Re: NTIA request for feedback on DNSSEC deployment at the root zone
Brian E Carpenter wrote: Like it or not, civil servants somewhere in an office called NTIA are faced with the task of deciding about these (boring but required) DNSSEC KSK scenarios. Actually they have another option, which is to leave ICANN alone to take the technical decisions for technical reasons, including getting advice from the IETF if they want. Someone may naively believe the NTIA staff *has the option* to let ICANN alone on DNSSEC deployment decisions. But that's not true, because the US "administration" established, and now abides, by the "US Principles on the Internat's Domain Name and Addressing System." That's reference 19 in the Notice of Inquiry. Any submission *aiming* at changing those principles will be quietly ignored by NTIA, a waste of energy from the part of the submitter, and out of scope. But I see your point if you suggest that technical comments should be accompanied by a disclaimer against any implied admission (acknowledgement) of legitimacy for the US governement to maintain oversight of ICANN and/or IANA. Regards, -- - Thierry Moreau ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
On 2008-10-10 18:39, Thierry Moreau wrote: > > > Brian E Carpenter wrote, to multiple mailing lists of which > ietf@ietf.org is the only relevant as far as I am individually concerned: > >> On 2008-10-10 03:50, Olaf Kolkman wrote: >> There are links to a number of process flow diagrams that may interest you. >>> >>> For easy accessibility of those links see: >>> http://www.ntia.doc.gov/DNS/DNSSEC.html >> >> >> I don't think we should endorse in any way the implication that >> the NTIA or any other part of the US (or any other) government >> gets to decide about this. So I suggest that any formal reponse >> from the IAB or IESG should be very clear that this is a decision >> for the community to take and implement. >> > > Wow, that's a late wake up call! The legaleese that binds ICANN to the > US government has been around since ICANN inception. Many people objected to it strongly from the start, and said so. This is hardly a new point. > ...It's this very > legaleese that makes the US government the ultimate "permission" gate > needed for DNSSEC root deployment. If ICANN had been set up in another country, as many people proposed at the time, this argument would certainly have failed. > >> That being said, it's obviously a very desirable thing to do, >> and government encouragement seems welcome. I can't comment >> on which of the detailed proposals is technically best. >> > > This inability makes sense to me, because the IETF (if I'm correct, your > contributions are mainly supportive of the IETF-IESG "progress" - i.e. > effectiveness, influence, assertions of legitimacy and > representativeness, and why not, power) didn't challenge the ICANN-US > governemnt-Verising position in DNS operational issues. That's true; the IETF is not in the business of operating the Internet. But that doesn't preclude the IETF, or its participants, having a *technical* opinion about the mechanics of signing the root. My message was asking that we don't endorse the "political" situation while making technical comments. > ...In other words, > the IETF has not been concerned (beyond relatively minor activity in > dnsop wg) with the ICANN mission, which is multi-faceted. See Stephane's response. Also, the IAB has communicated with NTIA on various occasions about ICANN's mission. > > Like it or not, civil servants somewhere in an office called NTIA are > faced with the task of deciding about these (boring but required) DNSSEC > KSK scenarios. Actually they have another option, which is to leave ICANN alone to take the technical decisions for technical reasons, including getting advice from the IETF if they want. Brian ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
On Thu, 9 Oct 2008 10:03:32 -0400 Tim Polk <[EMAIL PROTECTED]> wrote: > > Folks, > > The National Telecommunications and Information Administration > published a "Notice of Inquiry" entitled > "Enhancing the Security and Stability of the Internet's Domain Name > and Addressing System" in today's > Federal Register: > Note that comments posted to the IETF list aren't seen (at least not officially) by NTIA. Follow the procedure in the Federal Register notice for official comments (and note that they will become part of the public record). --Steve Bellovin, http://www.cs.columbia.edu/~smb ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
On Fri, Oct 10, 2008 at 12:39:37AM -0500, Thierry Moreau <[EMAIL PROTECTED]> wrote a message of 75 lines which said: > In other words, the IETF has not been concerned (beyond relatively > minor activity in dnsop wg) with the ICANN mission, which is > multi-faceted. Do not forget the IANA activity of protocols registry managementn which certainly is important for the IETF. The IANA does not have only a politician role (delaying TLD requests). ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
Brian E Carpenter wrote, to multiple mailing lists of which ietf@ietf.org is the only relevant as far as I am individually concerned: On 2008-10-10 03:50, Olaf Kolkman wrote: There are links to a number of process flow diagrams that may interest you. For easy accessibility of those links see: http://www.ntia.doc.gov/DNS/DNSSEC.html I don't think we should endorse in any way the implication that the NTIA or any other part of the US (or any other) government gets to decide about this. So I suggest that any formal reponse from the IAB or IESG should be very clear that this is a decision for the community to take and implement. Wow, that's a late wake up call! The legaleese that binds ICANN to the US government has been around since ICANN inception. It's this very legaleese that makes the US government the ultimate "permission" gate needed for DNSSEC root deployment. That being said, it's obviously a very desirable thing to do, and government encouragement seems welcome. I can't comment on which of the detailed proposals is technically best. This inability makes sense to me, because the IETF (if I'm correct, your contributions are mainly supportive of the IETF-IESG "progress" - i.e. effectiveness, influence, assertions of legitimacy and representativeness, and why not, power) didn't challenge the ICANN-US governemnt-Verising position in DNS operational issues. In other words, the IETF has not been concerned (beyond relatively minor activity in dnsop wg) with the ICANN mission, which is multi-faceted. Like it or not, civil servants somewhere in an office called NTIA are faced with the task of deciding about these (boring but required) DNSSEC KSK scenarios. Indeed, this activity looks like the last "permission" before actual implementation progress towards deployment - hopefully it is. At its face value, the NTIA call for comments plainly delineates the scope of the issues, their relevance, available options, and the like. If you challenge *now* their legitimacy to so fulfill their "historic role", I don't see whoose "progress" it is. I would add, as a careful observer of NTIA involvement in ICANN / Internet governance, that processes followed by civil servants paid by the US federal government seem quite transparent, open, and accountable, thanks to things like 1) every output documents in the public domain, 2) subject to FOIA inquiries (Freedom of Information Act), 3) parliamentary oversight through reports to the "the House" and hearings, 4) the NOI process (Notice of Inquiry) that is being used in the current instance. (Each of these have specific instances where Internet governance aspects were the central subject matter.) In my view, this overall procedural landscape compares fairly well to e.g. the un-timeliness of release of IAB meeting minutes (pun intended to Olaf). Thus, in the above "like it or not," the arrangement is not as distateful as it looks like at first glance. In other tribunes, I may be very critical of what NTIA does or does not. But this is somehow unrelated to the processes that are followed. Regards, -- - Thierry Moreau ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
On 2008-10-10 03:50, Olaf Kolkman wrote: >> >> There are links to a number of process flow diagrams that may interest >> you. > > For easy accessibility of those links see: > http://www.ntia.doc.gov/DNS/DNSSEC.html I don't think we should endorse in any way the implication that the NTIA or any other part of the US (or any other) government gets to decide about this. So I suggest that any formal reponse from the IAB or IESG should be very clear that this is a decision for the community to take and implement. That being said, it's obviously a very desirable thing to do, and government encouragement seems welcome. I can't comment on which of the detailed proposals is technically best. Brian ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
Olaf, Thanks! That will make everyone's lives much easier. Tim On Oct 9, 2008, at 10:50 AM, Olaf Kolkman wrote: There are links to a number of process flow diagrams that may interest you. For easy accessibility of those links see: http://www.ntia.doc.gov/DNS/DNSSEC.html --Olaf ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
Re: NTIA request for feedback on DNSSEC deployment at the root zone
There are links to a number of process flow diagrams that may interest you. For easy accessibility of those links see: http://www.ntia.doc.gov/DNS/DNSSEC.html --Olaf PGP.sig Description: This is a digitally signed message part ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
NTIA request for feedback on DNSSEC deployment at the root zone
Folks, The National Telecommunications and Information Administration published a "Notice of Inquiry" entitled "Enhancing the Security and Stability of the Internet's Domain Name and Addressing System" in today's Federal Register: SUMMARY: The Department of Commerce (Department) notes the increase in interest among government, technology experts and industry representatives regarding the deployment of Domain Name and Addressing System Security Extensions (DNSSEC) at the root zone level. The Department remains committed to preserving the security and stability of the DNS and is exploring the implementation of DNSSEC in the DNS hierarchy, including at the authoritative root zone level. Accordingly, the Department is issuing this notice to invite comments regarding DNSSEC implementation at the root zone. If you have an opinion on whether DNSSEC should or should not be deployed in the root zone, I urge you to make that position known by submitting comments. Comments are due on November 24, 2008. Contact details are included in the NOI. The "html" version of the NOI is available at http://frwebgate5.access.gpo.gov/cgi-bin/waisgate.cgi? WAISdocID=559077321003+0+0+0&WAISaction=retrieve The PDF version is available at http://frwebgate5.access.gpo.gov/cgi-bin/PDFgate.cgi? WAISdocID=559077321003+0+1+0&WAISaction=retrieve There are links to a number of process flow diagrams that may interest you. (The Federal Register cannot include graphic content.) Note that you will need to tweak the provided links regardless of which version you select; there are formatting and linewrap issues that prevent following the links automatically. Thanks, Tim Polk ___ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf