ICANN/DNSO
DNSO Mailling lists archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

Re: [ga] Re: "political advantage"


Rick H Wesson wrote:

> > The obvious question there would be what steps ICANN will take to get
> > secure DNS widely deployed quickly.
> 
> ouch, the IETF has been working hard on this for years, what makes you
> think ICANN can do it.

I don't think ICANN can do this; to a large extent it isn't their problem.

I just think it is worth asking what role, if any, ICANN should play here.
For example, should there be an ICANN key for signing root zones? Should
ICANN contracts require registrars or operators of major zone servers to
take any action on this?

> > One reference site is:
> > http://www.toad.com/dnssec/index.html
> 
> yea, I used to live a few blocks from Jon while he write the BSafe
> implementation for DNSSEC. That information is a bit dated.

Yes, but I didn't know a better site, other than the IETF WG URL which
I also included. Can you suggest one?

> do you know how long it takes to sign the .COM zone? do you know how
> much memory a gtld-server for .com, .net, and .org would have to be?

I haven't a clue, but would welcome pointers to information on this.

If there are serious issues in these areas, methinks that is another
good reason for ICANN to look at policy questions around overuse of
.com, deployment of new TLDs, etc.

> Do you know the security holes that would be created if one pushed
> out DNSSEC for .COM?

No. Would they be even worse for in-addr.arpa? An Internet Draft I'd
like to see implemented relies on that:
http://search.ietf.org/internet-drafts/draft-richardson-ipsec-opportunistic-02.txt
 
> > A closely related, and I think important, question is how the signing
> > of zones will work. Methinks there's a risk Verisign will try to tie
> > the whole thing to their technology, acquire a big new market. This is
> > understandable, but not a good idea.
> 
> yes, we have alot to learn. sounds like we need to hold a workshop about
> DNSSEC at the ICANN meeting.

Fine idea.
 
> > Methinks this raises some policy issues for ICANN.
> 
> umm, I'd suggest the IETF not ICANN.

Mostly, yes.

> Just because security is the catch word of the day doesn't mean we are
> expert enought to make decisions about any of it.

No, but if we're going to make policy, write contracts and provide
'governance' we cannot help making decisions that either have an impact
on security issues or are impacted by them.
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html



<<< Chronological Index >>>    <<< Thread Index >>>