[ga] Re: Security and stability of the DNS (Was: Question about Making Choices
Stephane Bortzmeyer wrote: On Sat, Nov 18, 2006 at 08:59:53PM -0800, So far the net (and ICANN) have been lucky. But do we really want the technical stability of the net to continue to depend on sheer luck? But neither ISC nor Verisign or any other operator of a root-layer server is obligated by anything beyond moral compunction to meet any kind of service standards. Their employees might answer to the company, else be discharged, but that does not mean that the company is a responsible actor or that it's interests and actions are designed for long-term internet stability. Nor does it mean that the company can be held accountable if it acts in a way that does, or is unreasonably likely to, cause internet instability. Indeed, certain operators, particularly those run by the United States military and other arms of the US government are sworn to a purpose that can conflict with what most of us perceive as the stability of the internet. For example, the servers operated by the US military can be (and indeed may already be) used either to gather information about perceived enemies (remember, this is a government that gathers vast information even about its own citizens) or engages in a kind of information warfare, or is prepared to so engage, against perceived enemies. And other root operators, such as Verisign, have financial obligations to their owners. Verisign is not presently prevented from selling preferential resolution services, nor is it prevented from mining the query stream to create a near real-time feed of marketing data about "what's hot and what's not". And ISC may or may not have the assets to recover from a human or natural disaster. I have published on several occasions a set of service-level obligations to which root server operators ought to legally and enforceable commit themselves. (I'll attach the list at the end of this note.) As I have said many times, the current root servers have, so far, done a stellar job. But history has taught us again and again and again that stability requires that we build upon institutions and not upon mortal people. It really matters little if operators form a guild (such as the OARC you mention) - unless there are clear standards of performance and means through which the public can require adherence to those standards. It is this absence of standards of performance coupled with a lack of means to demand and obtain adherence to those standards. For the root servers, these standards would be largely consistent with what they do today - the standards would primarly ensure the status quo. But in all areas of interent governance we tend to refrain from thinking about measurable, objective standards of performance. For example, as (and if) VOIP becomes a telephone replacement to the degree that it becomes a critical infrastructure, we will need to find ways to obligate providers to work together to provide assurances (not gurantees) of end-to-end packet flows that are adequate to sustain a usable VOIP conversation. Here's my list of root server requirements: (from http://www.cavebear.com/cbblog-archives/000192.html - the formatting got a bit mangled during the cut-paste into Thunderbird.) Servers must be operated to ensure high availability of individual servers, of anycast server clusters, and of network access paths. Root zone changes should be propagated reasonably quickly as they become available. User query packets should be answered with dispatch but without prejudice to the operator's ability to protect itself against ill formed queries or queries that are obviously intended to cause harm or overload. User query packets should be answered accurately and without manipulation that interferes with the user's right to enjoy the end-to-end principle and to be free from the undesired introduction of intermediary proxies or man-in-the-middle systems. Operators should coordinate with one another to ensure reasonably consistent responses to queries made to different root servers at approximately the same time. There should be no discrimination either for or against any query source. Queries should be given equal priority no matter what name the query is seeking to resolve. There should be no ancillary data mining (e.g. using the queries to generate marketing data) except for purposes of root service capacity planning and protection. The operator must operate its service to be reasonably robust against threats, both natural and human. The operator must demonstrate at reasonable intervals that it has adequate backup and recovery plans. Part of this demonstration ought to require that the plans have been realistically tested. The operator must demonstrate at reasonable intervals that it has adequate financial reserves and human resources so that should an ill event occur the operator has the capacity (and obligation) to recover. Obligations go two-ways. The oversight body should ensure that there is wide and free dissemination of the root zone file so that people, entities, and local communities can cache the data and, when necessary, create local temporary DNS roots during times of emergency when those local communities are cut-off from the larger part of the internet. --karl--
|