i'm going to bend my own policy a bit and reply to a role account:

info@xxxxxxxx (jfcm) writes:

> ... The interest is not sites nor network protection layers, but nations
> protection from what happens on or with the networks. This is in line
> with the White House document http://whitehouse.gov/pcipb with the
> addition of the risks created by the US (and every other national) cyber
> security effort, and from not mastering the root. In most of the cases
> the identified risks come from a centralized [root] which has to be made
> distributed.

this statement is akin to many others made in ignorance of what dns is. you are treating it as a mapping service. perhaps you have been successful at treating dns as a mapping service in some local context, and this may have led you to the impossible conclusion that dns itself is a mapping service. dns is a coherent, distributed, autonomous, reliable database. "distributing the root" as you claim to believe is necessary would create multiple domain name systems, not *a* domain name system with a distributed root.

there is no way to have *a* domain name system with a distributed root unless we (ietf or other similar agencies) first defined what that meant. when you're ready to commission a multiyear study which would yield documents of the same size and scope as rfcs 1033+1034+1035+2181, then you'll have demonstrated that you have some understanding of what you're asking for here. and note that you would then have to "sell" the resulting system to the internet populace which includes end users, domain holders, registrars, registries, ISPs, and as you point out, nations. lots of luck, but "that ship already sailed."

in no particular order, i'll address a couple of your other comments.

> 5. the possibility of a redundant DNS system. Today the Internet has two
> root files (the same file but presented on two main systems - DNS and FTP).
> If one is hacked there is no reference. A redundant system would consist
> in two or more root masters referring to different sets of TLD name
> servers (all of them carrying the same files, but possibly of different
> origins for security reasons).

there is a reference. several references, actually. there is no possibility of a "hack" going undetected or uncorrected. but more important, if you had several "root files" which indicated different servers for some TLDs, you would have (by definition) several domain name systems, not a domain name system with high redundancy. until you demonstrate some understanding of that fundamental and definitional aspect of dns, you won't be taken seriously among the community who does understand those things.

> Thank you for your comments.
> jfc

please learn the basics before you come in here and start making proposals.

-- 
Paul Vixie
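An added illustration of the distinction drawn above (my own toy model, not part of the message or of any real resolver): two servers carrying the same root file are redundancy within one namespace, while a second root file that delegates a TLD elsewhere is a second namespace. All server names and addresses are constructed sample data.

```python
# Toy model of DNS delegation. Each "server" holds a tiny zone: a map from a
# zone cut (name suffix) to either a referral ("delegate", next_server) or
# authoritative data ("answer", address). Constructed sample data throughout.
SERVERS = {
    # two hosts serving byte-identical copies of one root file: redundancy
    "root-1":      {"com.": ("delegate", "tld-com")},
    "root-2":      {"com.": ("delegate", "tld-com")},
    # a different root file that points .com somewhere else: a second namespace
    "root-alt":    {"com.": ("delegate", "tld-com-alt")},
    "tld-com":     {"example.com.": ("delegate", "auth-example")},
    "tld-com-alt": {"example.com.": ("delegate", "auth-other")},
    "auth-example": {"www.example.com.": ("answer", "192.0.2.10")},
    "auth-other":   {"www.example.com.": ("answer", "203.0.113.99")},
}


def _in_zone(qname, cut):
    """Label-aware suffix test: 'www.example.com.' is under 'com.' but 'xcom.' is not."""
    return qname == cut or qname.endswith("." + cut)


def resolve(qname, root, servers=SERVERS, max_hops=8):
    """Iteratively follow referrals starting at `root`, like a recursive resolver.
    Returns the address, or None if no server on the path knows the name."""
    server = root
    for _ in range(max_hops):
        zone = servers[server]
        cuts = [c for c in zone if _in_zone(qname, c)]
        if not cuts:
            return None
        kind, target = zone[max(cuts, key=len)]   # closest enclosing zone cut
        if kind == "answer":
            return target
        server = target                            # follow the referral
    raise RuntimeError("referral chain too long")


def same_root_file(a, b, servers=SERVERS):
    """Two root servers are redundant copies only if they publish identical data."""
    return servers[a] == servers[b]


def coherent(qname, roots, servers=SERVERS):
    """True iff every listed root yields the same answer, i.e. one namespace."""
    return len({resolve(qname, r, servers) for r in roots}) == 1


if __name__ == "__main__":
    for r in ("root-1", "root-2", "root-alt"):
        print(r, "->", resolve("www.example.com.", r))
    print("root-1 + root-2 coherent:", coherent("www.example.com.", ["root-1", "root-2"]))
    print("root-1 + root-alt coherent:", coherent("www.example.com.", ["root-1", "root-alt"]))
```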