I understood you and - to be honest will try to do the same in idealistic world. But as I live here - on the earth - I will try to escape potential problems before they create real problems.

For me - it seems - we should openly discuss potential consequences for countries as we will introduce these tools. I heard a lot of opinions that it is just a technical issue - and that it is wrong to discuss it in political context. I hope that it is just a misunderstanding - and guys can understand that this small and long expected change can have different meaning than they expect before.

>
>> When in our world services for citizens more and more depends on
>> Internet - I really worry about principal changes in Internet
>> architecture.
>
> I agree. But I don't see signing the root like that. It will allow
> those TLDs who want to deploy DNSSEC to proceed without ugly hacks
> that probably won't help in the long run. But signing the root won't
> have any impact on the TLDs who don't want to sign their zone.
> Similarly, those who *use* DNSSEC will know what they're getting in to
> and take the appropriate decisions to mitigate those risks. Those who
> won't use DNSSEC will just carry on as if the root was never signed:
> they'll see no difference. Well, except from an increased exposure to
> security attacks predicated on DNS spoofing.

The problem will be in future software development from one side - the second - and may be more important that we will enforce word to split on a camps. I really don't want it - and it is a key point for me.

>
>> If before we defacto have a system which was depended on more techies
>> - person and professional-based responsibility - in future we can get
>> more automated
>> system which will lose this previous basement and can become a weapon
>> in hands of politicals.
>
>
> Politicians and governments win out in the end. They always do. One of
> the questions for this WG (and others) to consider is how well the
> NTIA proposals accommodate the various conflicting demands from
> engineers, lawyers and politicians.

For me - it is a way to hell.

Thanks,
Dima