Management of the DNS root zone file is a uniquely global policy problem. For the Internet to connect everyone, the root of the Internet's identifier systems must be coordinated and compatible. But who will control that coordination process? Right now, the U.S. government assumes exclusive responsibility for it. The U.S. refuses to internationalize its oversight, or to delegate it fully to ICANN. Internet users and governments in other countries are uncomfortable with U.S. unilateral control, knowing that the U.S. could, if it wanted, exploit its power over the root for political, military or economic advantage. For that reason, DNS root zone file management has been one of the most controversial issues in Internet governance.
Despite this deadlock, there is hope for change. Management authority over the legacy root zone file may be contentious and divisive, but everyone agrees that the Internet should be made more secure. A newly standardized protocol, DNS Security Extensions (DNSSEC), would make the Internet's infrastructure more secure. In order to implement DNSSEC, the procedures for managing the DNS root must be systematically revised. Therein lies an opportunity. In revising the root zone management procedures, we can develop a new solution to the root zone management problem, a solution that diminishes the impact of the legacy monopoly held by the U.S. government. Over the next month we will describe the outlines of a new system for the management of a DNSSEC-enabled root, one that distributes authority more than the current method while avoiding the risks and pitfalls of an intergovernmental power-sharing scheme.
[Editor's note: The last week has been highly unusual, with a lot of attention on the web being devoted to DNSSEC. First, there was the new IAB chair talking about it, then the Heise story which broke some news that happened at ICANN about the relationship between VeriSign and the USG and the role of the DHS in root signing, then a reality check about DHS intentions by another IAB member at Educated Guesswork, a bunch of sometimes less thought-out responses at /. and other blogs, and some in the security application industry questioning the usefulness of DNSSEC (and strangely expecting IGP to be defending it). Additionally, discussion picked up about technical options for root signing on some of the expert lists.
Overall, more buzz on DNSSEC than I've seen in a long time. However, in some cases, accuracy in describing what DNSSEC actually does and doesn't do, and how it works, has been overshadowed by hype.
This is unfortunate because there is a lot of good material (albeit largely written for a technical audience) out there which details DNSSEC. On the other hand, the hype demonstrates the necessity of getting the policy issues around DNSSEC out in the open. Now, we do not claim authority in technical matters surrounding DNSSEC (look to the IETF working group, among others, for that), but we do claim to know a thing or two about Internet governance, and how Internet technology and politics often intersect. We hope this work (with help from your comments) will shed further light on that.]