[EURO-Discuss] ALAC-WG on DNSSEC

JFC Morfin jefsey at jefsey.com
Sat Aug 30 08:30:32 EDT 2008


Dear Lutz,
There are two different things. ALAC assisting ICANN in the users 
fields, and ALS assisting users in fields where ICANN operates. I am 
certainly willing to help ICANN and IETF as long as this helps them to 
help the users better. But I do not forget that my priorities are to 
myself and to my fellow users.

At 22:48 29/08/2008, Lutz Donnerhacke wrote:
>On Fri, Aug 29, 2008 at 07:28:41PM +0200, JFC Morfin wrote:
> > would it not help if we investigated an ALAC-WG on Security as seen
> > from a user point of view (documentation, solutions, open tools) ?
>
>Personally I think it's more work than it's worth. Compiling collections of
>already known technical things is better maintained by those who are
>directly involved. AtLarge (not only ALAC) has connections to the SSAC which
>should be used for this subject. DNSSEC is currently hyped by the Dan
>Kaminsky show, which was a good and serious hack, but somewhat overpromoted.

This is not exactly how I see it. What I observe is that Dan's show 
helps those who have the agenda to take over the Internet in taking 
over the IANA and centralising security, what could be called the "US 
Industry digital umbrella". This DNSSEC story is, as you say, an 
overpromotion of the centralised root server system. I think (1) the 
root server system is something the cons and pros are to be carefully 
reviewed from a user point of view (cf. ICANN ICP-3 document) and 
that (2) DNSSEC must be studied the same, by users.

IMHO the situation today could eventually badly hurt ICANN (depending 
on what ICANN wants to be). Questions are:
- is the root server system a good system or not from a user perspective.
- is DNSSEC a good solution or not in a root/non root server system 
from a user perspective.
- who should be the concerned operators from a user perspective.
- who is endangering the capacity of these operators to develop, why and how.

>AtLarge can and should contribute to the political and personal implications
>of signing the root. There are several open issues and a lot of FUD to
>clarify.

Yes. But we need to have the @large users to be aware enough of the 
root of the root management situation. This is why they must have a 
full command of the technical, commercial, strategic, societal and 
normative interests involved. This documentation does not exist if I 
am correct?

>The most prominent FUD is that the possession of the root keys
>implies the power to rule the Internet. A large part of "the truth"(tm) is
>that the current operators of the root zone already have that power.

This is no more true, for several reasons. (1) as Vint says "the 
root" is the one with the largest number of users. This makes the 
GSMA (the mobile operator association) to run the real root. (2) I do 
not think that the current root vision will extend to the 
Multilingual Internet, because Vint Cerf as a Chair of the WG-IDNABIS 
acknowledged that their target was not such. (3) for years, following 
ICANN ICP-3 guidance I have verified that what counts is that there 
is no conflict in the "virtual root of the world" (all the active 
TLDs) not the old "intlfile", now the NTIA root file (4) because the 
largest part of the Internet is now using TLDs and topzone name 
servers that are not in the root (China, ISPs, etc.) and if I 
understand you well your 15000 users.

So the real questions are: who is really controlling the IANA, who is 
in position to control it in the coming months/years. Is DNSSEC 
something of real interest or not depending the way the users use it? 
What will be its political consequences on the stability and 
interoperability of the Internet. How the semantic addressing and its 
hundreds of thousands of top zones will be impacted/impact all this. etc.

IMHO these questions can currently only be understood and addressed 
by Internet lead users focussing on their own long terms interests, 
because they most probably oppose the short term interests of those 
who de facto sponsor the IETF (cf. IAB RFC 3869). Someone competent 
has to look responsibly at the situation. The US position over DNSSEC 
will have the first advantage to teach DNSSEC to civil servants and 
militaries. We need the @large to keep level to understand and 
influence the resulting decisions, USG strategy and responses of the 
US Industry.

In this case, the responsibility of advising ICANN, but also Europe 
and currently the French Government who is in charge of preparing a 
European proposition 40 days from now, lies with us.

> > other on identification. This could be within ALAC a first test what
> > advocate : a multilingual technical user support cooperation?
>
>Supporting technical and operational issues are really hard work.

No one else than ourselves for our own systems will do it. It has to 
be understood if this is too hard work for credibility. What are the 
possible alternatives and the simplifications that Europe is to work on.

>I fear
>that Atlarge organization is not able to offer this in the full broad sense.

Let us not confuse ALAC and the ALSes.

>Supporting political and personal issues is a good and valuable target to
>aim to. Compiling multilanguage background, too.

Yes. This is a first step, towards the next one. All this, due to 
the importance of the Internet in our lives and economies, is about 
our own survival as nations (look at Estonia, Georgia) with the 
alternative of a US/NATO/Google (?) digital umbrella.

> > At 18:44 29/08/2008, Lutz Donnerhacke wrote:
> > >Of course, that's why I volunteer for a DNSSEC track on the AtLarge summit in
> > >Cairo. Preparing this track requires to collect and write such materials.
> >
> > And possibly test it?
>
>That's part of my proposal. I'd like to see the signed root (of IANA)
>productive on the validating resolvers during the whole summit and meeting.

Question: what will be the situation of the topzone nameservers which 
are not in the root but which are documented in through the TLD nameservers?

>I run a signed root since more than two years in production environments
>(for ~15000 people) and one of the largest DLVs.

You mean a signed root Down Loadable Version :-)? Where can we get and test it?

>  It's technically and
>operationally possible. AtLarge can show, that ICANN is able to handle the
>political issues (at least for the Cairo meeting) too.

I am sure ALAC can handle it.
ICANN if I am correct has announced its intent to do it two years ago 
in its strategic plan and has not moved upon it. My concern is that 
the first thing the USG people will do will be to sign the root they 
will use. They do not need ICANN for that. Then what shall Europe and China do?

---

Additional remarks on the @large, ALAC + Europe + users aspects :

1) on the Unbound mailing list:  (the DNS software by NLnet Labs, 
sponsored by Nominet and Verisign) :  "the U.S. has been dragging its 
feet, but will now encourage itself and others to get on board. This 
is a great opportunity for DNSSEC-by-design Unbound, which appears to 
both work well as a DNSSEC resolver AND is leading the pack with 
important new security features (e.g. scrubbers), that both 
enterprise and users are beginning to value". IMHO this is something 
we need to evaluate, confirm, document in layman words, etc. in the 
best interest of the European publics and enterprises.

2) I went on the http://DNSSEC.org to see if there is something user 
oriented. I tried the "How-to". The first sentence is "This part 
deals with securing data in zone files. We describe how to generate and 
manage keys, how to set up a recursive name server to validate signed 
zone data and how to sign and serve zones." Hardly something people 
can understand the meaning at first glance.

3) from your knowledge of the DNSSEC, what is the current pertinence 
of RFC 3833? Would it be interesting to update it and present it in a 
more readable/practical way to users ?



