[EURO-Discuss] ALAC-WG on DNSSEC
JFC Morfin
jefsey at jefsey.com
Sat Aug 30 08:30:32 EDT 2008
Dear Lutz,
There are two different things. ALAC assisting ICANN in the users
fields, and ALS assisting users in fields where ICANN operates. I am
certainly willing to help ICANN and IETF as long as this helps them to
help the users better. But I do not forget that my priorities are to
myself and to my fellow users.
At 22:48 29/08/2008, Lutz Donnerhacke wrote:
>On Fri, Aug 29, 2008 at 07:28:41PM +0200, JFC Morfin wrote:
> > would it not help if we investigated an ALAC-WG on Security as seen
> > from a user point of view (documentation, solutions, open tools) ?
>
>Personally I think it's more work than it's worth. Compiling collections of
>already known technical things is better maintained by those who are
>directly involved. AtLarge (not only ALAC) has connections to the SSAC which
>should be used for this subject. DNSSEC is currently hyped by the Dan
>Kaminsky show, which was a good and serious hack, but somewhat overpromoted.
This is not exactly how I see it. What I observe is that Dan's show
helps those who have the agenda to take over the Internet in taking
over the IANA and centralising security, what could be called the "US
Industry digital umbrella". This DNSSEC story is, as you say, an
overpromotion of the centralised root server system. I think (1) the
root server system is something the cons and pros are to be carefully
reviewed from a user point of view (cf. ICANN ICP-3 document) and
that (2) DNSSEC must be studied the same, by users.
IMHO the situation today could eventually badly hurt ICANN (depending
on what ICANN wants to be). Questions are:
- is the root server system a good system or not from a user perspective.
- is DNSSEC a good solution or not in a root/non root server system
from a user perspective.
- who should be the concerned operators from a user perspective.
- who is endangering the capacity of these operators to develop, why and how.
>AtLarge can and should contribute to the political and personal implications
>of signing the root. There are several open issues and a lot of FUD to
>clarify.
Yes. But we need to have the @large users to be aware enough of the
root of the root management situation. This is why they must have a
full command of the technical, commercial, strategic, societal and
normative interests involved. This documentation does not exist if I
am correct?
>The most prominent FUD is that the possession of the root keys
>implies the power to rule the Internet. A large part of "the truth"(tm) is
>that the current operators of the root zone have already that power.
This is no more true, for several reasons. (1) as Vint says "the
root" is the one with the largest number of users. This makes the
GSMA (the mobile operator association) to run the real root. (2) I do
not think that the current root vision will extend to the
Multilingual Internet, because Vint Cerf as a Chair of the WG-IDNABIS
acknowledged that their target was not such. (3) for years, following
ICANN ICP-3 guidance I have verified that what counts is that there
is no conflict in the "virtual root of the world" (all the active
TLDs) not the old "intlfile", now the NTIA root file (4) because the
largest part of the Internet is now using TLDs and topzone name
servers that are not in the root (China, ISPs, etc.) and if I
understand you well your 15000 users.
So the real questions are: who is really controlling the IANA, who is
in position to control it in the coming months/years. Is DNSSEC
something of real interest or not depending the way the users use it?
What will be its political consequences on the stability and
interoperability of the Internet. How the semantic addressing and its
hundreds of thousands of top zones will be impacted/impact all this. etc.
IMHO these questions can currently only be understood and addressed
by Internet lead users focussing on their own long terms interests,
because they most probably oppose the short term interests of those
who de facto sponsor the IETF (cf. IAB RFC 3869). Someone competent
has to look responsibly at the situation. The US position over DNSSEC
will have the first advantage to teach DNSSEC to civil servants and
militaries. We need the @large to keep level to understand and
influence the resulting decisions, USG strategy and responses of the
US Industry.
In this case, the responsibility of advising ICANN, but also Europe
and currently the French Government who is in charge of preparing a
European proposition 40 days from now, lies with us.
> > other on identification. This could be within ALAC a first test what
> > advocate : a multilingual technical user support cooperation?
>
>Supporting technical and operational issues are really hard work.
No one else than ourselves for our own systems will do it. It has to
be understood if this is too hard work for credibility. What are the
possible alternatives and the simplifications that Europe is to work on.
>I fear
>that Atlarge organization is not able to offer this in the full broad sense.
Let us not confuse ALAC and the ALSes.
>Supporting political and personal issues is a good and valuable target to
>aim to. Compiling multilanguage background, too.
Yes. This is a first step, towards the next one. All this, due to
the importance of the Internet in our lives and economies, is about
our own survival as nations (look at Estonia, Georgia) with the
alternative of a US/NATO/Google (?) digital umbrella.
> > At 18:44 29/08/2008, Lutz Donnerhacke wrote:
> > >Of course, that's why I volunteer for a DNSSEC track on the AtLarge summit in
> > >Cairo. Preparing this track requires to collect and write such materials.
> >
> > And possibly test it?
>
>That's part of my proposal. I'd like to see the signed root (of IANA)
>productive on the validating resolvers during the whole summit and meeting.
Question: what will be the situation of the topzone nameservers which
are not in the root but which are documented in through the TLD nameservers?
>I run a signed root since more than two years in production environments
>(for ~15000 people) and one of the largest DLVs.
You mean a signed root Down Loadable Version :-)? Where can we get and test it?
> It's technically and
>operationally possible. AtLarge can show, that ICANN is able to handle the
>political issues (at least for the Cairo meeting) too.
I am sure ALAC can handle it.
ICANN if I am correct has announced its intent to do it two years ago
in its strategic plan and has not moved upon it. My concern is that
the first thing the USG people will do will be to sign the root they
will use. They do not need ICANN for that. Then what shall Europe and China do?
---
Additional remarks on the @large, ALAC + Europe + users aspects :
1) on the Unbound mailing list: (the DNS software by NLnet Labs,
sponsored by Nominet and Verisign) : "the U.S. has been dragging its
feet, but will now encourage itself and others to get on board. This
is a great opportunity for DNSSEC-by-design Unbound, which appears to
both work well as a DNSSEC resolver AND is leading the pack with
important new security features (e.g. scrubbers), that both
enterprise and users are beginning to value". IMHO this is something
we need to evaluate, confirm, document in layman words, etc. in the
best interest of the European publics and enterprises.
2) I went on the http://DNSSEC.org to see if there is something user
oriented. I tried the "How-to". The first sentence is "This part
deals with securing data in zone files. We describe how to generate and
manage keys, how to set up a recursive name server to validate signed
zone data and how to sign and serve zones." Hardly something people
can understand the meaning at first glance.
3) from your knowledge of the DNSSEC, what is the current pertinence
of RFC 3833? Would it be interesting to update it and present it in a
more readable/practical way to users ?