ICANN/DNSO
DNSO Mailling lists archives

[ga]


<<< Chronological Index >>>    <<< Thread Index >>>

[ga] Re: [ecdiscuss] US Cyberspace Security Draft


Phillip and all,

  Excellent and informative response here Phil.  Well done!
I am taking the liberty of also sending this along with my comments
and observations to the DOC/NTIA folks responsible, the DNSO
GA, and the Cyberspace Security Draft folks for their consideration
as well.

======== Some of my response comments follow ======

  Indeed the problem you outline is a real one for .COM and the
implementation of DNSSEC for .COM.  Agreed the DNSEXT
working group of the IETF, of which I am on but not very active
of late, has been taken over as you rightly indicate by those
that are anti-Verisign and have let that fact blind them to the
potential fix for DNSSEC that is very workable.  As such,
and amongst a number of other areas such as IPSEC, it is
no small wonder that the current US Administration headed
up by Richard Clarke wishes or believes in the draft report,
that the IETF lost of is loosing it's way.  This too has IMHO
been very evident in several of the IETF's own general
mailing lists archives by various members participating.

  My concern and fear however in this report draft is that
should the IETF be taken over or replaced as indicated,
than the independence of technical standards will be
damaged, lost forever or politicized to the extent of being
harmful to the future of this medium, the internet...  Like ICANN,
the problem with the IETF is it's current leadership, and it's
club mentality and structure...  Those can be fixed however, but
would require some direct intervention of some sort unfortunately...

Hallam-Baker, Phillip wrote:

> DNSSEC cannot be deployed in .com as presently specified.
>
> The current spec would increase the size of the in memory image
> of the zone file by six to eight times. Since the zone file
> is already 2-3 Gigabytes and the transaction volume is 6 billion
> lookups a day there is simply no way that the original proposal
> (now eight years old) is going to be deployed.
>
> There is a fix for this issue which provides the same degree
> of security. Certain members of the DNSEXT working group have
> been attempting to sabotage the fix for their own petty political
> ends, the argument being that the issue 'only affects one party'.
>
> Members of this faction have in the past stated that 'if .com
> is too big then that is the problem we should fix'.
>
> I assure you I am not making this up.
>
> Consensus was reached in the group to accept the OPTIN fix for
> the deployment. One of the chairs deliberately avoided stating
> that there was consensus by sending the OPTIN draft to the 'DNS
> Directorate' which is a body appointed by him and has not felt
> fit to share any of its discussions with the group.
>
> The faction appear to have the idea that VeriSign is somehow
> bound by its decisions which is why I have been saying, well
> err, no and particularly not if you are going to go about
> making those decisions in that fashion and after you have
> told me that you do not intend to take any notice of my
> requirements.
>
> The strategy, which has been stated in the WG meetings is that
> by preventing VeriSign from deploying DNSSEC the group will
> save the internet from VeriSign.
>
> Meanwhile take a read of Richard Clark's essay at the Whitehouse.
> Recommendations 4-1 through 4-4 essentially propose taking over
> the IETF if it does not do the administrations bidding.
>
> And yes, I know that I am not being all nice and friendly on
> the list. Mark Kosters tried that for six years. The only way
> to deal with this is to point out to the members of that group
> that I am not attending their meetings as a substitute social
> life and I am more than willing to match their tactics.
>
>                 Phill
>
> > -----Original Message-----
> > From: Jeff Williams [mailto:jwkckid1@ix.netcom.com]
> > Sent: Thursday, September 19, 2002 1:22 AM
> > Cc: J-F C. (Jefsey) Morfin; ecdiscuss@ec-pop.org; pbaker@verisign.com
> > Subject: Re: [ecdiscuss] US Cyberspace Security Draft
> >
> >
> > Nikolaj and all,
> >
> >   I frankly am wondering where Phillip got this strange idea?
> > Phillip, perhaps you could elaborate on what or how DNSSEC
> > is broken?
> >
> > Nikolaj Nyholm wrote:
> >
> > > While there have been reports on the recommendations of the
> > use of DNSSEC,
> > > it's somewhat of a paradox that, the chief scientist at
> > Verisign, Phill
> > > Hallam-Baker, recently declared that "DNSSEC in its current
> > form is BROKEN".
> > >
> > >
> > http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01619.html
> > >
> > > Best regards,
> > > Ascio Technologies Inc.
> > >
> > > Nikolaj Nyholm
> > > Vice President & CTO
> > >
> > > Digital identity weblog at
> > > http://weblog.digital-identity.info
> > >
> > > > -----Original Message-----
> > > > From: J-F C. (Jefsey) Morfin [mailto:jefsey@club-internet.fr]
> > > > Sent: 18. september 2002 19:30
> > > > To: ecdiscuss@ec-pop.org
> > > > Subject: [ecdiscuss] US Cyberspace Security Draft
> > > >
> > > >
> > > > an important document to read and probably discuss:
> > > > http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf
> > > > jfc
> > > >
> >
> > Regards,
> > --
> > Jeffrey A. Williams
> > Spokesman for INEGroup - (Over 127k members/stakeholders strong!)
> > CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
> > Information Network Eng. Group. INEG. INC.
> > E-Mail jwkckid1@ix.netcom.com
> > Contact Number: 214-244-4827 or 972-244-3801
> > Address: 5 East Kirkwood Blvd. Grapevine Texas 75208
> >
> >

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 127k members/stakeholders strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number: 214-244-4827 or 972-244-3801
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208


--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html



<<< Chronological Index >>>    <<< Thread Index >>>