To the IETF mailing list subscribers:

The US government involvement in DNSSEC operations is almost certainly not in-scope for the ietf mailing list. Thus, it would be counterproductive to start a discussion based on Mr. Baptista comments on this topic (hence no in-line comments in the original message below).

However, the question remains: which forum, if any, is appropriate for a discussion? I don't have the answer, so I merely share the following observations.

A) ICANN was specifically requested to abstain from public consultations about its proposal to deploy DNSSEC at the root. This is in a letter from US Department of Commerce to ICANN, ref http://www.icann.org/correspondence/baker-to-twomey-09sep08.pdf (filed among other documents in http://www.icann.org/correspondence/ ).

B) The US Department of Commerce issued a public comment notice (the deadline is now past), see http://www.ntia.doc.gov/DNS/DNSSEC.html . This forum has been used by Mr. Baptista. I was favourably impressed by the material written by NTIA staff (and published in the Federal Register), so I would recommend this reading (at http://www.ntia.doc.gov/frnotices/2008/FR_DNSSEC_081009.pdf ). However, this "forum" is not really interactive.

C) Some other forums on which DNSSEC protocol and operational aspects are discussed frequently avoid and/or terminate discussions about US government involvement in DNSSEC operations for the DNS root. I do not blame their moderator or anybody else, I'm just reporting an observation.

D) If any stakeholder group or representatives see some effectiveness in the WSIS, the discussions on DNSSEC deployment would fall under the heading "critical Internet resources." I don't see much potential for active discussion on this front, but it's only my opinion.

So, that's it. Anybody has other suggestions for an appropriate forum for DNSSEC deployment at the root *including* US government involvement?

Regards,

- Thierry Moreau


Joe Baptista wrote:


DNSSEC indeed violates the end to end principle. It's simply that simple. And it asks us to put our trust in the root a.k.a. ICANN. I don't think governments world wide are going to put their trust and faith in ICANN. The U.S. Government is the only government that has been bamboozled into adopting DNSSEC into .gov infrastructure.

I wonder how President Obama would feel about handing over the keys to U.S. Government infrastructure to a U.S. contractor. I'd have trouble sleeping at night if that was the case.

I've addressed this at length in my comments to the NTIA.

http://www.ntia.doc.gov/DNS/comments/comment034.pdf

If the U.S. government wants DNSSEC today then it must nationalize the roots. I don't even trust Vixie with the root. I remember when he hijacked the root with Postel. Or as they put it "we were only running an experiment".

In any case the new infrastructure campaign demands U.S. government roots be set up to exclusively serve U.S. network infrastructure.

regards
joe baptista

p.s. If you want to secure the DNS end to end - think DNSCurve - not DNSSEC.

http://dnscurve.org/


On Sat, May 30, 2009 at 7:27 PM, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp <mailto:mo...@necom830.hpcl.titech.ac.jp>> wrote:

    Francis Dupont wrote:

     > => not only this is very arguable (for instance about the resource
     > exhaustion) but no hop-by-hop/channel security, even something as
     > strong as TSIG, can provide what we need, i.e., end-to-end/object
     > security (*).

    Unless your meaning of end-to-end differs from that of David Clark,
    the following argument of his paper is applicable to DNSSEC.

           http://portal.acm.org/citation.cfm?doid=383034.383037
           Rethinking the design of the Internet:
           The end to end arguments vs. the brave new world

           The certificate is an assertion by that (presumably
           trustworthy) third party that the indicated public key
           actually goes with the particular user.

           These certificates are principal components of essentially
           all public key schemes,

    That is, security of DNSSEC involves third parties and is not end
    to end.

     > PS (*): I use the common meaning of end-to-end, not Masataka
    Ohta's one.

    I'm afraid you don't know who David Clark is and how he is related
    to the end to end argument.

    However, all the people who are qualified to discuss end to end do
    know him and his argument.

                                                           Masataka Ohta

    _______________________________________________
    Ietf mailing list
    Ietf@ietf.org <mailto:Ietf@ietf.org>
    https://www.ietf.org/mailman/listinfo/ietf




--
Joe Baptista

www.publicroot.org <http://www.publicroot.org>
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com <http://www.joebaptista.wordpress.com>



--
Joe Baptista

www.publicroot.org <http://www.publicroot.org>
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com <http://www.joebaptista.wordpress.com>


------------------------------------------------------------------------

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

Reply via email to