Government Begins Securing Root Zone File

Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.

That's going to be interesting.

[assantisz]

I have my popcorn ready for the show.

Re:That's going to be interesting.

[morcego]

Here is another suggestion: IEEE

Re:That's going to be interesting.

Don't panic.

Re:That's going to be interesting.

[thoughtlover]

How about the EFF?

Those who do not understand DNS

[Gothmolly]

Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something.

Re:Those who do not understand DNS

[alexborges]

I know i know, lets give it to some wallstreet bankers!

Re:Those who do not understand DNS

[rs79]

"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something. "

Those who don't understand DNS would recommend giving it to IBM.

Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise icann which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies icann is a membership organization and 10 years later you still can join and have a vote. Ahem.

During this time and for 5 years before that I run the a root to one of the alternative root zones.

If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.

But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.

Re:Those who do not understand DNS

[PinkyDead]

One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.

Re:Those who do not understand DNS

[alexborges]

Can I be the president of your fan club?

Re:Those who do not understand DNS

[alexborges]

Boy this is getting old. ....

Its cool though.

Re:Those who do not understand DNS

[Dani+Filth]

Now that's a funny sig.

Re:Those who do not understand DNS

[hesaigo999ca]

IBM was only one of his choices, although a poor one, I would opt for google, seeing as they already own the internet per say...they are trying to cache the whole thing on their backend....imagine that....why not allow them also to geometrically setup a cache of dns servers rolling out lookups...they would be able to do it...and have the room for all the bacxkups too!

Re:Those who do not understand DNS

[Zarf_is_with_you]

Maybe Hellboy should hold the key...... ;)

Re:Those who do not understand DNS

One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.

freakin beautiful

*wipes tear from eye*

bravo

Re:Those who do not understand DNS

[Random+BedHead+Ed]

"I will take the key to Redmond ... but I do not know the way."

Re:Those who do not understand DNS

[OeLeWaPpErKe]

Or to ACORN.

Re:Those who do not understand DNS

[alexborges]

Ive got to say this:

YES, it would actually be better held in the hands of a normal citizen than in the hands of people that can only think of their next very personal 100 million of wrongfully earned dollars.

Re:Those who do not understand DNS

[IorDMUX]

*applause* Perhaps(?): "One key to certify, and in the darkness, bind them."

Re:Those who do not understand DNS

[Wowlapalooza]

"Alternative root zones"? ROFL. That ship has already launched and sank miserably. A unitary root zone is the only practical model.

As for DNSSEC, again, it may not be perfect, but it's the most thoroughly defined, mature solution we have for the DNS data integrity problem. DNSCurve, like most of DJB's creations, is a clever little academic exercise, but nowhere near as close to implementation as DNSSEC.

Mommy, what's Usenet?

Re:Those who do not understand DNS

[crotherm]

I know this is a few days old, (I work thus I am always behind in /.) but your concerns intrigue me. What are your recommendations?

None of the above

[jeffasselin]

Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?

Re:None of the above

Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.

Re:None of the above

Wow. Sometimes the void is so large, there is just no reasonable way to respond.

Re:None of the above

[MightyYar]

The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

Re:None of the above

[Kamokazi]

Hell, I'd trust the greedy bastards at Verisign way before the UN.

But yeah, all those options kinda suck. ICANN is the lesser of the evils tough by a wide margin.

Re:None of the above

[FireStormZ]

And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

Re:None of the above

[ThatFunkyMunki]

You have no recourse but to look into it until it looks back at you...

Re:None of the above

[alexborges]

"If patriotism is racist, is racism patriotic?"

No.

And green is not lemon. And the orange color does not smell.

He-Lo?

Re:None of the above

YHBT, HAND.

Re:None of the above

How about some UN organization instead?

You must be joking.

Re:None of the above

[Jesus_666]

The question is who to give it to. The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check. And I'm not in favor of giving a nation control over an international resource simply because it was deployed there first. That'd be like ultimately deferring to France in all aviation matters because of the Montgolfier brothers.

Really, who should get the root zone file? Nobody is eligible so we either give it to nobody or adjust our standards so someine is. The question is, do we accept a multinational body where any attempt at tampering might get vetoed by other members or do we accept a single nation where that isn't the case?

The UN seem like the safer choice because of more oversight. (Also, let's not forget that any bloc that feels left out can simply start their own root server network or switch over to one already running, thus it's not a wise idea to bind the one most of us currently use too much to a single nation.)

Re:None of the above

[foobsr]

organization of free democracies

Leading surveillance societies in the EU and the World 2007

Clearly in the lead: China, Russia, US ...

CC.

Re:None of the above

[operagost]

Maybe you shouldn't betray your political leanings by singling out the RNC. There are "free speech zones" at the DNC too. It seems to be more dependent on the attitude of the hosting city. At least we don't imprison grandmothers and sentence them to hard labor just for asking to protest.

Re:None of the above

[MightyYar]

While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.

Re:None of the above

[MightyYar]

The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

The UN seem like the safer choice because of more oversight.

Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the majority. Second, the UN has no actual power to do anything outside of the security council. These committees and such all simply advise the security counsel. If someone were to get out of line, you'd need the security council to actually take action. With Russia and China as veto-wielding members, no action would ever come on issues of free speech.

But mostly, you are dead-on about it not being all that critical. DNS is mirrored all over the place, and if the US ever went bat-shit nuts the rest of the world could just run their own mirrors.

Re:None of the above

The impotency of UN (as you call it) in Rwanda was mainly due to inaction from western powers.

Lt.-Gen. Dallaire, Canadian general and head of the mission in Rwanda, kept and kept begging the western powers for -any- kind of support. He predicted the genocide months before it even happenned but the countries on the security council kept refusing any change in the mandate of the mission. France did a couple of photo-ops, helped the Hutus in secret and during this time, the US sent a couple of not-working armored vehicles and the Belgians ran away when the water started to boil.

The shame should be on all western powers who refused to even consider increasing the capacities of the UN contingent before and during the genocide.

Re:None of the above

[MightyYar]

So if you aren't private you aren't free?

Re:None of the above

[Sancho]

Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.

The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.

Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees, speakers, and mass media covering the event to be protested. This means that the protest is effectively pointless. Maybe you get a feeling that you're doing something by protesting, but by forcing you to protest where no one can see you, you're certainly not getting your message across.

So it's great and all that I can say pretty much whatever I want in the US. Seriously. I think it's awesome. But what I don't think is awesome is that political speech is effectively censored--that's the kind of speech which is linked to dissent, and which authoritarians want to quash.

[1] The government "allowing" you to exercise your rights should be a giant-old red flag.

Re:None of the above

[MightyYar]

Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.

And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.

It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.

(Note I don't mean you in particular, just the style of writing that I used.)

Re:None of the above

the whole lot of you are offtopic

Re:None of the above

"The impotency of UN (as you call it) in Rwanda was mainly due to inaction from western powers."

Im not a big fan of the 'west guilt' thing especially when you leave out some big facts

Others who did nothing in the UN (China and Russia), also Kofi Annan was the head of UN Peacekeeping operations when the commander of UN forces in Rwanda warned that the Kigali government was planning to slaughter Tutsis. Annan's office ordered Gen'l. Romeo Dallaire of Canada not to protect the informant or to confiscate arms stockpiles. Annan later claimed that he lacked the military might and political backing to stop the slaughter of more than 500,000 people.

Annan let it snowball! And the main guilt and shame shoud lie with those who hacked to death a half million people...

Re:None of the above

I'd have to say yes. This is the principle behind secret voting, for example - if everyone's choice of vote were made public, people might be coerced (by the government, a private entity, criminals, etc) to make a choice other than the one they truly want.

Re:None of the above

[shentino]

Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.

The tree that falls down with nobody to hear it may as well not make a thud.

Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.

Re:None of the above

[MightyYar]

I won't argue that the secret ballot is necessary - but that doesn't mean that EVERYTHING else need to be secret as well... that's one extenuating circumstance.

Re:None of the above

[k1e0x]

The UN? Are you out of your mind? That is the most corrupt incompetent bunch of unelected bureaucrats that have ever existed.

What you want to do.. is you want to make sure the person who holds the key, does not have the power of force behind them.. that means you have to keep it out of the hands of government. ICANN is probably the best choice..

Re:None of the above

[Xest]

You do realise the only 2 countries not in the UN are Vatican City and Taiwan?

Are you suggesting that every other country in the world supports censorship of political speech?

Wouldn't it be a better idea to actually get a clue about an organisation for slagging it off? The UN has wide and varied roles, some it's great at, others not so. How can you be so sure the internet would be in the not so category?

Re:None of the above

[MightyYar]

Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.

No, it isn't. Their message is fringe and not even close to being popular. They are ignored, and so make noise. The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.

Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.

That's just absurd. Violent protests have no place in a civil society. That is the whole point of free speech and the justice system. You can say anything you want without tearing shit up.

Do you really think "the right to free speech" should include location? Like, in the middle of a highway? Fuck everyone - just shut down afternoon traffic because you have something to say?

Re:None of the above

[Narcocide]

Pick me! Pick me! :)

Re:None of the above

[MightyYar]

Even the worst member countries have a hard time being "for hunger" or "for disease", so the UN does a really good job helping hungry and diseased people. They suck at enforcing human rights and things like that, where the member countries don't want to get acted against themselves.

Censorship, well, most of the UN members have more restrictions on freedom of speech than the US does. Why in the world would I, as a US citizen, entrust that organization to regulate the internet? I might entrust countries from Western Europe (though we'd have to make sure that hate speech is protected somehow)... maybe Japan and Australia. I sure as hell don't trust China, Russia, most of the Middle East, or most of Africa. South America has several countries that continue to curtail free speech.

Re:None of the above

And which of the suggested organisations given do that? And who should be holding on to it in the meantime? This key doesn't currently exist, so you can't say that whoever's currently got it should keep it.

Frankly, the only people I'd trust are the IETF. It's a pity that ICANN isn't really trustworthy. Unfortunately, given it's ICANN that can create new root domains, they're the ones that will probably end up having the key. (Despite the obivous money-grabbing attempts - look at that whole '.biz' domain nonsense.)

http://en.wikipedia.org/wiki/ICANN#Alternatives

Besides, remember that the USA can veto any of the U.N security council's decisions (as can France, Russia, China and the UK).

Re:None of the above

[Jesus_666]

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

Yes, some of the UN member states are't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things like the DHS, Gitmo, unwarranted searches, free speech zones etc. aren't exactly painting the USA as the paragon of freedom of expression -- or even freedom at all. I get to choose between a committe of nations, some of which don't value human rights as highly as they should, or a single nation that doesn't value human rights as highly as it should.

If the USA want to be able to claim moral high ground on human rights issues again they're going to have to behave extremely well for at least a decade. Currently their credibility is severely damaged.


By the way, with "they don't care about separating government and big business" I didn't mean that the government imposes on business but the other way around. I meant plain old corruption (or extortion in some cases). The increasing eccentricity of American tech and IP laws really makes it look like you guys have the best politicians money can buy.

I dont hate the USA or anything (was there twice; nice people, quaint architecture), but currently they're like a drunk guy with a broken bottle you encounter while bar-hopping: Much better armed than you are, mostly unpredictable and unlikely to be nice. In short, they're scary.

Second, the UN has no actual power to do anything outside of the security council. These committees and such all simply advise the security counsel. If someone were to get out of line, you'd need the security council to actually take action. With Russia and China as veto-wielding members, no action would ever come on issues of free speech.

Do you really think the US government gives a shit about free speech elsewhere? Assume they're at pseudo-war* with another country. A logical thing to do would be to shut off that country's ccTLD, causing economical damage and hindering civilian information flow. What happens if someone complains? Will the US say "Oh sorry, we didn't think France would get angry!" or would they say "Our root zone, our rules."?

But mostly, you are dead-on about it not being all that critical. DNS is mirrored all over the place, and if the US ever went bat-shit nuts the rest of the world could just run their own mirrors.

Actually, a fragmented root would have the potential to cause some havoc. If Europe gets pissed off at the States enough to switch over to independent-mode ORSN wholesale people will have to make sure their stuff is in two DNS networks instead of just one. Asia might follow suit and suddenly we have three. If those roots diverge we end up with a mess of colliding or incompatible TLDs or even identical domains that resolve differently based on region.

It's not OMG! The End Of The Internet!, but we should avoid it nonetheless.


* The weird kind of war-without-a-declaration-only-it-isn't-really-war we saw in the last couple years.

Re:None of the above

[Xest]

You're still missing the point.

The UN is an entity that consists of just about every single country in the world. Of course that means what your perceive as bad countries are going to be involved but you do realise that they have an equal right to see the US as a bad country?

By having every single country have a say you end up with a view that is balanced upon world opinion, not just US opinion as it is now. US opinion most certainly does not represent the rest of the world and as such cannot be used as the single decision maker for international systems, be they technological, political or even financial. Even most of Europe, the US' closest allies disagree with the US on so very many things.

The US is no longer seen internationally as a country whose ways should be followed and who should be entrusted with important tasks and be allowed to make important decisions alone. For some American citizens to believe that this is the case and that the US should have the right to control such important systems as the internet by itself in this day and age only goes to show exactly why the US shouldn't be in control - sheer ignorance of and arrogance towards the rest of the world.

Re:None of the above

[MightyYar]

things like the DHS, Gitmo, unwarranted searches, free speech zones etc.

Of the issues you mentioned, only "free speech zones" has anything at all to do with free speech - and that is actually freedom to assemble, since the government does not sort them based on content of speech.

The fact is that the US is more free than almost any other nation when it comes to speech. The only thing we restrict is what is covered by copyright - which sucks but is pretty much on-par with most other nations. DMCA would be our most egregious infringement of free speech IMHO.

Anyhow, the fact that the US has had some human rights snafus under Bush doesn't change the fact that we're significantly freer than people in China and about a hundred or so other nations... most of which are in the UN. Free speech is all that I mentioned because, well, it's very loose in the US and other rights don't really apply to the internet.

Re:None of the above

[Xest]

Yet someone else who doesn't seem to understand what the UN actually is. I can only imagine you're making the mistake of confusing the UN security council with the UN as a whole.

The UN as an organisation consists of all but two countries in the world so yes, of course they're comprised of many nations that censor speech. They also consist of many nations that don't. The whole point in the UN is that it's an organisation that exists to oversee international systems, politics and disputes in such a way that all parties interests are covered.

You seem to be suggesting that your point of view is somehow more important of that of other nations.

Perhaps more strangely though is your suggestion that the UN shouldn't be tasked with looking after the root servers due to ineptitude in Sierra Leone and impotence in Rwanda. Can I just stop you there for a moment and point out the track record of the last 7 years of the nation that currently controls these servers?

I would much rather see an international system maintained by an international body than a nation that has shown a horrific decline in ethical and moral standards and has displayed utter arrogance towards the rest of the world in recent times. In fact, whilst you mention ineptitude in Sierra Leone by the international community one might specifically question what right anyone in the US has to say this when the US couldn't even display competence in it's own backyard during the whole hurricane Katrina disaster and now with the whole financial mess caused primarily by the US.

Re:None of the above

[MightyYar]

You're still missing the point.

Perhaps, but I think we're talking past one another.

I, personally, do not give a shit what the rest of the world's governments think about how the internet is run. In general, the governments of the world are corrupt and authoritarian. I like the internet open, free, and unfiltered/uncensored. Handing it over to the UN is not a likely way to retain those goals.

If the democratic countries of the world want to get together and decide what to do with the internet, I'd be willing to consider that - because I'd hope that a democratic alliance would mostly not try to interfere with freedom of speech.

For some American citizens to believe that this is the case and that the US should have the right to control such important systems as the internet by itself in this day and age only goes to show exactly why the US shouldn't be in control - sheer ignorance of and arrogance towards the rest of the world.

I did not say that the US should have sole control over the internet - only that the UN should not. China, Saudi Arabia, Iran, and other authoritarian regimes can hook up to it if they want, but shouldn't have any say whatsoever. They do not represent anything approaching a free people and I really do not care what their feelings are on the issue.

Re:None of the above

[MightyYar]

NATO might be able to do it. Mostly representative democracies with oodles of free speech. They might not want it, though.

Re:None of the above

[MikeBabcock]

And so long as you believe that, the three-letter agencies running your semi-secret prisons will continue trampling the rights of your fellow citizens, denying them due process and denying you your privacy.

Re:None of the above

[MikeBabcock]

The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.

Those zones shouldn't be necessary, and the permit filing was done long before they existed by many protesters in many situations, but the governments of many western countries, the USA and Canada included have a history of provoking these protesters with their properly filed permits to make them look bad. A few bad apples mixed with a little police brutality and random arrests will lead to a bad situation quickly.

You only believe the protesters are fringe lunatics because of how they're portrayed on the news after the weirdness has erupted. Try finding a nice video of a blogger with a hidden camera at one of these protests from start to finish and you'll see what really goes on.

PS, no, their views aren't fringe, most people just don't understand the issues they stand for and therefore have no stance at all. Public protest is an excellent way to get the attention required to make the public think about what you stand for (and come to their own conclusions).

Re:None of the above

[MightyYar]

You only believe the protesters are fringe lunatics because of how they're portrayed on the news after the weirdness has erupted. Try finding a nice video of a blogger with a hidden camera at one of these protests from start to finish and you'll see what really goes on.

Nooooo... I live in NYC and have the pleasure to stroll through these protests every so often. Usually these people are what I would term professional or at least hobbyist protesters. They are largely from out of town. They tend to represent every insane cause you ever didn't want to know about. All the usuals are there, too. The free Tibet crowd, the "I don't eat this or that" crowd, the "free this wronged convict" crowd, anarchists, communists... maybe you don't consider these people fringe - but they very much are.

As I said before, I agree that the police tend to over-react but in general these things go down pretty well. You'll have 10s of thousands of people with only a few hundred arrests... and most of those are people blocking some road or walkway. You're right that only a few are violent. The walkway and street blocking people are still douchebags, even if they are being non-violent.

Re:None of the above

[MightyYar]

AFAIK, there is one "secret" prison in the US, and it is not very secret. It's bad enough that we have gitmo, don't make it sound worse than it is - you come off as disingenuous that way.

We've voted away our own privacy, and people regularly trade it away for things like discounts on groceries - so don't expect everyone to be on-board with you there, either.

Re:None of the above

[darkpixel2k]

Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.

No. The problem is that we are talking about trust--and the need to find one person or group we ultimately trust.

I'm sure a lot of people out there would share my view:

I have no trust in any other man besides myself.

That goes doubly so for the UN. ;)

Re:None of the above

[pyrrhonist]

You do realise the only 2 countries not in the UN are Vatican City and Taiwan?

The Holy See conducts diplomatic relations on behalf of Vatican City. The Holy See has all the rights of full UN membership except voting (by choice).

There are other nations with similar status to Taiwan that are likewise not represented in the UN. These include: Abkhazia, the Sahrawi Arab Democratic Republic, Kosovo, the Palestinian territories, South Ossetia, the Turkish Republic of Northern Cyprus, Nagorno-Karabakh, Transnistria, and Somaliland.

Re:None of the above

OMG!!! Teh Big Brotha knows I buy BANANAS!! OH NOES!!!

Re:None of the above

The fact is that the US is more free than almost any other nation when it comes to speech.

This is a joke, right?!

Re:None of the above

[Xest]

But still you do understand that at least in the case of Iran and Russia the regimes were voted in by the people their? They're happy with that leadership, I'd say it's almost certain that more people in the world dislike the US leadership than dislike the Russian leadership.

The problem is you're imposing your view on the rest of the world and suggesting it's the only point of view. I too share your viewpoint but the point is there's a massive part of the world that doesn't and you can't simply say their opinion doesn't count just because it's different to yours.

Re:None of the above

[MightyYar]

What nation allows the kinds of speech that the US does? Almost any other nation limits speech more than the US. DMCA is just about the only serious infringement that I can think of.

I'm not talking about other types of protections here - very narrowly talking about speech.

Re:None of the above

[MightyYar]

But still you do understand that at least in the case of Iran and Russia the regimes were voted in by the people their?

That is laughable. Voted in after the opposition was suppressed. In Iran you only get to choose candidates that meet the approval of the religious leadership. The women have no serious rights. They execute you for being homosexual. In Russia, Putin may have been elected originally, but he then eroded freedoms to the extent that he won't be leaving office anytime soon. Sure, he pulled a switcharoo with the offices of Prime Minister and President - but by most accounts he still seems to run the show.

I'd say it's almost certain that more people in the world dislike the US leadership than dislike the Russian leadership.

Whoopdie do. So they hate George Bush for corrupting a once-respected nation more than Putin for pretty much keeping Russia corrupt and aggressive. Ask people which country they'd rather live in. Or next to. See how nervous Canadians are vs. Ukrainians.

The problem is you're imposing your view on the rest of the world and suggesting it's the only point of view.

What? No I'm not. I'm saying, in no uncertain terms, that the regimes of places like Iran and China suck. If I lived in such places, I'd probably have been executed by now for subversion or I'd be sitting in prison as opposition.

I too share your viewpoint but the point is there's a massive part of the world that doesn't and you can't simply say their opinion doesn't count just because it's different to yours.

Actually, yes I can say that and I'm glad that I live in a place where that won't put me in prison. I'll reluctantly respect sovereignty of these places for the illogical reason that it's existed for a fairly long time, but I sure as hell won't let these people take control of something that we currently control if there is a chance that they can make it conform to their corrupt standards. My gut tells me that we should be actively helping people living in these regimes, but I don't think that's pragmatic.

Re:None of the above

[shutdown+-p+now]

To be honest, the map is rather suspect - it puts Greece, a heavily Christian fundamentalist country, at the top.

Re:None of the above

[Xest]

It's another common misunderstanding that Putin is in power because he supressed opposition.

Regardless of opposition he's still the favourite of the majority of Russian people. His supression of opposition certainly silences the opposing viewpoint but the opposing viewpoint is not strong enough to challenge Putin regardless of that supression. It's still very wrong that he does this of course, but the point is that he's still the choice of the majority of Russian people.

You're still using words like "corrupt" when referring to these other nations and this still simply makes no sense in the context of the US being the current controller of the root DNS servers because it in itself is equally corrupt - at least Putin has majority support, something that can't be said for Bush when he was elected and the vote was rigged and something that certainly can't be said now. What about the news articles this year regarding US judges seizing domain names of gambling sites? What about that of them having the wikileaks domain name taken away? It's not like the US is even limiting control to select organisations, it's allowing individual judges to censor the internet as they see fit and in the case of the gambling sites - to businesses that don't even have anything to do with the US anymore having been made illegal there whilst remaining legal in the rest of the world.

You talk about the US not throwing you in jail if you disagree with the ruling power which is great. But how do you think the Afghans feel who disagree with democracy, who liked the Taliban's regime, how do you think these people feel if they're thrown in Guantanamo for agreeing with the Taliban's way of doing things over the US' way? The same goes for Iraq.

Regarding nervousness of Canadian's vs. Ukranians, keep two points in mind. 1) Canada is also rather close to Russia also and is in dispute with it and the US over arctic territory, 2) Bolivia, Venezuela, Cuba are as equally nervous of the US as the Ukraine is of Russia, bearing in mind there are still a lot of Ukranians who would rather be part of the USSR still. You also suggest asking people whether they'd rather live in the US or Russia, well, which people exactly? If we're talking about large amounts of the population of the middle east and many in Asia or South America then I think they'd in fact tell you they'd rather live in Russia.

You have to realise that just because as an American citizen you're sat happy that your government isn't necessarily playing nicely with everyone else, isn't less corrupt than anyone else and so on. Similarly you have to realise that just because you don't like the Russian, the Iranian or the Chinese ways many of the people living there do. More importantly, what you probably don't realise is that had you been brought up under these regimes there'd be a good chance you'd be defending them as strongly right now as you're defending the US' ways.

Re:None of the above

[MightyYar]

My point isn't that the US is "better" than anyone. My point is that free speech here is freer than almost anywhere else in the world. It is in my interest that the internet remain as free as possible. We invented it, it is our gift to the world, and our baby - it is therefore our prerogative under what rules it should operate under. What bargaining position would China or Russia possible have in this? That they want control? Sorry, but I want some reasonable assurance that the internet will remain free before I'm willing to give control to countries that demonstrably do not share that opinion.

Frankly, the internet would do just fine if all of the nasty regimes of the world left and created their own and left us democracies on our own. I can't tell you the last time I did anything more than download a driver from anything but an American, European, Japanese, Indian, or maybe Australian web site.

Re:None of the above

[shentino]

I was speaking about the world in general.

And also, the patriots who broke us away from briton ages ago.

I appreciate the candid moderation, but perhaps a quick check on context.

Re:None of the above

[MightyYar]

I'm not sure where I took a wrong turn, but I must have lost you... sorry.

I happen to feel that violence and disruption can be necessary when fundamental rights are violated - though the use of violence should be the last resort, if only because you have to actually win for it to be effective.

For instance, in the 60s, the enduring images that really brought about civil rights for blacks were the peaceful protests brought down violently. Peaceful, non-violent protesters being cut down by fire hoses and men in riot gear is a powerful image. But the whole thing is undone by a few pricks with bricks. Then the police have their justification and nothing changes.

The founding fathers went for the violent route, which has been pretty good for us all. Of course, they had to overthrow the government for that to work... not a reasonable goal for the RNC protesters. Maybe some of them are deluded enough to think that the rest of the country would join in. Or maybe those people just don't really think much at all.

Re:None of the above

[MikeBabcock]

So prisons the US runs in foreign countries don't count as American secret prisons? Just making sure I understand your point ;-)

In case you missed it, its a not-so-well kept secret that the American government via the CIA uses foreign countries' facilities to imprison those it doesn't wish to have held under American rules.

Look up Extreme Rendition sometime.

Re:None of the above

[MightyYar]

No, I know about extreme rendition. Frankly, I don't see how this has anything to do with protests at the RNC, or free speech in general. I think people realize that the CIA has to play dirty, which is why we limit them to overseas work.

If it came to light that the CIA was using such tactics simply to suppress what would normally pass as free speech, then you'd be on to something.

Who to control...

[TheSpoom]

Verisign

Pros:

• Quite a bit of money, stability likely wouldn't be a problem

Cons:

• Puts a private company in control of a very, very important part of the internet
• Has previously fucked with DNS, would likely do so again if considered a wise business decision

US Government

Pros:

• Wouldn't dare let it go down since business in their country is very dependent upon it
• Puts elected officials in charge of a very important part of the internet

Cons:

• Nationalizes an important part of an international network
• Puts elected officials in charge of a very important part of the internet

ICANN

Pros:

• Has been doing this a long time
• Is a non-profit company so isn't driven by the same business needs as, say, Verisign

Cons:

• Still somewhat national

I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

Re:Who to control...

[Idiomatick]

With those 3 options ICANN it should be but wouldnt the UN or something international make sense? I'm sure the UN can find a few guys that understand DNS well. Really all you have to do 99% of the time is not fuck anything up so my pet cat could do it until something needs changing a year or w/e down the road.

Re:Who to control...

I'd agree ICANN are the least worst of the three. But I'd sure rather "none of the above", sigh. DNS totally sucks, wish there was a viable alternative (ironically, with 1TB drives now the norm, the original "copy /etc/hosts about" scheme suddenly doesn't look so bad - an /etc/hosts for _the entire IPv4 internet_ would only be a few 10s of GB).

Re:Who to control...

[TheSpoom]

The problem is that that theoretical hosts file is already split among different entities; for example, Verisign controls the .com and .net registries, not ICANN. So, if you wanted to do that, you'd have to convince all of them to give up their control.

Re:Who to control...

[jonwil]

Biggest problem is the high frequency with which DNS can change (especially for individual networks)

Re:Who to control...

[TheSpoom]

Addendum:

UN

Pros:

• As international as it gets
• Ideally not controlled by any individual country

Cons:

• Possibly more bureaucracy than any individual government in existence, would anything ever get done?
• Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

I'd be interested in hearing reasons why people believe this is a good thing as well though.

Re:Who to control...

[houghi]

I think you summed it up pretty good. The thing is that the cons can be any country andf perhaps not just the countries you would think at first.

Re:Who to control...

Yeah, the UN which is totally neutral, incorruptible, and is known to be totally without bias.

Oh WAIT. THAT UN. If the idea was to get things out of the US and its control, the US funds more of the UN activies than any other state (to a huge degree).

The simple fact is, the only reason for someone to want this under the control of the UN is so they can enforce their particular brand of censorship on the whole world. Otherwise, Germany is FREE to establish its own root servers. China is FREE to establish its own root servers. No one is forcing the world to use US operated root servers. But they do so, because it is convenient, cheap, and useful.

Want to guarantee fragmentation of the internet? Give control of all root servers to a organization in which China has significant voice. Oops! They're censored and no longer useful. The rest of the world moves to implement its own servers, JUST LIKE THEY'RE FREE TO DO NOW.

Re:Who to control...

You're going to pick the most corrupt huge organization, that has the least oversight? You're fucking retarded! I don't trust the UN, and ICANN has already demonstrated that they're bought by large corporations. Verisign is evil, that leaves the not as corrupt American government, and hte NTIA appears to do a decent job at what they do.

Re:Who to control...

[houghi]

US Government
Pros:
Puts elected officials in charge of a very important part of the internet

I would put that on the con side. I rather have a person who knows what he is doing in charge and not so much somebody who is popular and knows how to play the electoral game.
Also they are elected by a minority of the users.

Re:Who to control...

[TheSpoom]

I would put that on the con side.

I did, if you noticed. :^P

Re:Who to control...

[Idiomatick]

American government? AKA the place that made the patriot act? I really doubt internationally anyone has faith in the US government. Buuut you are probably just flamebaiting me.

Re:Who to control...

American government? AKA the place that made the patriot act? I really doubt internationally anyone has faith in the US government. Buuut you are probably just flamebaiting me.

Okay, now how about some reality. What has the United States done to or with DNS that you find so objectionable? Besides, I suppose you'd rather have China or Russia run the show, outfits that have a far worse track record on, well, pretty much every relevant score than the U.S. Regardless, your anti-American sentiment is pretty obvious but the truth is, you don't have to like someone to admit they've performed well.

Re:Who to control...

[C10H14N2]

ICANN IS INTERNATIONAL.

Re:Who to control...

[omnipresentbob]

Addendum to the addendum
UN

Cons:

• It's the UN

Re:Who to control...

[Suzuran]

They ALREADY want that, which is why Europe, Russia, and China are all working on GPS replacements.

Re:Who to control...

Cons:
Notoriously as corrupt as the US government.

If you want shiftless layabouts to manage it, ICANN is probably still the best option.

Re:Who to control...

Yeah, we all see how wonderfully that's working out... only 25 years behind!

25 years of free global navigation. You're welcome.

Re:Who to control...

[Matje]

ah yes bob. Thank you for the well laid out argument. And good job mods, for marking it +4 Insightful.

Re:Who to control...

I know, let's give it to Canada!

Re:Who to control...

[TheSpoom]

CAPS LOCK IS CRUISE CONTROL FOR COOL.

(even cruise control [and slashdot filters] you still have to steer)

Re:Who to control...

[mgoren]

Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?

Re:Who to control...

American government? AKA the place that's attempting to secure this in the first place? Yeah, can't trust those guys. Maybe people who complain about the US "controlling the internet" should simply not access US-based sites. Oh wait, that's quite a bit of the internet. Hmm.

Re:Who to control...

[jhol13]

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.

That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.

How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's just say that one would not cost 700 reallybigones :-)

Re:Who to control...

[TheSpoom]

See, I thought about that too, but then I thought... well, that's basically ICANN.

Re:Who to control...

[digitig]

Latest I can find for UN payments is 2005 figures; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.

Re:Who to control...

[TheSpoom]

On behalf of Canada, I accept.

*gives himself a TLD for the hell of it*

Re:Who to control...

[Tanktalus]

When the OP talks about "funding the UN", he's not referring to dues. He's talking about actually paying for the activities of the UN, such as troops on the ground in hotspots, which many other countries are unwilling to do.

Of course, there's still a fuzzy line there - sometimes it can be argued that the US is just using the UN as a cover for their own activities (e.g., trying to get the UN to authorise an invasion of Iraq, then the entire Iraqi war would be considered a UN mandate, and thus count toward "US funding the UN"). Trying to separate this out, though, is a futile effort. No matter what methods you use to try, there will be wide disagreement.

Re:Who to control...

[Tanktalus]

Oh, no you don't. We don't want you blaming us AGAIN if something goes wrong.

Re:Who to control...

[Tanktalus]

How about ISO?

(duck!)

Re:Who to control...

[operagost]

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN.

Yay! Another oil-for-food scandal!

Re:Who to control...

You also need to consider the financial troubles of the US, which are certain to have far-reaching, unforeseeable consequences.

Putting what is essentially control over the Internet into their hands isn't necessarily a smart thing to do.

Re:Who to control...

That was my point - the UN is in no way independent of the US. In terms of its financial contribution and the military clout that said finances fund, the UN run DNS would be just another UN agency for the US to manipulate if necessary.

A UN run root server system offers no real positives, and comes with a crap ton of negatives. If the ICANN run root servers are SO horrible, any country out there is free to RUN ITS OWN.

Re:Who to control...

Both of these are flamebait? When did it become to taboo to have a little patriotism?

Sure, Dubya's an idiot, but these national investments occurred when Americans weren't nearly as hated. Dubya wasn't president at the time, so why not be a little proud of what your tax dollars paid for?

I'm not expecting everybody worldwide to kiss our ass or give us money, but come on, give a little credit where credit is due. Without the bottomless pit of US defense spending, there'd be no GPS nor internet. Period.

Re:Who to control...

[Random+BedHead+Ed]

I know www.thespoom is probably taken, but is ed.thespoom still available?

Re:Who to control...

[jc42]

UN ... # Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

The rest of the Internet would just route around it.

Re:Who to control...

[jhol13]

ICANN is 100% ruled by USA laws and lawyers. In every case ruling who should own "foo.com" it _will_ rule for the USA company. Not good.

Re:Who to control...

[MikeBabcock]

We already have .CA and its fairly well-managed too. We don't have all those strange domain hijackings and hijinx going on here because of how the registration system is managed.

Re:Who to control...

[cpghost]

Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

Which could happen all too fast and is really evil! Russia having a grudge with Georgia? Out goes the .ge ccTLD. The US having an issue with Iran? Out goes the .ir ccTLD. The Arab bloc having a problem with Israel? Out goes the .il ccTLD. And the list goes on and on and on... Good bye single root model and welcome multiple (disagreeing) roots?

Re:Who to control...

> Possibly more bureaucracy than any individual government in existence, would anything ever get done?

That sounds like a "pro" to me.

FWIW, I think that the ITU (which would be the obvious UN body to deal with this) is the least bad solution.

Having the root zone controlled by the US or an entity subject to US national laws (i.e. Verisign, or ICANN as it stands) is a non-starter. Either it needs to be the ITU, or ICANN needs to get status as an intergovernmental organisation (which probably means relocating to Geneva or The Hague).

Ultimately, it isn't as critical as a lot of people make out. The USG unilaterally hijacking the .iq domain is one thing, but if it tried to do likewise to a developed nation, ICANN/Verisign would quickly find that they were running an "alternate" root, with the rest of the world on the "real" one. Needless to say, the large multinationals which own the USG aren't going to be very happy about having to grab (or even fight for) their domains all over again in the new DNS.

Re:Who to control...

[TheSpoom]

Yeah.

Having control of the root zone would let us give ourselves more TLDs.

Basically, think of it as having control of one level up from TLDs, a hidden . at the end of every domain (like slashdot.org. - not the dot at the end).

Re:Who to control...

[TheSpoom]

I was thinking of having i.spoom, for that Asimov feel.

Ah, screw it.

[Rob+T+Firefly]

I vote we just give it to Cowboyneal.

I believe DNSSEC is unnecessory...

[nweaver]

I believe DNSSEC is unnecessary to counter the Kaminski attack.

See draft-weaver-dnsext-comprehensive-resolver-00 for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminski (race-until-win) attacks.

Re:I believe DNSSEC is unnecessory...

[spinkham]

I have not fully digested your draft, but I believe you are right. There are many proposed solutions that shore up DNS somewhat, as long as our random number generators are strong. That has traditionally proved difficult, and the random number generators have been the primary attack point time and time again. I also think that creating the solution by only looking at recent DNS attacks is short sighted. DNS has the possibility of becoming so much more then it currently is, if we can trust it.

We have leverage to push for a secure system now. After this crisis is adverted, we will have to live with whatever we create for a LONG time. I for one vote fixing it in the strongest way available. Why not push for the one that gives a true, auditable PKI that can be used to secure the worlds most distributed database?

The potential for a secure DNS goes way beyond just name lookups, it can enable stronger trust in SSH, opportunistic IPSEC, strong email encryption and spam fighting technologies, and many more things that have yet to be created.

If it's "almost secure" against "most threats" we don't get the benefits of a comprehensive PKI.

DNSSEC is a pain in the butt, I realize that. It also has the potential to revolutionize how we use and secure the Internet. For me that trade-off is worth it.

Re:I believe DNSSEC is unnecessory...

[nweaver]

Unfortunatly, I disagree. The problem is DNSSEC is about securing DNS from in-path (MitM) adversaries. But in almost all cases, a DNS MitM can also be a MitM on the application.

If the application resists a MitM, it never trusted DNS anyway.

If the application doesn't resist a MitM, that the DNS resists a MitM is irrelevant.

Thus the net marginal increase in system security that DNSSEC offers is suprisingly low in my opinion, and our objective should be securing out-of-path resolvers against all adversaries SHORT of a man-in-the-middle.

Re:I believe DNSSEC is unnecessory...

[spinkham]

I believe you missed what I said, or at least what I intended to say.

DNSSEC enables using DNS as the method of protection from MITM for other applications.

With DNSSEC you can distribute your SSH fingerprint in a signed DNS record. That would enable your application (SSH) to have a secure connection that can even withstand a MITM attack as long as you can verify the DNS signing keys, irregardless of whether or not you've ever connected to that server before.

The same sort of system can be used for email signing keys, IPSEC keys or anything else you want to distribute in an authenticated fashion.

I agree that DNSSEC to enable secure DNS alone is overkill. If we were only fixing what we have, I'd do it your way. What I believe what you are missing is the potential a secure, distributed, scalable database founded on a robust PKI could have on how we interact with each other.

DNSSEC is more then just a way to keep people from redirecting you from www.google.com to evilsite.com, it's a technology that can be used to enable authentication and trust on an Internet wide scale. It is a game changer, and gives us something we never have had before.

I agree that your plan would mostly shore up DNS, but we would miss the opportunity we have to create something so much larger then simply the internet phone book. DNSSEC has the potential to bring sweeping change to our industry, and much greater security to all of our lives.

Re:I believe DNSSEC is unnecessory...

[nweaver]

Then all DNSSEC is is Yet Another CA Infrastructure.

And if you want an integrity-assured object store, why use DNSSEC? INstead, build an alternate application protocol that doesn't have silly record limits and the like in it.

Re:I believe DNSSEC is unnecessory...

[spinkham]

HTTP sucks too, but we use it because we all use it. Whatever we want to build gets a http implementation simply because everyone else uses it and understands it, and interoperability is king. In fact, a web service like http/SSL implementation is the only other real contender for a large scale PKI that has a snowball's chance in hell of being adopted. If DNSSEC fizzles out, I'll try that way.

DNSSEC is the best shot we have at world scale PKI because it's an incremental add-on to something we already have, and solves a real problem that exists in DNS at the same time. It is the most robust way to shore up DNS for the long term against all non-DOS attacks. (DNSSEC makes DOS easier, and fails horribly on that count. Elliptic Curve Crypto will help somewhat by shrinking key size vs RSA based keys)

Yes, it will be "just another CA infrastructure", but is the one shot we have in the near future at getting such a thing deployed globally.

Yes, DNS is not the ideal CA infrastructure, but it's the best one that has a chance at life. We want to secure DNS, and on the side we get global PKI almost for free. We're not going to get this kind of chance again for a long time.

I'd vote ICANN

[K3ba]

But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatories name. They will get comments then regardless of who they choose ;)

Re:I'd vote ICANN

[afidel]

How about the operators of each Root server signs their own copy of the root? That way if one entity implements policies that you don't agree with you simply remove them from your hints file. There's a reason there's multiple root servers and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.

Re:I'd vote ICANN

[DavidTC]

I don't understand why we just don't have each country sign each TLD, or whatever.

Frankly, no one's going to be checking that the .com key is signed by the . key. They'll have the .com key cached, check the signature on each .com DNS looked up, and only worry about the . key if the .com key changes.

Granted, I'm not entirely certain how DNSSEC is supposed to work in the first place.

Re:Hmm... MS-B-DNS

[aproposofwhat]

Or there could be the Apple version - "BrokebackDNS" :P

4th option

[SkunkPussy]

Verisign is absolutely unsuitable.
ICANN is not a neutral body.
US government is not suitable.

who should it be?

Re:4th option

[PinkyDead]

Hong Kong Phooey?

Cant Do it.

[140Mandak262Jamuna]

Wall street has already sold 22 trillion dollars worth of Root Zone Default Swaps. If Govt took control of the root zone file without buying those toxic assets the whole solar system will collapse into a black hole. We need to urgently pass legislation to tax US Tax payers to the extent of 22 trillion dollars and find a young private sector vice president and appoint him to manage the distribution of the goodies without any possible legislative, judicial or administrative review or oversight.

Re:Cant Do it.

[DavidTC]

I wonder if we could sell the DNS root zone to the Chinese to cover our bills until next month.

It doesn't have to be just one player

[jonaskoelker]

How about using a threshold signing scheme?

Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.

It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.

Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].

But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.

Re:It doesn't have to be just one player

[I'm+not+really+here]

The problem with this statement "I don't think any one of them should be in exclusive control" is that this network was initially created for the sole purpose of protecting the swift transfer of data should a nuclear attack hit the US of A. It's gotten beyond that in a major way, but it started in the US, so I can understand why the US would want the keys.

Though at this point, I don't think any solution that gives any one person the literal key to the internet is a good one, so, on that point, I agree - find a way to split it up so that no one entity has it, and it requires cooperation to change it. How would this impact simple host creation and DNS transfers though?

Note: Though I'm tech savvy, it is not as an expert in the area of DNS.

Re:It doesn't have to be just one player

[wiz_80]

The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?

This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).

I think ICANN is still the least bad choice. Somebody has to be the ultimate arbiter, and at least ICANN's fights so far have been confined to ICANN. It has not become a bargaining chip in bigger fights, which would be almost guaranteed with organizations such as the UN.

Re:It doesn't have to be just one player

[TheSpoom]

In reality, it wouldn't affect too much of the normal use of the internet. Basically, whoever has control of this has control of creation and modification of top-level domains, like .com, .net, and .org, to a certain degree, in that they could enable or disable them, but not modify them directly (unless they disabled them and created their own modified version).

In theory, they could bring down the internet with such access though, so it is something worth serious consideration.

Re:It doesn't have to be just one player

[jonaskoelker]

How would this impact simple host creation and DNS transfers though?

If the root is handled well, not at all. All that happens at the root zone is the creation and deletion of TLDs. Anything sub-TLD is handled by the entity(ies) responsible for their respective TLDs (such as Verisign, DK-Hostmaster or what have you).

If Verisign is the steward of both the root (in whole or in part) and the .com zone, they may be able to play tricks on us, but I'm not sure what those tricks are. Also, bear in mind that what we're (most likely) talking about isn't that you won't get a name, it's just that you'd get a name that does the same as names do today, no more no less.

Re:It doesn't have to be just one player

[jonaskoelker]

General Multiparty Computation protocols can be secured against strictly less than one third of the players being corrupted; corrupted here means that it deviates from the protocol, for instance by telling its secret to some other player because it in practice is under the control of the other player.

The simple version of how to handle it is that whenever someone deviates from the protocol, the honest parties reassemble the secret key and compute a new secret sharing; that is, everyone gets a fresh chunk of private key.

It should not be difficult to combine chunks into the secret key, and then reshare it with a new sharing structure; that is, when $NEMESIS takes over $LACKEYS, you don't give chunks to the lackeys, and can still require a the same fraction of the remaining fewer players to agree in order to sign.

But there is a political game to be played as well; what happens when everybody consolidates into Oceania vs. Eurasia and so forth. I'm not a political major, so I don't have any recommendations I can back up with anything but what every lay person knows.

That being said, distribute power as much as possible. When ever a player drops from the game, have the remaining players appoint a temporary replacement. If you need to invest ultimate authority in a single entity, invest as little as possible, and try to restrict its authority to matters of procedure rather than dealing with the subject matter. That still lets the ultimate authority nominate (and then who cares about what the voters choose), but it's a problem that has 192 different ongoing solutions; I'm an optimist, so I'll arbitrarily say that the risk of this going to pot is slim.

Re:Hmm... MS-B-DNS

Ha ha. I get it. Macs are gay. Ha ha.

Switzerland!

http://en.wikipedia.org/wiki/Switzerland

But surely

[Richy_T]

this isn't like the web where it helps (but is still far from ideal) to have a few central authorities who sign certificates for many entities? This sounds like it would be more of a central thing. Why not just self-sign and publish the key fingerprints in papers, journals and whatever?

ANYONE BUT THE GOVERNMENT

[wudukes]

God they are so inept and currupt What about ICANN?

Service your implementation

[SleptThroughClass]

"This is in service of implementing DNSSEC"

I in service to knowing what you say.

Give the keys to Jon Postel

[davidwr]

I can't think of anyone more qualified.

Yes, I know he's dead, but I still can't think of anyone more qualified.

Re:Give the keys to Jon Postel

[Tacvek]

Holding the root zone key is by definition part of the function of the IANA (one of Jon Postel's many jobs back in the day.) The IANA is the organization that manages the root zone. It has always been that way.

Since ICANN (or rather one internal division of ICANN) is currently the IANA, they would control the keys.

If a new IANA is appointed (and approved by the Internet Architeture board (who must approve any IANA appointment, since the maintains the registry of Names and Numbers assigned in the RFCs on behalf of the IETF)), this new IANA would be in charge of the Root Zone, and therefore be in charge of Root Keys.

Jon Postel would probably want it this way, although not knowing the guy personally, I can't be sure of that.

Lame choice is no choice

[Daimanta]

"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

ICANN: Organisation situated in the US, can be heavily influenced and controlled the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US government
NTIA: US government

CHOOSE: US, US, or US

American election time!

Verisign?

[neowolf]

I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

It doesn't HAVE to be one signature

[elfguy]

DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.

Re:It doesn't HAVE to be one signature

[mrsbrisby]

It has to be one signature, however, for a practical reason: The top level domain zones change every hour. You're not going to get a dozen organizations to sign off on each of those changes every hour, in any practical or meaningful way.

Re:It doesn't HAVE to be one signature

[Nigel+Stepp]

I follow you if we are talking about the top level domains, but this is for the root zone (i.e. "."), which I don't think has this problem. The root zone servers are controlled by different entities around the world anyway.

I assume Verisign will control the key for .com, and so on.

Re:It doesn't HAVE to be one signature

[Intron]

The dumbest statement in the article is: "The only known complete fix is DNSSEC".

There is still the tradeoff between signed DNS information and who you trust to do the signing. I agree that they can get the root servers signed ok - its a small list and doesn't often change. What happens when they get to the millions of second level domains? Do they really think they can guarantee authentic signed DNS records for every .com domain out there? Good luck with that. They are going to have automated systems to update the information and somebody is going to figure out how to get in and modify records, most likely an inside job at the registrars.

GPS?

Lets hide the key somewhere and let the geocachers find it. First one to find it wins

Terrorism

[SmarkWoW]

Not that I blindly trust the US government but certain issues need to be taken into account if we're prepared to fully trust a private company to do this...

Terrorism seems to have become a big thing in the US. How do companies like ICANN and VeriSign propose to protect such a crucial part of the internet from a potential attack? Consider both a physical and virtual attack.

Re:Terrorism

[cpghost]

How do companies like ICANN and VeriSign propose to protect such a crucial part of the internet from a potential attack? Consider both a physical and virtual attack.

Oh please, all this terrorism scare is getting old. Virtually, the root servers have been already subjected to a lot of quite heavy DDoS attacks, and they managed quite well, thanks to the Unicast infrastructure, and sufficient allocation of server resources. Physically, the root servers are just as secure as other important servers, namely in regular data centers around the world. What could some terrorists do here? Blow-up one data center? So what? Big deal: DNS will still work flawlessly because of redundancy.

Remember, the whole Internet infrastructure was designed in such a way that it would route around wholly nuked areas and still continue to function. If even nuclear powers can't wholly dismantle the Internet through the use of brute force, a little bunch of petty terrorists would not make a small dent into the global infrastructure (and not into the DNS infrastructure either), as it currently stands. That's the beauty of the Internet as a network designed with military resilience from the beginning.

Oooh, I know

[RalphSleigh]

Give it to the EU, then just hope you never need anything changed.

It's only the DNS root, nothing critical to the internet working like IP address allocation or proper routing.

You, sir, are evil and twisted.

[Crazy+Taco]

Countries like the USA, you mean? Seriously, did you ever try to protest at an RNC, for instance? I did, and I can tell you that it sure makes you wonder exactly which nation you're in, anyway.

Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.

In the pre-RNC raid by the Ramsey County Sherriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did it keeping the carnage from getting worse.

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Re:You, sir, are evil and twisted.

[cptgrudge]

As another citizen of Minnesota, the parent speaks the truth. I'm all for free speech, but what these "protesters" were doing was attempting to disrupt the political process and infringing on OTHERS' right to free speech.

Re:You, sir, are evil and twisted.

[Sancho]

So arrest those people. Don't arrest the ones who are peacefully protesting.

Re:You, sir, are evil and twisted.

[boast]

"Your kind have no place in a free and peaceful democracy. " where is this, exactly?

Re:You, sir, are evil and twisted.

[raddan]

People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Not moderating myself here, because I feel that something needs to be said about this. How does this shit get modded Informative? The world is a complicated place, you know. It is entirely possible that both violent protesters and overzealous police exist. Both you and the OP make vast oversimplifications.

Are you not aware that protest is a protected form of speech that is essential to democracy?

Mods: shame on you.

Re:You, sir, are evil and twisted.

[MasterOfMagic]

Imagine a world where rioters and peaceful protesters are separate. Nobody is denying that there were rioters at the RNC. Rioters should be arrested. However, peaceful protesters were caught in the crossfire and arrested. If you think that these people should be exiled because they disagree with you, then you are no true American.

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers...And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Heil Crazy Taco and his ability to judge who is a true American and who is not.

Re:You, sir, are evil and twisted.

[riceboy50]

you are running around lose

Nooooo! Finally a time when the often misused loose would have been the correct usage. How could you break my heart by using the wrong word here?

Re:You, sir, are evil and twisted.

You're exactly right. People who organize protests need to be infiltrated, intimidated, and beat down. We don't need dissent here, it's not American. A small anarchist group that slashes tires and breaks windows SHOULD give cops the excuse to charge unrelated people with terrorism.

I, too, believe 7-8 years in prison is an acceptable punishment for breaking windows.

You motherfucking fascist. I'll bet you bitch and moan when China does the same thing, yet support it here.

For any reader's information: The "buckets of urine" is a LIE. The molotov cocktails? True; there was that nutcase. Nail bombs? Nope. "Gasoline tanks and other explosives"? I'm sure they found a gas can in a house somewhere. Otherwise, bullshit. "all variety other ordnance"? Yes; they found some slingshots.

So, to sum it up: out of +13000 peaceful protesters, 200 anarchists planning to blockade traffic by slashing tires (and stupidly breaking shop windows) and one nut who thought it was a good idea to bring Molotovs to the party == they were all anarchists and "deserve no quarter". Apparently, the cops should beat and intimidate them all for questioning anything, even those who did nothing wrong.

You'd be better off in Pakistan. Except you're probably a fundamentalist CHRISTIAN authoritarian, not a fundamentalist MUSLIM authoritarian. All things considered, although y'all would like to kill one another, the two groups have much more in common than not.

One more thing: If you think a few dumbasses should tar everyone around them with the same brush, YOU are not a "true American" even though you like to claim it.

Use your brain, moran.

Re:You, sir, are evil and twisted.

Yes; they found some slingshots.

 

The evidence also included some rocks.

Re:You, sir, are evil and twisted.

[FireStormZ]

I third this (Eagan) and I completely avoided St. Paul when they started throwing crap onto buses and cars from overpasses. My Cousin went in on the last day and peacefully protested there was no trouble for people who were organized in peaceful exercise of their first amendment rights, it was the morons attacking cops and delegates that got arrested.

Re:You, sir, are evil and twisted.

[FireStormZ]

For the most part that's what happened, there were about 700 arrest do you really think there were only 700 protesters? there were thousands upon thousands of protesters (probably upwards of 10K).

Several people were arrested for an 'illegal march' meaning they were blocking traffic because they decided to march in a place for which no permit was issued and they would not disburse.

Re:You, sir, are evil and twisted.

http://blogs.citypages.com/gop/2008/09/rnc_riot_trip_r.ph
I do not have an account, but while you are not giving any sources, all I found when searching for riots are pictures of people sitting aggressively...

Re:You, sir, are evil and twisted.

You were modded informative? Your post is just hateful garbage

You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate

Three things. The right to free speech is not given by anyone - it is an inalienable right. If you're "giving" him the right to free speech, why are you then trying to abridge it? It's not just a figure of speech where you try to correct his view of what happend during the RNC:

And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Another question I have is why exactly you are demonizing the above poster - you have absolutely no evidence that the poster had anything to do with the riots. Are you trying to insinuate that everyone who protested at the RNC or defends protesters is "evil and immensely twisted"? I certainly didn't read the gp say he was for violence.

From the NY Post

10,000 antiwar protesters rallied outside the Republican National Convention yesterday - with calls for peace shattered by violence from a small group of anarchists.

Police said Tuesday they arrested 286 people during Monday's event. Most of the estimated 10,000 people in the march were peaceful, but small groups that police said numbered about 200 broke windows, slashed tires and harassed delegates.

So, even if we're generous with the figures, 1000 people(10%) actually inflicted damage, you want to actually punish 9000 (90%) people in retaliation. Just wow.

Re:You, sir, are evil and twisted.

[MikeBabcock]

So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you [...]

I believe that's exactly his point. The USA is supposed to stand for the freedoms of all people, no matter how you feel about them.

Standing all high and mighty and believing that you somehow have more of a right to your opinion and behaviour than they do, and more importantly, dividing people into "people like me" and "people like you" is bigotry and shouldn't be tolerated any more than feces throwing -- but I'll grant you the right to have your opinion, if you grant me the same.

Of course, what do I know, I'm from that big ice sheet to the north.

Re:You, sir, are evil and twisted.

[Crazy+Taco]

The world is a complicated place, you know. It is entirely possible that both violent protesters and overzealous police exist. Both you and the OP make vast oversimplifications. Are you not aware that protest is a protected form of speech that is essential to democracy?

And are you not aware that only peaceful protest is a constitutional right essential to democracy? Allow me to quote the first amendment (emphasis mine).

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

I was very clear in my post that I was talking about violent rioters, not saying people shouldn't be allowed to assemble peacefully. Only peaceful protest is essential to democracy, and in fact, it can even be extended to say that only peaceful protest is compatible with democracy. Violent protest (like what this was in Minneapolis) is clearly anti-democratic, because it is all about suppressing the democratic rights of others.

We could actually make a game out of this. I can spot several different things in the constitution the violent rioters were trampling on. How many more can others add? So far my list includes at least two from the first amendment they supposedly support: the right to peacefully assemble and the right to free speech, because they attacked other protesters they didn't agree with, as well as delegates who were peacefully assembling with views different than theirs. Clearly, while peaceful protests benefit democracy and add to our rights, violent "protests" take away everyone's rights.

Mods: shame on you.

Shame on you for not grasping the difference between a peaceful protest and an anarchic riot, and somehow equating the two.

Re:You, sir, are evil and twisted.

the only thing that makes me wonder what country I'm in

I say we ship over 150,000 Iraqis to the USA and give them access to the sorts of equipment the US Army has been using in their country... you'd soon stop whimpering about a couple of hundred wannabe anarchists.

Re:You, sir, are evil and twisted.

[raddan]

And which part of the AC's post condones violent protest?

DNSSEC versus DNSCURVE

[mrsbrisby]

DNSSEC is a protocol similar to, but not compatible with DNS. It is difficult to deploy and requires much more powerful hardware than current DNS servers otherwise require. DNSSEC offers no security guarantee unless DNS is completely replaced with DNSSEC.

dnscurve, on the other hand, is fully backwards compatible with DNS, would be dead-simple to deploy, requires a fraction of the computing power than DNSSEC requires, and it can be deployed incrementally.

Re:DNSSEC versus DNSCURVE

[Todd+Knarr]

Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back to the root be intact and valid. So, if I have silverglass.org signed, the com and root domains also needs to use DNSSEC and sign their records before the DNSSEC records on silverglass.org can be verified.

Note that the signature chain's the critical part. The first question that needs answered, before you can validate any response, is "What's the correct, valid key I should verify this domain's records with?". Fail to solve the problem of answering that question securely, and the system's not secure regardless of anything else it may try to do.

Re:DNSSEC versus DNSCURVE

[klapaucjusz]

dnscurve

Note that DNSCurve and DNSSEC solve different problems. DNSCurve secures that communication channel, where DNSSEC secures the actual data.

I'm definitely no security specialist, but I would reckon that securing the data is more useful, while securing the channel is easier, and hence has a greater chance of actually being deployed.

Compare this to the e-mail situation. PGP secures the actual mail message, while SMTP over SSL secures the communication channel. SMTP over SSL is widely deployed, while PGP is unknown outside of some geek circles.

Re:DNSSEC versus DNSCURVE

[mrsbrisby]

It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server.

Wrong. It adds some records that are garbled by firewalls and truncated by small links. It pretty much guarantees a TCP-switch-up requirement, and is incompatible with existing forwarding caches and clients.

If my laptop supports DNSSEC, and your server supports DNSSEC, then my ISP's cache has to support DNSSEC, as well as the cache on my router.

With DNSCURVE, existing DNS infrastructure- including it's bugs- can carry the relevant information because it's encoded into specially coded NS records.

You think that because the single most popular name server codebase includes DNSSEC then most of the devices that utilize DNS somehow support it. You are completely and totally wrong about this, and you, nor Paul, will ever convince everyone to replace every piece of hardware and software on the Internet.

It's 2008 and there are still sites without MX records, and firewalls that still muck up ECN traffic. There's no way you can completely replace one protocol with another, and DNSSEC is, for the purposes of firewalls and dns caches, a completely different protocol.

if I have silverglass.org signed, the com and root domains also needs to use DNSSEC and sign their records before the DNSSEC records on silverglass.org can be verified.

No. Silverglass.org might be possible to verify. A filtering dns proxy could remove all identity information; should clients refuse to visit silverglass.org because no DNSSEC information is available? No filtering proxy would be possible in the DNSCURVE case.

What's difficult is the process of generating the signature chains,

That's what Paul has said for over a decade and DNSSEC isn't here yet. DNSSEC is brought on by the same mismanaged planning that is fucking up IPV6. Making it more complicated for existing (possibly broken; possibly forgotten) devices doesn't make it easier.

Re:DNSSEC versus DNSCURVE

[mrsbrisby]

Note that DNSCurve and DNSSEC solve different problems. DNSCurve secures that communication channel, where DNSSEC secures the actual data.

Look at this comparison. DNSSEC doesn't provide any confidentiality, but DNSCurve and DNSSEC both (theoretically) provide data integrity- the securing of the data- it's just that DNSCurve does it better.

DNSSEC has one benefit (in my mind), and that's that DNSSEC turns a MITM-attack vector into a "mere" denial-of-service attack (see Integrity despite corruption of one's own computers). This seems contrived to me, being as how sites big enough to be interesting targets for this kind of attack, could detect the failure trivially.

ICANN should...

The US goverment would use it to limit and controll the root name servers, and Verisign would just keep putting the price up year on year.

ICANN might not be too independent from the US, but they are at least slightly independant.

Verisign = US Government

[k1e0x]

Verisign preforms intercepts for the NSA. (how exactly they do with with pub/private key is unknown to me.. perhaps they have a copy of the private key).

http://wikileaks.org/wiki/Cox_Communications_Interception_Request_Worksheet_2008

I think it is absolutely a danger to freedom on the internet to have any Government in control of DNS.

Not US, UN !

[wimg]

Give it to the UN, not just 1 country.

Regardless who once invested the money to build Arpanet, the Internet is no longer owned by a single country.

Using the argument 'the US built it'... well, that means Americans shouldn't own the right to use the train, make a phone call, use a petrol engine, etc...

The only right solution is to give international control to all internationally used technologies.

Re:Not US, UN !

[cpghost]

Give it to the UN, not just 1 country.

You mean to an international body like the ISO? You could as well give it to Microsoft then...

Remember the faith of UN (ISO-) sponsored standards like the ISO-OSI standards w.r.t. the more ad-hoc IP protocol (I'm meaning the communications protocol which really existed a few decades ago as was sparsely deployed in some government networks, not the 7-layer OSI model)? Give something like an important piece of infrastructure to a multinational government body is the surest way to kill it outright. The Internet grew without (too much) bureaucracy, please keep it that way.

Invest in America...

[SteveFoerster]

...buy a Congressman.

A "comment period"?

[ErkDemon]

'.

(This was meant to be a cool two-character posting, but SlashDot wouldn't allow it. Grrr.)

Re:A "comment period"?

[Tacvek]

Your comment character is a single quote? The only language that I am aware of off the top of my head that uses a single quote as a comment character is Visual Basic and derivatives (VB.net, etc)

You've got to be kidding

Hahahahahahah! Verisign! Hahahahahahahah!

Oh wait, I thought you said Verizon.

Everyone Hold The Keys?

[hdon]

Is it possible to consider a scheme where multiple cryptographic authorities must cooperate instead of one?

Have multiple signatures! It doesn't change often.

[dwheeler]

I strongly believe that the DNS root needs to be signed by lots of organizations. Different countries don't fully trust each other, but by having multiple signatures, the problem disappears (a country only needs to sign if it believes in what it's signing).

The root (".") doesn't change every hour. It only stores information on how to _GET_ to .com, .us, and so on. Adding/removing those is relatively rare.

EVERYBODY sign it!

[dwheeler]

There is no single organization that everyone, worldwide, trusts. That's just the way it is.

So, let every country (or group of countries) sign it, and then let people decide which signature they'll accept. If you think there are a few non-national organizations that would make sense to sign, have them sign it too. Then the user can decide which signature they'll accept.. and the countries can decide which changes they'll sign.

Problem solved.

Re:Have multiple signatures! It doesn't change oft

[mrsbrisby]

Zone signing has to be done periodically. Will you require all of the parties sign? Some of them? Will you let the internet be taken hostage by a mere majority?

Right now, we have to trust the administrators of the root zones. Adding more people that we have to trust doesn't add security, it takes it away.