Phillip Hallam-Baker, an Internet security pioneer and most recently Principal Scientist at VeriSign, has criticized current DNSSEC root signing arrangements in his comments to the Department of Commerce as a “profoundly destabilizing technology” for the Internet.
Recognizing that “ICANN represents the only viable mechanism for coordination and control of the Internet” and identifying the political tensions that could emerge surrounding USG oversight of the DNS root, Hallam-Baker explains how the current ability to, if necessary, reroute root servers to a different DNS provides an “opportunity of exit” for other governments. He argues this possibility is a “safety valve that keeps ICANN and US control of ICANN in check.”
According to Hallam-Baker, the technical measures to prevent malicious redirection of the DNS root described in the current iteration of DNSSEC would “foreclose this possibility of exit” and “tilt the balance of technical control even further in the direction of ICANN and US administration. This is clear cause of concern for French, Russian, Chinese, Egyptian, and Brazilian participants in ICANN and almost certainly explains at least part of the resistance to DNSSEC deployment.”
Just last week the NTIA announced it had reached “agreement” with ICANN and VeriSign to sign the root by the end of 2009. Details are still emerging, but according to ICANN, “VeriSign will have operational responsibility for the zone signing key and ICANN will manage the key signing process.” Questions also remain about the NTIA-negotiated solution being “opt-in” for ccTLD operators and root server operators.
In addition to recommending re-specifying ICANN's objectives, developing technical infrastructure to enable competition within the .com zone, and restructuring the conflicted ISOC management of the .org, Hallam-Baker recommends that NTIA “require that ICANN propose a technical solution for signing the DNS root zone that is endorsed by a clear majority of the national stakeholders.”