[Asrg] Re: [Politech] Congress finally poised to vote on anti -spam bill [sp]

[Hallam-Baker, Phillip]

> Do you have any more details on this for those who don't 
> normally follow DNSSEC?

It is a sad story. Politics and the magic circle. If people are wondering
why the major industry players have abandoned the IETF read on. This is only
one example of the type, other companies have similar issues.


When VeriSign bought Network Solutions one of the main opportunities we saw
was to deploy DNSSEC. There is a limit to what you can achieve in the
context of DNS, anyone can get a domain name without providing
authentication so proving that someone is the legitimate holder of
example.com does not mean you want to give them your credit card number. On
the other hand it would be quite feasible to deploy a class 1 level
assurance system with low cost and ubiquitous coverage.

The problem with the DNSSEC specification is the NXT record that links from
one signed zone to the next. In the original specification you have to
create a link record for every single domain in the zone. This causes the
amount of data in the zone to increase enormously.

This is fine if you have a typical zone with a few hundred or thousand
entries. It is a completely different matter if you are running the dotCOM
zone and you have several Gb of zone data already, a contract that specifies
a very highl level of reliability and a constant series of DDoS and other
attacks going on (about 1000 penetration attempts per day).

There is no way that the people with responsibility for running the dotCOM
zone are going to deploy a system that has such an immediate effect on
operations. The amount of data expands by an order of magnitude.

So we proposed a fix. The original security review was performed by myself
and Warwick Ford. Instead of linking between every record you only link from
one secured zone to the next. This was called 'optin'. This has exactly the
same security as the original proposal but the impact on deployment is much
less. The cost of deployment scales with the number of people using DNSSEC.
The only change in the security is that with OPTIN there is a diferent way
that an attacker can perform an insertion attack, that is causing someone to
believe a zone is registered when it is not. The attack is not very
plausible and at the end of the day the only impact is that we are out the
six bucks for the registration. Anyone can insert domains into dotCOM, just
see a registrar.

The objection to the idea was that this is a VeriSign problem and the WG had
zero responsibility for creating a specification that was deployable by the
operators of large zones which should not exist anyway.

There was also a claim that there was a personality issue, that if
proponents of OPTIN had adopted the correct position as a supplicant that
their petition might have been considered more favorably. The evidence is
against this, every time the go with the flow strategy was attempted the DNS
people would call me up six months later and say 'we have been screwed
again'.

This was understood by virtually everyone in the DNSSEC working group. The
chair disagreed. It was at this point that I discovered that the IETF is not
open and not inclusive. Every time the working group agreed on OPTIN the
specification would be taken on a detour. The first time for consultation in
a closed committee called the DNS Directorate. To cut a long story short the
plan was filibustered for three years and then after finally comming to last
call. After passing last call without objection the chair scheduled two
further last calls before we finally came to a result where a clear majority
of the group were in favor, four fifths were either in favor or willing to
allow it to go forward and two individuals were opposed.

So the chair used his perogative to impose his 'consensus' on the group.

The result is that OPTIN is on the experimental track, not a proposed
standard as the clear consensus of the group was that it should be. This in
turn means that it is far more difficult to persuade ICANN to allow
deployment of the specification with its experimental status.

The IETF was designed the way it is to allow a small clique to hold power
while pretending to be open and inclusive. All that Nomcon gumpf is really
designed to make it impossible for the nominating committee to make more
than a few changes to the IESG each time arround.

The result of this type of behaviour is that the IETF has practically no
influence in the industry. DNSSEC and IPv6 have been 'about to deploy' for
over a decade now. There is still no clue as to how IPSEC works in any
application beyond VPN, which is not what it is designed for. SSL makes a
better remote access VPN protocol than IPSEC, works through NAT boxes
without kludges for a start.

The other industry players have similar stories.


The industry is taking notice of the ideas comming out of this WG. But they
are not very likely to accept a standards process unless it is based on
bi-weekly teleconference calls and all major decisions are subject to vote.