Former Principal Scientist at VeriSign blasts US control of DNSSEC root signing

Phillip Hallam-Baker, an Internet security pioneer and most recently Principal Scientist at VeriSign, has criticized the current DNSSEC root signing arrangements, in his comments to the Department of Commerce, as a “profoundly destabilizing technology” for the Internet.

Recognizing that “ICANN represents the only viable mechanism for coordination and control of the Internet” and identifying the political tensions that could emerge surrounding USG oversight of the DNS root, Hallam-Baker explains how the current ability to, if necessary, reroute root servers to a different DNS provides an “opportunity of exit” for other governments. He argues this possibility is a “safety valve that keeps ICANN and US control of ICANN in check.”

According to Hallam-Baker, the technical measures to prevent malicious redirection of the DNS root described in the current iteration of DNSSEC would “foreclose this possibility of exit” and “tilt the balance of technical control even further in the direction of ICANN and US administration. This is clear cause of concern for French, Russian, Chinese, Egyptian, and Brazilian participants in ICANN and almost certainly explains at least part of the resistance to DNSSEC deployment.”

Just last week the NTIA announced it had reached “agreement” with ICANN and VeriSign to sign the root by the end of 2009. Details are still emerging, but according to ICANN, “VeriSign will have operational responsibility for the zone signing key and ICANN will manage the key signing process.” Questions also remain about the NTIA-negotiated solution being “opt-in” for ccTLD operators and root server operators.

In addition to recommending re-specifying ICANN's objectives, developing technical infrastructure to enable competition within the .com zone, and restructuring the conflicted ISOC management of the .org, Hallam-Baker recommends that NTIA “require that ICANN propose a technical solution for signing the DNS root zone that is endorsed by a clear majority of the national stakeholders.”


5 comments

  1. Anonymous

    One of the shocking trends for .COM owners is that people attending the ICANN meetings have LESS and LESS clue. Even the growing ICANN Staff has LESS clue.
    Someone recently held a private meeting in Washington, D.C. and ICANN sent 3 Staffers. NONE of the people had more than 12 months' experience at ICANN. NONE of the people knew anything about the history of ICANN and the major issues.
    If Verisign is going to survive a .COM re-bid and continue to attempt to retain the loyalty of .COM owners, they better consider hosting some .COM meetings. Experts from Verisign and the .COM community could then work out better ways to provide more security and stability of the .COM zone.
    ICANN can then go off and trot around the world putting on .DOG and .PONY shows for ccTLDs.
    That will continue to give ICANN that international flavor of the International Olympic Committee. When those ICANN limos roll into the next venue with all those ccTLD flags flying from the fenders, the masses will stand in awe.
    Back at the ranch, Verisign can stick to business and keep the .COM platform running and improving.
    There are many changes coming and only the .COM community will be able to understand them and pay for them. Not even the wealthy .ORG society will be able to participate. Clue is required.

  2. Anonymous

    All ccTLDs are Not Countries – Unless LA is Now a Country
    The ICANN Double Standard in Full Glory
    http://blog.icann.org/2009/06/growing-pains-and-the-gandi-survey/#comment-17790
    “Provided below are examples of churches, schools, businesses, a club, and even a university that have embraced the concept of a DOT-City TLD via the DOT-LA. The DOT-LA domain space is a ccTLD that is currently being marketed under a long-term lease as a DOT-City TLD to the residents and businesses of the Los Angeles Metropolitan Area.”