Government Begins Securing Root Zone File

Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.

None of the above

[jeffasselin]

Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?

Re:None of the above

Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.

Re:None of the above

[MightyYar]

The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

Re:None of the above

[Kamokazi]

Hell, I'd trust the greedy bastards at Verisign way before the UN.

But yeah, all those options kinda suck. ICANN is the lesser of the evils tough by a wide margin.

Re:None of the above

[FireStormZ]

And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

Re:None of the above

[Jesus_666]

The question is who to give it to. The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check. And I'm not in favor of giving a nation control over an international resource simply because it was deployed there first. That'd be like ultimately deferring to France in all aviation matters because of the Montgolfier brothers.

Really, who should get the root zone file? Nobody is eligible so we either give it to nobody or adjust our standards so someine is. The question is, do we accept a multinational body where any attempt at tampering might get vetoed by other members or do we accept a single nation where that isn't the case?

The UN seem like the safer choice because of more oversight. (Also, let's not forget that any bloc that feels left out can simply start their own root server network or switch over to one already running, thus it's not a wise idea to bind the one most of us currently use too much to a single nation.)

Re:None of the above

[operagost]

Maybe you shouldn't betray your political leanings by singling out the RNC. There are "free speech zones" at the DNC too. It seems to be more dependent on the attitude of the hosting city. At least we don't imprison grandmothers and sentence them to hard labor just for asking to protest.

Re:None of the above

[MightyYar]

While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.

Re:None of the above

[MightyYar]

The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

The UN seem like the safer choice because of more oversight.

Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the majority. Second, the UN has no actual power to do anything outside of the security council. These committees and such all simply advise the security counsel. If someone were to get out of line, you'd need the security council to actually take action. With Russia and China as veto-wielding members, no action would ever come on issues of free speech.

But mostly, you are dead-on about it not being all that critical. DNS is mirrored all over the place, and if the US ever went bat-shit nuts the rest of the world could just run their own mirrors.

Re:None of the above

[Sancho]

Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.

The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.

Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees, speakers, and mass media covering the event to be protested. This means that the protest is effectively pointless. Maybe you get a feeling that you're doing something by protesting, but by forcing you to protest where no one can see you, you're certainly not getting your message across.

So it's great and all that I can say pretty much whatever I want in the US. Seriously. I think it's awesome. But what I don't think is awesome is that political speech is effectively censored--that's the kind of speech which is linked to dissent, and which authoritarians want to quash.

[1] The government "allowing" you to exercise your rights should be a giant-old red flag.

Re:None of the above

"The impotency of UN (as you call it) in Rwanda was mainly due to inaction from western powers."

Im not a big fan of the 'west guilt' thing especially when you leave out some big facts

Others who did nothing in the UN (China and Russia), also Kofi Annan was the head of UN Peacekeeping operations when the commander of UN forces in Rwanda warned that the Kigali government was planning to slaughter Tutsis. Annan's office ordered Gen'l. Romeo Dallaire of Canada not to protect the informant or to confiscate arms stockpiles. Annan later claimed that he lacked the military might and political backing to stop the slaughter of more than 500,000 people.

Annan let it snowball! And the main guilt and shame shoud lie with those who hacked to death a half million people...

Re:None of the above

I'd have to say yes. This is the principle behind secret voting, for example - if everyone's choice of vote were made public, people might be coerced (by the government, a private entity, criminals, etc) to make a choice other than the one they truly want.

Re:None of the above

[MightyYar]

Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.

No, it isn't. Their message is fringe and not even close to being popular. They are ignored, and so make noise. The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.

Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.

That's just absurd. Violent protests have no place in a civil society. That is the whole point of free speech and the justice system. You can say anything you want without tearing shit up.

Do you really think "the right to free speech" should include location? Like, in the middle of a highway? Fuck everyone - just shut down afternoon traffic because you have something to say?

Re:None of the above

[Jesus_666]

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

Yes, some of the UN member states are't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things like the DHS, Gitmo, unwarranted searches, free speech zones etc. aren't exactly painting the USA as the paragon of freedom of expression -- or even freedom at all. I get to choose between a committe of nations, some of which don't value human rights as highly as they should, or a single nation that doesn't value human rights as highly as it should.

If the USA want to be able to claim moral high ground on human rights issues again they're going to have to behave extremely well for at least a decade. Currently their credibility is severely damaged.


By the way, with "they don't care about separating government and big business" I didn't mean that the government imposes on business but the other way around. I meant plain old corruption (or extortion in some cases). The increasing eccentricity of American tech and IP laws really makes it look like you guys have the best politicians money can buy.

I dont hate the USA or anything (was there twice; nice people, quaint architecture), but currently they're like a drunk guy with a broken bottle you encounter while bar-hopping: Much better armed than you are, mostly unpredictable and unlikely to be nice. In short, they're scary.

Second, the UN has no actual power to do anything outside of the security council. These committees and such all simply advise the security counsel. If someone were to get out of line, you'd need the security council to actually take action. With Russia and China as veto-wielding members, no action would ever come on issues of free speech.

Do you really think the US government gives a shit about free speech elsewhere? Assume they're at pseudo-war* with another country. A logical thing to do would be to shut off that country's ccTLD, causing economical damage and hindering civilian information flow. What happens if someone complains? Will the US say "Oh sorry, we didn't think France would get angry!" or would they say "Our root zone, our rules."?

But mostly, you are dead-on about it not being all that critical. DNS is mirrored all over the place, and if the US ever went bat-shit nuts the rest of the world could just run their own mirrors.

Actually, a fragmented root would have the potential to cause some havoc. If Europe gets pissed off at the States enough to switch over to independent-mode ORSN wholesale people will have to make sure their stuff is in two DNS networks instead of just one. Asia might follow suit and suddenly we have three. If those roots diverge we end up with a mess of colliding or incompatible TLDs or even identical domains that resolve differently based on region.

It's not OMG! The End Of The Internet!, but we should avoid it nonetheless.


* The weird kind of war-without-a-declaration-only-it-isn't-really-war we saw in the last couple years.

Who to control...

[TheSpoom]

Verisign

Pros:

• Quite a bit of money, stability likely wouldn't be a problem

Cons:

• Puts a private company in control of a very, very important part of the internet
• Has previously fucked with DNS, would likely do so again if considered a wise business decision

US Government

Pros:

• Wouldn't dare let it go down since business in their country is very dependent upon it
• Puts elected officials in charge of a very important part of the internet

Cons:

• Nationalizes an important part of an international network
• Puts elected officials in charge of a very important part of the internet

ICANN

Pros:

• Has been doing this a long time
• Is a non-profit company so isn't driven by the same business needs as, say, Verisign

Cons:

• Still somewhat national

I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

Re:Who to control...

[mgoren]

Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?

Re:Who to control...

[jhol13]

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.

That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.

How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's just say that one would not cost 700 reallybigones :-)

Re:Who to control...

[digitig]

Latest I can find for UN payments is 2005 figures; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.

I'd vote ICANN

[K3ba]

But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatories name. They will get comments then regardless of who they choose ;)

Re:I'd vote ICANN

[afidel]

How about the operators of each Root server signs their own copy of the root? That way if one entity implements policies that you don't agree with you simply remove them from your hints file. There's a reason there's multiple root servers and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.

Give the keys to Jon Postel

[davidwr]

I can't think of anyone more qualified.

Yes, I know he's dead, but I still can't think of anyone more qualified.

Lame choice is no choice

[Daimanta]

"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

ICANN: Organisation situated in the US, can be heavily influenced and controlled the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US government
NTIA: US government

CHOOSE: US, US, or US

American election time!

Verisign?

[neowolf]

I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

Re:It doesn't have to be just one player

[wiz_80]

The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?

This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).

I think ICANN is still the least bad choice. Somebody has to be the ultimate arbiter, and at least ICANN's fights so far have been confined to ICANN. It has not become a bargaining chip in bigger fights, which would be almost guaranteed with organizations such as the UN.

Re:DNSSEC versus DNSCURVE

[Todd+Knarr]

Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back to the root be intact and valid. So, if I have silverglass.org signed, the com and root domains also needs to use DNSSEC and sign their records before the DNSSEC records on silverglass.org can be verified.

Note that the signature chain's the critical part. The first question that needs answered, before you can validate any response, is "What's the correct, valid key I should verify this domain's records with?". Fail to solve the problem of answering that question securely, and the system's not secure regardless of anything else it may try to do.

Re:You, sir, are evil and twisted.

[raddan]

And which part of the AC's post condones violent protest?