Interesting People mailing list archives
more on ** Are "Split Roots" the Future of the Internet?
From: David Farber <dave () farber net>
Date: Sun, 13 Nov 2005 09:28:12 -0500
Begin forwarded message:
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: November 12, 2005 9:54:32 PM EST
To: dave () farber net
Cc: karl () cavebear com
Subject: Re: [IP] more on ** Are "Split Roots" the Future of the Internet?
In message <533273B4-557F-4916-8DB1-CB09788F1DEC () farber net>, David Farber writes:
Karl Auerbach asks this question:
I'd also add that I personally have not analyzed the impact of DNSSEC on this and think it would be useful if a DNSSEC expert were to weigh in on the question of how multiple, but otherwise identical, systems of roots would fare in a world in which DNSSEC is used.
I believe it could work, though I'm not 100% certain. In a simplistic approach, each DNSSEC-aware resolver would know the public key used to sign its root zone. The resource records for another root zone would not be signed by the proper key, and things would fail. However, DNSSEC was designed to permit multiple keys to exist at the same time. That's a necessity if you want to support key change, which of course you do. If clients were designed to support multiple root zone keys -- and they probably would be -- a client could easily configure the keys for any root zones it wished. Any root records for which the client did not have a key would be rejected. See below for some other implications.
The question that I perceive is the real question is whether those different systems of roots can vary from one another in this way: Each system of roots would (presumably) carry the same core set of top level domains (probably the NTIA/ICANN/Verisign set of about 250 TLDs that most folks are using today). However, some of these roots may carry boutique top level domains - perhaps like my .ewe - that are aspiring to gain enough buy-in/market-share to be accepted into the TLD inventory of enough of the root systems that they become, in effect, members of the core suite of TLDs. In other words - selection of TLDs by the normal mechanisms that determine which products succeed in a competitive marketplace and which do not. I believe that this kind of core-set of TLDs on all root systems and a variable suite of boutique TLDs is a safe and workable mechanism. Other people hold a contrary point of view.
There are several problems with this scheme; most are outlined in RFC 2826. (Karl and I have a long-standing disagreement over this, of course.) The biggest problem, though, is that addresses then become relative to some root server. Karl might tell me about his www.ewe; really, though, what he means is "www.ewe in the tree described by lear.cavebear.com", that being one of his name servers. That name server, in turn, would really be "lear.cavebear.com in the tree described by ICANN", as well (I assume) as other names in his own namespace. The point, of course, is that we've moved the root up a level. Rather than it being known as ".", it would be the collection of namespaces. Mathematically, that's a tree, too. There are only two real differences: whether or not it has a syntactic representation in domain name syntax (joe () example com%icann, anyone?), and who controls the set of possible names. ICANN uses process and money; this would be a more anarchic scheme. There may or may not be agreement on the contents of .com (personally, I doubt it, given the controversies over the UDRP and other trademark-related issues); there would certainly be conflict over things like .sex and .xxx. I'd rather open up the ICANN process; to the surprise of some (including me), the National Academies report concluded that there was no technical reason not to do so.

Note how the multiple root zone issue plays with DNSSEC. You'd have to provide a key for each of these metaroots. Given the way DNSSEC works, you wouldn't have to name the zones, but the keys would have to exist.

A more fundamental reason is that there is not true competition. Virtually all consumers use whatever DNS server their ISP has selected -- and as has been widely discussed in this forum, there is little, if any, competition among ISPs. At best, there's a duopoly if you want broadband. (WiMax may or may not change that some day, though I'm skeptical; if and when it does, we can revisit this point. For today, I have a choice of cable or DSL from my phone company, since I assume that the competitive DSL providers are going to go away under the new FCC rules. We should also bear in mind the anti-competitive attitudes of some ISPs, again as discussed here.)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
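The trust-anchor behaviour Bellovin describes (a resolver that holds one or more root keys, rejects root records signed by a key it does not hold, and tolerates several keys at once for key change) can be modelled in a few lines. The following Python is an added illustration for this archive page, not code from Bellovin, Auerbach or any real resolver. Its assumptions: the signature primitive is textbook RSA over small Mersenne primes, an insecure stand-in for DNSSEC's real algorithms (hence DNSKEY algorithm number 253, PRIVATEDNS, as a placeholder); the key tag is computed with the RFC 4034 Appendix B algorithm over that toy key; the root labels, the "ewe." delegation to lear.cavebear.com and the "com." name server ns.example.net are constructed sample data.

```python
"""Toy model of DNSSEC trust anchors versus multiple root zones.
Constructed example; the signature scheme is a stand-in, not DNSSEC's."""
import hashlib
from dataclasses import dataclass, field

# -- Toy signature primitive (NOT secure, NOT a real DNSSEC algorithm) --------
# Textbook RSA with moduli built from small Mersenne primes, so that signing
# genuinely needs the private key while verifying needs only the public key.
E = 65537

def toy_keypair(k1, k2):
    """Key pair from the Mersenne primes 2**k1-1 and 2**k2-1 (both prime)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# -- DNSKEY RDATA and key tag (RFC 4034 Appendix B) over the toy key ----------
def dnskey_rdata(pub):
    n, e = pub
    # flags 257 = zone key + SEP; protocol 3; algorithm 253 = PRIVATEDNS,
    # used only because the toy cipher is not a registered algorithm.
    return ((257).to_bytes(2, "big") + bytes([3, 253]) + e.to_bytes(3, "big")
            + n.to_bytes((n.bit_length() + 7) // 8, "big"))

def key_tag(rdata):
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

SECURE = "SECURE"
NO_ANCHOR = "BOGUS (no trust anchor for this key tag)"
BAD_SIG = "BOGUS (signature does not verify)"

def _wire(owner, rdata):
    return f"{owner} IN NS {rdata}".encode()     # what the RRSIG covers here

@dataclass
class RootZone:
    """One system of roots. On the wire every root is named '.', so a
    resolver can only tell them apart by the keys that sign them."""
    label: str
    keys: dict = field(default_factory=dict)     # key tag -> (public, private)

    def add_key(self, k1, k2):
        pub, priv = toy_keypair(k1, k2)
        tag = key_tag(dnskey_rdata(pub))
        self.keys[tag] = (pub, priv)
        return tag

    def signed_delegation(self, owner, nsname, tag):
        pub, priv = self.keys[tag]
        sig = toy_sign(priv, _wire(owner, nsname))
        return {"owner": owner, "rdata": nsname,
                "rrsig": {"signer": ".", "key_tag": tag, "sig": sig}}

class Resolver:
    def __init__(self):
        self.anchors = []          # configured root public keys, all for "."

    def add_trust_anchor(self, pub):
        self.anchors.append(pub)

    def validate(self, rr):
        sig = rr["rrsig"]
        # Distinct keys may share a tag, so try every anchor with that tag.
        cands = [k for k in self.anchors
                 if key_tag(dnskey_rdata(k)) == sig["key_tag"]]
        if not cands:
            return NO_ANCHOR
        wire = _wire(rr["owner"], rr["rdata"])
        return SECURE if any(toy_verify(k, wire, sig["sig"]) for k in cands) else BAD_SIG

def demo():
    icann = RootZone("ICANN root")               # constructed labels
    alt = RootZone("alternate root")             # the one carrying .ewe
    k_icann, k_alt = icann.add_key(61, 89), alt.add_key(107, 127)
    r = Resolver()
    r.add_trust_anchor(icann.keys[k_icann][0])   # client knows one root key
    com = icann.signed_delegation("com.", "ns.example.net.", k_icann)
    ewe = alt.signed_delegation("ewe.", "lear.cavebear.com.", k_alt)
    out = {"com, one anchor": r.validate(com), "ewe, one anchor": r.validate(ewe)}
    r.add_trust_anchor(alt.keys[k_alt][0])       # client opts in to the second root
    out["ewe, both anchors"] = r.validate(ewe)
    k_new = icann.add_key(31, 19)                # key change: old and new coexist
    com2 = icann.signed_delegation("com.", "ns.example.net.", k_new)
    out["com, new key not yet configured"] = r.validate(com2)
    r.add_trust_anchor(icann.keys[k_new][0])
    out["com, new key configured"] = r.validate(com2)
    forged = {**com, "rdata": "ns.attacker.example."}   # data changed, signature kept
    out["com, tampered"] = r.validate(forged)
    return out

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:36} {status}")
```

The model shows the three outcomes the reply relies on: a root record whose RRSIG names a key tag the resolver has no anchor for is rejected outright, adding the other root's public key is all it takes to accept that root's records, and a key change is just a second anchor for the same owner ".", with no need to name the zones differently.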
Current thread:
- more on ** Are "Split Roots" the Future of the Internet? David Farber (Nov 13)