[Dnssec-deployment] dealing with broken TLD name servers
ajs at shinkuro.com
Thu Jul 1 13:23:44 EDT 2010
On Thu, Jul 01, 2010 at 12:37:25PM -0400, Eric Brunner-Williams wrote:
> Is the value proposition of making a proof assertion about the existence
> or correctness of any entry in the .bank zone _indistinguishable_ from
> that of the .nai zone?
Ok, that's a fair (and clear) question.
There are two ways to think about this issue, I think.
One is that we especially want DNSSEC to be deployed where we really
want assurances because of possible high-value connections on the
Internet. Under this analysis, it is surely defensible to argue that
the .bank zone needs to be signed and validatable more than (say)
Another, however, is that we want to encourage the deployment of
DNSSEC everywhere on the grounds that this kind of assurance makes the
global DNS itself stronger, increases confidence in the global
Internet, and so on. If one subscribes to this view, then the
trade-off cannot be made only zone by zone: there is some additional
value that inheres just in having wider deployment. This is
particularly true if we want to encourage a global default of "always
validate and mistrust things that don't provide positive validation",
because for that to be a sensible strategy, one needs zone signing to
be almost ubiquitous. If you are someone who wants to be able to
adopt this strategy (because, for instance, you're concerned about the
ways in which DNS fails in the absence of the security extensions),
then you have a positive desire that new zones arriving on the
Internet are signed.
The latter approach of course imposes costs on the zone operator that
it would not otherwise have, just as BCP38 imposes costs on the
network operator. This is a standard problem, however, whenever you
want to avoid tragedies of the commons. One way to prevent such
tragedies is to force people who want to use the commons to conform to
certain rules, and face serious consequences if they don't.
Now, whether that ought to be a real goal of ICANN is something
rational people could disagree about. But I want to make the
distinction explicit. (For my own part, I don't know which way I want
to think about this.)
ajs at shinkuro.com
More information about the Dnssec-deployment