Dave,

While agreeing with Ted's and Joe's comments (and several others), let me try a different take on this. Inline below...

--On Tuesday, January 2, 2018 16:54 -0500 Dave Burstein <daveb@xxxxxxxxxxxx> wrote:

> Ted
>
> I'm a network guy, not a DNS/TCP/etc geek, which is why I reached out.

First of all, note that there are two entirely different scenarios driving these discussions (or, if you prefer, plans or threats).

One is just posturing. If that is the goal, especially if it is combined with a desire to preserve global connectivity and a global name space [1], they can just copy the root zone onto their servers, announce that they are running root servers of their own, hold a parade, and we all move on. Technically and operationally, that approach was easier to get right when the number of entries in the root zone was small and changes were relatively infrequent, but, in part because the DNS was designed so that, if used as intended [2], it is fairly robust about slow updates. If, having established a national, but consistent, copy of the root, one decides to add a few TLDs to one's local copy for national use, perhaps as links to or duplicates of existing zones from deeper in the tree, that is fairly close to harmless in practice as long as those apparent TLDs don't "leak" or conflict with names in other people's root zones. We have worked examples of that behavior and its non-disruptive effects.

At the other extreme, one's intention might be to either isolate oneself or one's country (perhaps along with some friends) or disrupt others. These are, again, different, but let's come back to that.

The second important point is that, while the DNS is important for finding things by name, it has almost nothing to do with Internet connectivity.
If I know, or can figure out a reliable way for you to tell me, your IP address or the address of a server you want me to look at, then, for most purposes and applications, we don't need the DNS, public and single-root or otherwise. A good analogy of a local address book would do as well. For other purposes, I might need to know what you call the host, but that is probably trivial if I can obtain the address. A number of recent decisions and protocol designs have increased our dependence on the DNS for more than name-to-address translation functions, but, if getting away from the public DNS and its root arrangements is really an important goal in which one is willing to invest resources, it appears to me that none of those are insurmountable either.

It is also worth remembering that many people who are using Internet facilities to get information in and out of countries believed to be excessively hostile to the free flow of information are already using mechanisms that are not dependent on the DNS, so it is unlikely that a disruption in DNS service would have any negative effects on them at all.

But there is a more fundamental issue in all of this. If some country decides it wants to withdraw from the DNS, or even disconnect from the Internet, it isn't clear why the rest of the community should do anything, especially from a technical standpoint, other than wish them the best, send them on their way, and go about our business. There might also be good reasons to wish them a speedy revolution, but that is a different matter. Attempts to disrupt anyone else are another matter; DNSSEC is one of our defenses against one family of such attacks.
Finally, having been somewhat involved with the decisions to delegate TLDs to countries whom the US Government viewed as hostile at the time, I think that, in the present climate, any attempt by ICANN to remove TLDs on that basis would fairly rapidly result in ICANN's downfall (I do not believe that anyone in ICANN's leadership is seriously considering such a thing either).

> re: RFC 2826 requirement for a "globally unique public name space," I would think that could have several different technical solutions beyond a single root. The Google & Amazon clouds and worldwide distributed databases show many possibilities, I would think. Two occur to this layman:
>
> Roots that regularly update each other, so that both have the same data. Something similar is in the current replication system and in the Google server system. If that were cut, Russia would have many choices to go on, including buying transit in a neutral country.
>
> Separate roots that maintained logically separated data. For example, .ru, .cn, all TLDs with Chinese, Russian or Portuguese could be in the new system. Queries could automatically go based on TLDs. Cached and duplicate servers could pull from both.
>
> But I could be wrong about this, which is why I'm reaching out before printing anything.

Whether you are wrong or not is almost irrelevant in the light of understanding that all of the alternatives one might hypothesize for the DNS have their own advantages and disadvantages too and, more important, the observation that the DNS is deployed on enough systems that a transition plan to a different model would be hard and, under the most optimistic assumptions, would probably take years.

> The Russian decision came from the State Council with a 6 month deadline. It still could be stopped but I think should be addressed before it creates a crisis.

Crisis for whom?
Russian companies wishing to be reached from outside the country would rapidly register in some generic TLD (and have probably already done so) and start publicizing those addresses unless prevented from doing so, and might suffer a loss of external customers. Russian residents wanting to reach outside Internet sites might be more or less inconvenienced, but see above. Seems to me it would mostly hurt Russians and Russian companies without creating anything resembling a crisis for anyone else.

> ------------------
> The "Nobody who pays any attention to ICANN (inside or out) thinks ICANN should get wound up in politics over who is the Correct Internet People," seems right to me. But we may not have any choice in the matter, according to the lawyers for Facebook and the Internet Society.

IANAL, but I don't believe your analogies hold.

> At the request of the U.S. government, Facebook just canceled the account of Ramzan Kadyrov, ruler of Chechnya, with 4M followers. They claimed it was required by U.S. law. The U.S. gov put him on an enemies list. The guy appears to be a murderous thug who should be in jail, not running a country, but no evidence was presented he did anything wrong on Facebook. You have to protect the free speech of people you despise or it can be lost by everyone.

Sure, but this targets a specific individual, not a country, and has nothing to do with the DNS.

> At the Internet Society, Kathy Brown revoked the travel funds that had been awarded to an Iranian to go to an IGF in Mexico City. It broke the Iranian embargo and ISOC didn't even seek an exemption.

Has nothing to do with the DNS either. If you want to take it up with the ISOC BoT, this is not the right list.

> ICANN probably would have no choice but to obey a court order to shut down connections to Palestine, where a majority supported Hamas, on U.S. terrorist lists. What if the factions we oppose took over Libya, Somalia, or Mali.
But ICANN has absolutely no power, even if it wanted to, to "shut down connections" to Palestine or anywhere else (see above). They could, in principle, remove the "ps." TLD from the root, but I think it would go badly for them (see above), even with an order from a US court, and they would presumably argue that such a court was overreaching its reasonable authority, especially in the absence of evidence that the proposed solution would be effective. Even if ICANN did that, presumably the affected parties in Palestine would reregister somewhere else (most likely in a different ccTLD or in some gTLD not obviously subject to US law). And our colleagues at the ITU would point out that these sorts of situations are high on the list of reasons why they have been suggesting for years that the top level of the DNS needs treaty protection.

> I've said from the beginning I think an ICANN boycott of Russia was unlikely but it's not crazy to fear it. ICANN is a U.S. corporation under U.S. law.
>
> So I believe it's time to think about this.

Good analogies escape me, but it is perhaps not crazy to fear an asteroid collision that would wipe out most of life on earth either. That doesn't imply that spending a lot of time worrying about it, especially without proposals for useful defenses, is a particularly good use of time.

best,
john

[1] Note that there may be important trade or other economic motives for wanting to preserve global connectivity that might complicate more obvious political considerations. For example, a colleague suggested some years ago that we might be nearing the point at which some types of Internet disruptions could be considered non-tariff trade barriers.

[2] "Used as intended" is another matter. See, e.g., https://datatracker.ietf.org/doc/draft-klensin-dns-function-considerations/