http://market-ticker.org/akcs-www?post=245342

What could possibly go wrong with setting an example like this?

Cogent Communications will pull the plug on its connectivity to customers in Russia in response to President Putin's invasion of Ukraine. The US-based biz is one of the planet's largest internet backbones – the freeways of the internet – and says it carries roughly a quarter of global 'net traffic.

Modern-day "aggregators", of which Cogent is one, often are the source of address delegations as well. Cogent has confirmed they're canceling IP addresses delegated out; when you are using an aggregator you don't actually "own" any delegations you may have, as for routing purposes the aggregator has the registration on those. For residential users this is not a major issue, but for commercial places where reverse mapping is a factor it can be at least a moderate hassle.

Much more ominous, however, is this:

ICANN on Wednesday rebuffed a request from Mykhailo Fedorov, First Vice Prime Minister of Ukraine, to revoke all Russian web domains, shut down Russian DNS root servers, and invalidate associated TLS/SSL certificates in response to the Russian invasion of Ukraine.

First, ICANN has no ownership of DNS root servers; they're privately owned and operated. What they could do is remove "undesirable ones" from the "hints" file that is publicly distributed. Actually getting ISPs around the globe to change their hint files is quite possibly another matter. Again, this is a distributed data set and what is distributed in terms of the root hints are suggestions, not commands.

Could ICANN revoke the .RU top-level domain? Yes, but doing so risks a schism. Again there is nothing that can be done to enforce upon ISPs (or for that matter anyone willing to run their own local resolver, such as I do here at my home) what top-level domains exist and who is the delegated authority for them.

Back during the "domain war" times when MCSNet was operating we were part of, and participated in, expanding the TLD space when what was to become ICANN refused, claiming "technical impossibility without overload problems." I knew this was bull**** and proved it along with others; the entire debate was in fact political and the so-called "mavens" that were running it and exploiting domain registrations to make an obscene, monopolist profit were claiming technical limitations that did not exist. I and a handful of others set it up, proved it worked and were slowly getting adoption by ISPs around the globe when one of the protagonists took to a bit of cyber hackery. I left the project immediately when I discovered it because not only was that going to doom its acceptance but it was wildly unethical at best and possibly felonious and I wanted nothing to do with any group associated with that.

But eDNS, which is what we called it, studiously avoided, intentionally, any interference with the existing TLDs. That is, we were an extension but never a conflict source for same and I made very clear to all the participants that my engagement, software development and participation was utterly dependent on same -- and if there was any attempt to violate that by any member of the group we would immediately and loudly walk away even though doing so would mean abandoning a very sizeable -- maybe billion dollar or better -- business opportunity.

Non-interference in this process was and is very important for Internet continuity for a whole host of reasons, not the least of which is that TLD delegations, and the sub-delegations within them, are in fact tied to SSL certificates and if you can corrupt one you could also impersonate someone with disastrous results. Today domains can be signed with cryptographic keys (and in fact market-ticker.org is) but that integrity relies on the chase upward to the TLD being single-source.
That is, if I can successfully replace ".org" and its cryptographic zone signature then I can also replace "market-ticker.org" and its cryptographic zone signature with a counterfeit. This then, in turn, means I can replace the certificate with a counterfeit and having done so all the automated checking that is usually done will in fact test as "good"! That would be catastrophic for Internet data and transport security, including every single financial transaction that flows through that TLD, since it would destroy the chain back to the root of trust and by doing so make impersonation very possible.

ICANN wisely told Ukraine to go blow goats, but what also concerns me is that the people in Ukraine who made the request do not understand how this all works because in addition to asking for imposition of a deliberate schism they also asked for all Russian TLS/SSL certificates to be revoked. ICANN does not issue said certificates nor does it control the issuers, directly or indirectly, that people use as the "root of trust" for said certificates. As just one example ICANN has no operational control over Verisign, which is one of the many firms that issues end-entity certificates. If you go to PayPal's web page their certificate is issued by DigiCert and they, and only they, are the ones who validate that indeed they issued it and PayPal owns it.

The various operating system firms distribute a base "trusted root" list and there's a consortium that agrees (most of the time) on what goes in and is removed from there; for example Google (Chrome) and Mozilla (Firefox) both have such a list and are part of the consortium that makes such decisions, as does Microsoft, the various Linux distributions, Apple and FreeBSD.

Attempts to tamper with this for political reasons are extremely unwise because while they may indeed be a "weapon" that can be used to inflict pain on various entities for political purpose, any abuse of this sort risks a schism on the Internet as a whole, and evasion of the sanction, if undertaken (and it will be by the targeted parties), wildly increases the risk of compromise of the entire trust structure on which secure transactions rest. The impact of such an event will not be localized to the sanctioned parties; by definition if you do that the impact is likely to be global.

I don't expect we've heard the last of this, nor do I expect people to tell the truth about what they intend and how "safe" doing it might be either.

And yes, my considered opinion on this is from actual expert experience. Tampering with the roots of trust on the Internet for political reasons, no matter how well-intended you may think it is, risks severely damaging or even destroying the transport security literally everyone relies on in daily life today. Any nation or other entity that tries this should be not only instantly rebuffed but also turned into a permanent economic pariah as their action, no matter the motivation, cannot be kept local to their territory and has a very high probability of wildly screwing everyone.
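
The "single-source" point about signed zones made above, as an added example that is not code from this post: a small model of a validator walking a signed delegation chain from its locally configured trust anchor. Assumptions: Lamport one-time hash signatures stand in for DNSSEC's RSA/ECDSA, the DS digest is simplified rather than wire-format, and all keys are constructed for the demonstration.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a stand-in for DNSSEC's RSA/ECDSA (assumption).
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk: bytes, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[64 * i + 32 * b: 64 * i + 32 * b + 32]
        for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def ds(owner: str, pk: bytes) -> bytes:
    """Simplified DS record: digest binding an owner name to its zone key."""
    return H(owner.encode() + pk)

def build_hierarchy(path):
    """Create a key per zone on `path`; each parent signs its child's DS."""
    keys = [keygen() for _ in path]
    links = []
    for i in range(1, len(path)):
        child_ds = ds(path[i], keys[i][1])
        links.append({"zone": path[i], "dnskey": keys[i][1], "ds": child_ds,
                      "rrsig": sign(keys[i - 1][0], child_ds)})
    return {"root": path[0], "root_key": keys[0][1], "links": links,
            "anchor": ds(path[0], keys[0][1])}

def validate(h, trust_anchor: bytes) -> bool:
    """Walk from the locally configured trust anchor down to the leaf zone."""
    if ds(h["root"], h["root_key"]) != trust_anchor:
        return False
    parent_key = h["root_key"]
    for link in h["links"]:
        if not verify(parent_key, link["ds"], link["rrsig"]):
            return False              # parent never signed this delegation
        if ds(link["zone"], link["dnskey"]) != link["ds"]:
            return False              # served key does not match signed DS
        parent_key = link["dnskey"]
    return True

PATH = [".", "org.", "market-ticker.org."]   # names from the page; keys constructed
real = build_hierarchy(PATH)
alt = build_hierarchy(PATH)                  # a second, independent root
spliced = dict(real, links=real["links"][:1] + alt["links"][1:])
```

Both hierarchies validate against their own anchor and fail against the other's, and a leaf key spliced under the real ".org" fails as well. What a resolver accepts as authentic for a name depends entirely on which root it is anchored to.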