Interesting People mailing list archives

more on ** Are "Split Roots" the Future of the Internet?


From: David Farber <dave () farber net>
Date: Sun, 13 Nov 2005 09:28:12 -0500



Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: November 12, 2005 9:54:32 PM EST
To: dave () farber net
Cc: karl () cavebear com
Subject: Re: [IP] more on ** Are "Split Roots" the Future of the Internet?

In message <533273B4-557F-4916-8DB1-CB09788F1DEC () farber net>, David Farber writes:

Karl Auerbach asks this question:

I'd also add that I personally have not analyzed the impact of DNSSEC
on this and think it would be useful if a DNSSEC expert were to
weigh in on the question of how multiple, but otherwise identical,
systems of roots would fare in a world in which DNSSEC is used.

I believe it could work, though I'm not 100% certain.

In a simplistic approach, each DNSSEC-aware resolver would know the
public key used to sign its root zone.  The resource records for
another root zone would not be signed by the proper key, and things
would fail.

However, DNSSEC was designed to permit multiple keys to exist at the
same time.  That's a necessity if you want to support key change, which
of course you do.  If clients were designed to support multiple root
zone keys -- and they probably would be -- a client could easily
configure the keys for any root zones it wished.  Any root records for
which the client did not have a key would be rejected.  See below for
some other implications.

The question that I perceive is the real question is whether those
different systems of roots can vary from one another in this way:
Each system of roots would (presumably) carry the same core set of
top level domains (probably the NTIA/ICANN/Verisign set of about 250
TLDs that most folks are using today).  However, some of these roots
may carry boutique top level domains - perhaps like my .ewe - that
are aspiring to gain enough buy-in/market-share to be accepted into
the TLD inventory of enough of the root systems that they become, in
effect, members of the core suite of TLDs.  In other words -
selection of TLDs by the normal mechanisms that determine which
products succeed in a competitive marketplace and which do not.

I believe that this kind of core-set of TLDs on all root systems and
a variable suite of boutique TLDs is a safe and workable mechanism.
Other people hold a contrary point of view.

There are several problems with this scheme; most are outlined in RFC
2826.  (Karl and I have a long-standing disagreement over this, of
course.)  The biggest problem, though, is that addresses then become
relative to some root server.  Karl might tell me about his www.ewe;
really, though, what he means is "www.ewe in the tree described by
lear.cavebear.com", that being one of his name servers.  That name
server, in turn, would really be "lear.cavebear.com in the tree
described by ICANN", as well (I assume) as other names in his own
namespace.  The point, of course, is that we've moved the root up a
level.  Rather than it being known as ".", it would be the collection
of namespaces.  Mathematically, that's a tree, too.  There are only two
real differences: whether or not it has a syntactic representation in
domain name syntax (joe () example com%icann, anyone?), and who controls
the set of possible names.  ICANN uses process and money; this would be
a more anarchic scheme.  There may or may not be agreement on the
contents of .com (personally, I doubt it, given the controversies over
the UDRP and other trademark-related issues); there would certainly be
conflict over things like .sex and .xxx.  I'd rather open up the ICANN
process; to the surprise of some (including me), the National Academies
report concluded that there was no technical reason not to do so.

Note how the multiple root zone issue plays with DNSSEC.  You'd have to
provide a key for each of these metaroots.  Given the way DNSSEC works,
you wouldn't have to name the zones, but the keys would have to exist.

A more fundamental reason is that there is not true competition.
Virtually all consumers use whatever DNS server their ISP has selected
-- and as has been widely discussed in this forum, there is little, if
any, competition among ISPs.  At best, there's a duopoly if you want
broadband.  (WiMax may or may not change that some day, though I'm
skeptical; if and when it does, we can revisit this point.  For today,
I have a choice of cable or DSL from my phone company, since I assume
that the competitive DSL providers are going to go away under the new
FCC rules.  We should also bear in mind the anti-competitive attitudes
of some ISPs, again as discussed here.)

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
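The validation rule Bellovin sketches (a resolver configured with trust anchors for several root systems accepts a root record only if one of those keys verifies it, and rejects everything else) can be modelled in a few lines. This is an added illustration, not code from the message or from any DNSSEC implementation: it uses Ed25519 as a stand-in for the DNSSEC signing algorithms, a flat owner/data string in place of a real RRset and RRSIG, and constructed root names ("icann", "cavebear") and NS data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RootSystem is one root and the public key a resolver is configured
// with as that root's trust anchor (the names here are constructed).
type RootSystem struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedRecord is a toy stand-in for a root-zone RRset plus its RRSIG.
type SignedRecord struct {
	Owner, Data string
	Sig         []byte
}

// NewRootSystem generates a root signing key: the private half stays
// with the root operator, the public half is handed out as an anchor.
func NewRootSystem(name string) (RootSystem, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return RootSystem{Name: name, Pub: pub}, priv
}

func canonical(r SignedRecord) []byte { return []byte(r.Owner + "\x00" + r.Data) }

// Sign produces a record signed by one root operator's key.
func Sign(priv ed25519.PrivateKey, owner, data string) SignedRecord {
	r := SignedRecord{Owner: owner, Data: data}
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r
}

// Validate returns the name of the configured root system whose key
// verifies the record; "" means no anchor matched and it is rejected.
func Validate(anchors []RootSystem, r SignedRecord) string {
	for _, a := range anchors {
		if ed25519.Verify(a.Pub, canonical(r), r.Sig) {
			return a.Name
		}
	}
	return ""
}

func main() {
	icann, icannKey := NewRootSystem("icann")
	cave, caveKey := NewRootSystem("cavebear")
	com := Sign(icannKey, "com.", "NS ns1.example.") // constructed NS data
	ewe := Sign(caveKey, "ewe.", "NS lear.cavebear.com.")
	fmt.Println(Validate([]RootSystem{icann}, com), Validate([]RootSystem{icann}, ewe))
	fmt.Println(Validate([]RootSystem{icann, cave}, ewe))
}
```

A resolver with only the ICANN anchor accepts "com." and rejects ".ewe"; adding the second anchor makes ".ewe" validate, while any record whose data was altered after signing fails under every anchor.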


