Our 9 September blog post on DNSSEC has generated significant attention. It is gratifying to see DNS experts like Patrik Faltstrom respond. Not so gratifying is that Patrik's response reveals that even technical experts in DNS can fail to understand the governance implications of the technologies they work with daily. This has been a longstanding problem in the Internet technical community.
Patrik thinks that we have simply misunderstood DNSSEC. He writes: “Milton mixes up a number of things, and do ignore completely the downside of the proposal he makes.” In fact, it is not I, Milton Mueller, who wrote that blog post about DNSSEC. It was Phillip Hallam-Baker of VeriSign, an acknowledged technical expert in the field. And no “proposal” was made in the blog post, merely a quotation of Hallam-Baker's comment on the IETF list. So let's set the record straight.
What is Patrik Faltstrom saying? In a nutshell, his argument is that DNS is “strictly hierarchical” and what matters for policy purposes is who controls the content of the root zone file. DNSSEC, he claims, is simply a process for digitally signing the root zone file once you have it, and thus adds no political implications outside of who determines the content.
This response is disappointing, because it shows that Patrik has completely missed the point of Hallam-Baker's argument. He simply didn't get it.
I am sure that Hallam-Baker understands that the content of the root zone is the most politically important and sensitive matter, as does everyone at IGP. But Hallam-Baker pointed out that if there are political disagreements over what goes into the root zone, then the presence of DNSSEC makes a big difference. In an unsigned DNS, there is no technical compatibility issue binding anyone to any given supplier of the root zone file. If you don't like the ICANN root, you can fairly easily move to another one. Just redirect your nameservers. If everyone else, or at least a critical mass of the world's ISPs and nameservers, move to the same, coordinated root at about the same time, you lose nothing. As Hallam-Baker put it, the current root has “authority but no power.”
That all changes with DNSSEC. Once the root is signed, the root will be defined by the knowledge of the private key corresponding to the widely distributed embedded public key. Any attempt to move raises much higher coordination hurdles. As -HallamBaker put it, “If the root is signed by a unitary entity, that entity has absolute power. A defection cannot be countered by a fracture of the root.”
That is the point, my friend Patrik. Your responses have not taken Hallam-Baker's argument into consideration at all, and thus are irrelevant. We would welcome your comments about that issue. And please keep in mind that your argument is not with me, it is with Phillip Hallam-Baker.