Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-13 Thread Thierry Moreau



Brian E Carpenter wrote:




Like it or not, civil servants somewhere in an office called NTIA are
faced with the task of deciding about these (boring but required) DNSSEC
KSK scenarios. 



Actually they have another option, which is to leave ICANN alone
to take the technical decisions for technical reasons, including
getting advice from the IETF if they want.



Someone may naively believe the NTIA staff *has the option* to let ICANN 
alone on DNSSEC deployment decisions. But that's not true, because the 
US "administration" established, and now abides, by the "US Principles 
on the Internat's Domain Name and Addressing System." That's reference 
19 in the Notice of Inquiry. Any submission *aiming* at changing those 
principles will be quietly ignored by NTIA, a waste of energy from the 
part of the submitter, and out of scope.


But I see your point if you suggest that technical comments should be 
accompanied by a disclaimer against any implied admission 
(acknowledgement) of legitimacy for the US governement to maintain 
oversight of ICANN and/or IANA.


Regards,

--

- Thierry Moreau

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-13 Thread Brian E Carpenter
On 2008-10-10 18:39, Thierry Moreau wrote:
> 
> 
> Brian E Carpenter wrote, to multiple mailing lists of which
> ietf@ietf.org is the only relevant as far as I am individually concerned:
> 
>> On 2008-10-10 03:50, Olaf Kolkman wrote:
>>
 There are links to a number of process flow diagrams that may interest
 you.
>>>
>>> For easy accessibility of those links see:
>>> http://www.ntia.doc.gov/DNS/DNSSEC.html
>>
>>
>> I don't think we should endorse in any way the implication that
>> the NTIA or any other part of the US (or any other) government
>> gets to decide about this. So I suggest that any formal reponse
>> from the IAB or IESG should be very clear that this is a decision
>> for the community to take and implement.
>>
> 
> Wow, that's a late wake up call! The legaleese that binds ICANN to the
> US government has been around since ICANN inception. 

Many people objected to it strongly from the start, and said so. This
is hardly a new point.

> ...It's this very
> legaleese that makes the US government the ultimate "permission" gate
> needed for DNSSEC root deployment.

If ICANN had been set up in another country, as many people proposed
at the time, this argument would certainly have failed.

> 
>> That being said, it's obviously a very desirable thing to do,
>> and government encouragement seems welcome. I can't comment
>> on which of the detailed proposals is technically best.
>>
> 
> This inability makes sense to me, because the IETF (if I'm correct, your
> contributions are mainly supportive of the IETF-IESG "progress" - i.e.
> effectiveness, influence, assertions of legitimacy and
> representativeness, and why not, power) didn't challenge the ICANN-US
> governemnt-Verising position in DNS operational issues.

That's true; the IETF is not in the business of operating the Internet.
But that doesn't preclude the IETF, or its participants, having
a *technical* opinion about the mechanics of signing the root. My
message was asking that we don't endorse the "political" situation
while making technical comments.

> ...In other words,
> the IETF has not been concerned (beyond relatively minor activity in
> dnsop wg) with the ICANN mission, which is multi-faceted.

See Stephane's response. Also, the IAB has communicated with NTIA
on various occasions about ICANN's mission.

> 
> Like it or not, civil servants somewhere in an office called NTIA are
> faced with the task of deciding about these (boring but required) DNSSEC
> KSK scenarios. 

Actually they have another option, which is to leave ICANN alone
to take the technical decisions for technical reasons, including
getting advice from the IETF if they want.

   Brian

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-10 Thread Steven M. Bellovin
On Thu, 9 Oct 2008 10:03:32 -0400
Tim Polk <[EMAIL PROTECTED]> wrote:

> 
> Folks,
> 
> The National Telecommunications and Information Administration  
> published a "Notice of Inquiry" entitled
> "Enhancing the Security and Stability of the Internet's Domain  Name  
> and Addressing System" in today's
> Federal Register:
> 
Note that comments posted to the IETF list aren't seen (at least not
officially) by NTIA.  Follow the procedure in the Federal Register
notice for official comments (and note that they will become part of
the public record).


--Steve Bellovin, http://www.cs.columbia.edu/~smb
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-10 Thread Stephane Bortzmeyer
On Fri, Oct 10, 2008 at 12:39:37AM -0500,
 Thierry Moreau <[EMAIL PROTECTED]> wrote 
 a message of 75 lines which said:

> In other words, the IETF has not been concerned (beyond relatively
> minor activity in dnsop wg) with the ICANN mission, which is
> multi-faceted.

Do not forget the IANA activity of protocols registry managementn
which certainly is important for the IETF. The IANA does not have only
a politician role (delaying TLD requests).
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-09 Thread Thierry Moreau



Brian E Carpenter wrote, to multiple mailing lists of which 
ietf@ietf.org is the only relevant as far as I am individually concerned:



On 2008-10-10 03:50, Olaf Kolkman wrote:


There are links to a number of process flow diagrams that may interest
you.


For easy accessibility of those links see:
http://www.ntia.doc.gov/DNS/DNSSEC.html



I don't think we should endorse in any way the implication that
the NTIA or any other part of the US (or any other) government
gets to decide about this. So I suggest that any formal reponse
from the IAB or IESG should be very clear that this is a decision
for the community to take and implement.



Wow, that's a late wake up call! The legaleese that binds ICANN to the 
US government has been around since ICANN inception. It's this very 
legaleese that makes the US government the ultimate "permission" gate 
needed for DNSSEC root deployment.



That being said, it's obviously a very desirable thing to do,
and government encouragement seems welcome. I can't comment
on which of the detailed proposals is technically best.



This inability makes sense to me, because the IETF (if I'm correct, your 
contributions are mainly supportive of the IETF-IESG "progress" - i.e. 
effectiveness, influence, assertions of legitimacy and 
representativeness, and why not, power) didn't challenge the ICANN-US 
governemnt-Verising position in DNS operational issues. In other words, 
the IETF has not been concerned (beyond relatively minor activity in 
dnsop wg) with the ICANN mission, which is multi-faceted.


Like it or not, civil servants somewhere in an office called NTIA are 
faced with the task of deciding about these (boring but required) DNSSEC 
KSK scenarios. Indeed, this activity looks like the last "permission" 
before actual implementation progress towards deployment - hopefully it 
is. At its face value, the NTIA call for comments plainly delineates the 
scope of the issues, their relevance, available options, and the like. 
If you challenge *now* their legitimacy to so fulfill their "historic 
role", I don't see whoose  "progress" it is.


I would add, as a careful observer of NTIA involvement in ICANN / 
Internet governance, that processes followed by civil servants paid by 
the US federal government seem quite transparent, open, and accountable, 
thanks to things like 1) every output documents in the public domain, 2) 
subject to FOIA inquiries (Freedom of Information Act), 3) parliamentary 
oversight through reports to the "the House" and hearings, 4) the NOI 
process (Notice of Inquiry) that is being used in the current instance. 
(Each of these have specific instances where Internet governance aspects 
were the central subject matter.) In my view, this overall procedural 
landscape compares fairly well to e.g. the un-timeliness of release of 
IAB meeting minutes (pun intended to Olaf). Thus, in the above "like it 
or not," the arrangement is not as distateful as it looks like at first 
glance.


In other tribunes, I may be very critical of what NTIA does or does not. 
But this is somehow unrelated to the processes that are followed.


Regards,

--

- Thierry Moreau

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-09 Thread Brian E Carpenter
On 2008-10-10 03:50, Olaf Kolkman wrote:
>>
>> There are links to a number of process flow diagrams that may interest
>> you.
> 
> For easy accessibility of those links see:
> http://www.ntia.doc.gov/DNS/DNSSEC.html

I don't think we should endorse in any way the implication that
the NTIA or any other part of the US (or any other) government
gets to decide about this. So I suggest that any formal reponse
from the IAB or IESG should be very clear that this is a decision
for the community to take and implement.

That being said, it's obviously a very desirable thing to do,
and government encouragement seems welcome. I can't comment
on which of the detailed proposals is technically best.

   Brian
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-09 Thread Tim Polk

Olaf,

Thanks!  That will make everyone's lives much easier.

Tim

On Oct 9, 2008, at 10:50 AM, Olaf Kolkman wrote:



There are links to a number of process flow diagrams that may  
interest you.


For easy accessibility of those links see:
http://www.ntia.doc.gov/DNS/DNSSEC.html


--Olaf


___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-09 Thread Olaf Kolkman


There are links to a number of process flow diagrams that may  
interest you.


For easy accessibility of those links see:
http://www.ntia.doc.gov/DNS/DNSSEC.html


--Olaf


PGP.sig
Description: This is a digitally signed message part
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


NTIA request for feedback on DNSSEC deployment at the root zone

2008-10-09 Thread Tim Polk


Folks,

The National Telecommunications and Information Administration  
published a "Notice of Inquiry" entitled
"Enhancing the Security and Stability of the Internet's Domain  Name  
and Addressing System" in today's

Federal Register:


SUMMARY: The Department of Commerce (Department) notes the increase in
interest among government, technology experts and industry
representatives regarding the deployment of Domain Name and Addressing
System Security Extensions (DNSSEC) at the root zone level. The
Department remains committed to preserving the security and stability
of the DNS and is exploring the implementation of DNSSEC in the DNS
hierarchy, including at the authoritative root zone level.  
Accordingly,

the Department is issuing this notice to invite comments regarding
DNSSEC implementation at the root zone.



If you have an opinion on whether DNSSEC should or should not be  
deployed in the root zone, I urge you to make
that position known by submitting comments.   Comments are due on  
November 24, 2008.   Contact details are

included in the NOI.

The "html" version of the NOI is available at
 http://frwebgate5.access.gpo.gov/cgi-bin/waisgate.cgi? 
WAISdocID=559077321003+0+0+0&WAISaction=retrieve


The PDF version is available at
 http://frwebgate5.access.gpo.gov/cgi-bin/PDFgate.cgi? 
WAISdocID=559077321003+0+1+0&WAISaction=retrieve


There are links to a number of process flow diagrams that may  
interest you.  (The Federal Register cannot include graphic
content.) Note that you will need to tweak the provided links  
regardless of which version you select; there are formatting

and linewrap issues that prevent following the links automatically.

Thanks,

Tim Polk
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf