[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 22:54:00 CEST 2008
David Conrad wrote:
> Dima,
>
> On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> As I'm sure you're aware, the only thing DNSSEC-signing the root does
> is allow for validating resolvers to verify the data from the root
> zone hasn't been modified from the point at which it was signed to the
> point at which it is used by the validating resolver. If
> {IANA,VeriSign,NTIA} were to do something "bad", the contents of the
> root zone would be altered, regardless of whether the root zone were
> signed. In order to avoid this badness, operators of caching servers
> would need to modify their root hints to point to root servers serving
> non-bad data or take other steps that mucked with the caching server's
> configuration. If the root were DNSSEC-signed, the configuration
> mucking would need to include changing the root trust anchor

David, technically you are right - but you missed the point that by introducing one repository in one jurisdiction we will get a problem, especially when software vendors deploy new features.

>
> I don't see the significantly increased risk here by adding DNSSEC.

David, you missed one point - loss of trust - it was one of the items that were practically unchanged for years and became de facto. During all the last discussions on internet governance it was one of the arguments for stability and practical independence - what can we say today?

>
>> After that I want to remind that the political world is not
>> hierarchical - and when we put something with legal background to
>> technical implementation it will immediately raise political issues
>> as it does not reflect reality.
>
> Sorry? What legal background are you talking about?

It is easy enough - digital signatures are based on concrete laws in different countries which are incompatible - please, check.

>
> As for reflecting reality, I'm gathering what you're referencing is
> the fact that the US government has an authorization role in root
> management. First: none of the scenarios for DNSSEC-signing the root
> changes this, so we'd be no better or worse off than we are now.
> Second: lots of governments, many of which are in Europe, support the
> US government having the role it does in root zone management. Given
> this, I suspect it is unlikely there will be a change in roles for the
> foreseeable future. It would be unfortunate if DNSSEC-signing the
> root were held back because of this.

For me the situation seems worse - it is just a personal opinion - but I tried to express it - no more. It is not an argument that some countries support one country, or even a lot of them - discussing this issue we are in a different dimension where no one can dictate to others. Hope you can understand me - that we should recognize national independence (sorry guys for these words - but I can't miss it). Sometimes, the majority can be mistaken. Unfortunately, we can't put this world in just our technocracy models...

Dima

>
> Regards,
> -drc
>