Response to Patrik Faltstrom on DNSSEC implications

Our 9 September blog post on DNSSEC has generated significant attention. It is gratifying to see DNS experts like Patrik Faltstrom respond. Not so gratifying is that Patrik's response reveals that even technical experts in DNS can fail to understand the governance implications of the technologies they work with daily. This has been a longstanding problem in the Internet technical community.

Patrik thinks that we have simply misunderstood DNSSEC. He writes: “Milton mixes up a number of things, and do ignore completely the downside of the proposal he makes.” In fact, it is not I, Milton Mueller, who wrote that blog post about DNSSEC. It was Phillip Hallam-Baker of VeriSign, an acknowledged technical expert in the field. And no “proposal” was made in the blog post, merely a quotation of Hallam-Baker's comment on the IETF list. So let's set the record straight.

What is Patrik Faltstrom saying? In a nutshell, his argument is that DNS is “strictly hierarchical” and what matters for policy purposes is who controls the content of the root zone file. DNSSEC, he claims, is simply a process for digitally signing the root zone file once you have it, and thus adds no political implications outside of who determines the content.

This response is disappointing, because it shows that Patrik has completely missed the point of Hallam-Baker's argument. He simply didn't get it.

I am sure that Hallam-Baker understands that the content of the root zone is the most politically important and sensitive matter, as does everyone at IGP. But Hallam-Baker pointed out that if there are political disagreements over what goes into the root zone, the presence of DNSSEC makes a big difference. In an unsigned DNS, there is no technical compatibility issue binding anyone to any given supplier of the root zone file. If you don't like the ICANN root, you can fairly easily move to another one: just point your resolvers at a different set of root servers. If everyone else, or at least a critical mass of the world's ISPs and resolver operators, moves to the same coordinated root at about the same time, you lose nothing. As Hallam-Baker put it, the current root has “authority but no power.”

That all changes with DNSSEC. Once the root is signed, the root is defined by possession of the private key corresponding to the public key embedded as a trust anchor in validating resolvers worldwide. A root zone signed by any other key fails validation on every one of those resolvers until each of them is reconfigured with a new anchor, so any attempt to move raises much higher coordination hurdles. As Hallam-Baker put it, “If the root is signed by a unitary entity, that entity has absolute power. A defection cannot be countered by a fracture of the root.”
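The following is an added illustration, not code from the original post and not Hallam-Baker's or IGP's; it is a toy model, not a DNSSEC implementation. It uses Ed25519 in place of the DNSKEY/RRSIG machinery, fixed seeds so the run is deterministic, and hypothetical operator labels, RFC 5737 documentation addresses and constructed zone contents. It models a population of validating resolvers shipped with one trust anchor, then shows what happens when they all repoint at an alternate root (the unsigned-DNS move) versus when some of them also replace their trust anchor: only the re-anchored resolvers accept the alternate root, which is the coordination hurdle described above.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Root is a toy stand-in for a signed root zone: the zone contents plus a
// signature made with the private half of the root key. Real DNSSEC signs
// RRsets with RRSIG records under a published DNSKEY; the example keeps only
// the property the argument turns on: the zone is bound to one private key.
type Root struct {
	Operator string   // hypothetical operator label
	Servers  []string // hypothetical root server addresses (RFC 5737 ranges)
	Zone     string   // constructed sample zone contents
	Sig      []byte   // signature over Zone by the operator's private key
}

// Resolver is a validating resolver: it knows where to fetch the root and
// carries one embedded trust anchor (the root public key it shipped with).
type Resolver struct {
	RootServers []string
	TrustAnchor ed25519.PublicKey
}

// keyFromSeed derives a key pair from a fixed label so the example is
// deterministic; a real root key is generated randomly.
func keyFromSeed(label string) ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, label)
	return ed25519.NewKeyFromSeed(seed)
}

// SignRoot publishes a root zone signed under the operator's private key.
func SignRoot(operator string, servers []string, zone string, priv ed25519.PrivateKey) Root {
	return Root{Operator: operator, Servers: servers, Zone: zone, Sig: ed25519.Sign(priv, []byte(zone))}
}

// UsesRoot reports whether the resolver is pointed at this root's servers.
func (r Resolver) UsesRoot(root Root) bool {
	if len(r.RootServers) != len(root.Servers) {
		return false
	}
	for i := range r.RootServers {
		if r.RootServers[i] != root.Servers[i] {
			return false
		}
	}
	return true
}

// Accepts models a validating resolver's decision: the zone must come from the
// configured servers and its signature must verify under the embedded anchor.
// A zone signed by any other key is bogus, whichever servers it came from.
func (r Resolver) Accepts(root Root) bool {
	return r.UsesRoot(root) && ed25519.Verify(r.TrustAnchor, []byte(root.Zone), root.Sig)
}

// Repoint is the unsigned-DNS move: change only the root server addresses.
func (r *Resolver) Repoint(servers []string) { r.RootServers = servers }

// ReAnchor is the extra step DNSSEC demands on every validating resolver.
func (r *Resolver) ReAnchor(anchor ed25519.PublicKey) { r.TrustAnchor = anchor }

// CountAccepting returns how many resolvers in rs accept root.
func CountAccepting(rs []Resolver, root Root) int {
	n := 0
	for _, r := range rs {
		if r.Accepts(root) {
			n++
		}
	}
	return n
}

// Scenario builds two roots signed with different keys and n resolvers
// anchored to the first. It returns how many accept the alternate root after
// all of them repoint, and after `moved` of them also replace their anchor.
func Scenario(n, moved int) (afterRepoint, afterReanchor int) {
	keyA := keyFromSeed("hypothetical-root-A")
	keyB := keyFromSeed("hypothetical-root-B")
	rootA := SignRoot("root-A", []string{"198.51.100.1"}, ". IN NS a.root.example.", keyA)
	rootB := SignRoot("root-B", []string{"203.0.113.1"}, ". IN NS b.root.example.", keyB)

	rs := make([]Resolver, n)
	for i := range rs {
		rs[i] = Resolver{RootServers: rootA.Servers, TrustAnchor: keyA.Public().(ed25519.PublicKey)}
	}
	for i := range rs {
		rs[i].Repoint(rootB.Servers)
	}
	afterRepoint = CountAccepting(rs, rootB)
	for i := 0; i < moved && i < n; i++ {
		rs[i].ReAnchor(keyB.Public().(ed25519.PublicKey))
	}
	afterReanchor = CountAccepting(rs, rootB)
	return afterRepoint, afterReanchor
}

func main() {
	a, b := Scenario(1000, 600)
	fmt.Printf("repoint only: %d/1000 resolvers accept the alternate root\n", a)
	fmt.Printf("repoint + new anchor on 600: %d/1000 accept it\n", b)
}
```

The point the model makes is in Accepts: the zone's own key is never consulted, only the anchor the resolver already holds, so an alternate root cannot bootstrap its own trust by being served from different addresses. In an unsigned DNS the Repoint step alone would have sufficed.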

That is the point, my friend Patrik. Your responses have not taken Hallam-Baker's argument into consideration at all, and thus are irrelevant. We would welcome your comments about that issue. And please keep in mind that your argument is not with me, it is with Phillip Hallam-Baker.

5 comments

  1. Anonymous

    Absolutely nothing stops parties that want to use a different root from doing so. Signed or unsigned. If DNSSEC is added to DNS, then of course the other root will also be signed with DNSSEC. We will still get multiple roots, a split DNS, with the only difference that they both are signed.
    This is because the way DNSSEC is deployed today (and there is no change in sight in the near future), the verification of the signatures is made in the same full-service resolver that is “choosing” what root (zone) to use. This implies that if you want to use a different root today, you change the IP address(es) for the root servers. When using DNSSEC you change the IP address(es) and the public key(s) for this other root.
    So DNSSEC doesn't change this at all.

  2. Anonymous

    But the two roots will not use the same trust anchor. Have you considered the costs and compatibility issues of coordinating the management and rollover of private keys for multiple roots? My guess is you have not.

  3. Anonymous

    My guess is that Patrik is not advocating this.
    My guess is that he is talking about the IGP proposal to have multiple signing authorities for the same root zone. I also guess that you are easily astounded.
    To quote Patrik's blog: “That just does not make any sense what so ever”

  4. Anonymous

    Ah, my little relevance-seeking academic, anyone can put a trust anchor into Microsoft Windows. It’s the same as adding a new SSL certificate. It simply is not that hard. Why not even have a few to guard against innocent mistakes in any one root server constellation? Key rollover isn't the end user's problem either, as it can be automated by whoever you pick as your root servers.
    The inflammatory and misleading arguments you often like to make may help your career but only (further) erode foreign relations by misleading other bureaucrats into thinking there is some control issue here. There isn’t. Give people the truth and let them decide for themselves. You have grad students – go ahead and build your own DNSSEC-signed root and point to it. Works just fine.
    But maybe it is the plan of you and other IGF hangers-on to continue to convince their employers that they are doing something important in an area that has no place for politics. I don’t begrudge anyone trying to hang onto their job, but let's get real here.
    The thing to do here is to put the (real) technical people from all sides in a room to talk about it without “externalities” like govt peer pressure. They WILL arrive at the same conclusion, as the previous writer said: DNSSEC just doesn't make a difference.

  5. Anonymous

    A very good example of the kind of attitude we are dealing with. Let's ignore the nastiness, for now. This anonymous commenter apparently cannot see any difference between a private action (creating “your own DNSSEC signed root” or “adding a new SSL certificate” to your own computer) and a set of decisions and processes that are globally binding and affect millions of autonomous Internet service users and suppliers. If I configure my own DNSSEC-signed root, no one has to use it, and only I and a few of my communication partners are affected. If ICANN and the USG do it, everyone is affected. Under those circumstances, getting people to agree on how it is done and who does it is a political as well as a technical issue. And it is political not because evil academics seeking “relevance” make it so, but because it involves the interests, trust, cooperation and agreement of multiple parties, all of whom have major economic and political stakes in the outcome. If anyone is making this political, it is the US government; if there is “no place for politics” in handling the root zone, why does the USG insist on controlling and “supervising” the process and dictating the technical standards? If it does not involve control, then why can't they open up and let other international participants in? This poster's belief that technical people can just go into a closed room and solve the Internet's problems without any pressure from politics or governments is also rather naive. But, as I said at the opening, this post is an excellent example of what kind of attitudes prevail in certain circles, and therefore we welcome it.