Re: Reporter re: Technical solution for robust interconnection if Russia & BRICs set own root?

John,

ICANN will fail if they continue their current approach.

ICANN works as a typical corporation now and is interested in the status quo.

I never expected that ICANN could initiate development which would allow migration to a really distributed system.

It is against their basic interests.

Another point - if we agree that it is a real issue that can affect all of us - we should try to find a design which can satisfy all actors and interested parties to provide a safe and reliable distributed name system.


Dima


On 1/5/18 12:00 AM, John C Klensin wrote:
Dave,

While agreeing with Ted's and Joe's comments (and several
others), let me try a different take on this.  Inline below...

--On Tuesday, January 2, 2018 16:54 -0500 Dave Burstein
<daveb@xxxxxxxxxxxx> wrote:

Ted

I'm a network guy, not a DNS/TCP/etc geek, which is why I
reached out.

First of all, note that there are two entirely different
scenarios driving these discussions (or, if you prefer, plans or
threats).  One is just posturing.  If that is the goal,
especially if it is combined with a desire to preserve global
connectivity and a global name space [1], they can just copy the
root zone onto their services, announce that they are running
root servers of their own, hold a parade, and we all move on.
Technically and operationally, that approach was easier to get
right when the number of entries in the root zone was small and
changes were relatively infrequent, but, in part because the DNS
was designed so that, if used as intended [2], it is fairly
robust about slow updates.

If, having established a national, but consistent, copy of the
root, one decides to add a few TLDs to one's local copy for
national use, perhaps as links to or duplicates of existing
zones from deeper in the tree, that is fairly close to harmless
in practice as long as those apparent TLDs don't "leak" or
conflict with names in other people's root zones.  We have
worked examples of that behavior and its non-disruptive effects.

At the other extreme, one's intention might be to either isolate
oneself or one's country (perhaps along with some friends) or
disrupt others.  These are, again, different, but let's come
back to that.

The second important point is that, while the DNS is important
for finding things by name, it has almost nothing to do with
Internet connectivity.  If I know, or can figure out a reliable
way for you to tell me, your IP address or the address of a
server you want me to look at, then, for most purposes and
applications, we don't need the DNS (public and single-root) or
otherwise.  A good analogy of a local address book would do as
well.  For other purposes, I might need to know what you call
the host, but that is probably trivial if I can obtain the
address.  A number of recent decisions and protocol designs have
increased our dependence on the DNS for more than name to
address translation functions, but, if getting away from the
public DNS and its root arrangements is really an important goal
in which one is willing to invest resources, it appears to me
that none of those are insurmountable either.

It is also worth remembering that many people who are using
Internet facilities to get information in and out of countries
believed to be excessively hostile to the free flow of
information are already using mechanisms that are not dependent
on the DNS, so it is unlikely that a disruption in DNS service
would have any negative effects on them at all.

But there is a more fundamental issue in all of this.  If some
country decides it wants to withdraw from the DNS, or even
disconnect from the Internet, it isn't clear why the rest of the
community should do anything, especially from a technical
standpoint, other than wish them the best, send them on their
way, and go about our business.   There might also be good
reasons to wish them a speedy revolution, but that is a
different matter.  Attempts to disrupt anyone else are another
matter; DNSSEC is one of our defenses against one family of such
attacks.

Finally, having been somewhat involved with the decisions to
delegate TLDs to countries whom the US Government viewed as
hostile at the time, I think that, in the present climate, any
attempt by ICANN to remove TLDs on that basis would fairly
rapidly result in ICANN's downfall (I do not believe that anyone
in ICANN's leadership is seriously considering such a thing
either).

re: RFC 2826 requirement for a "globally unique public name
space," I would think that could have several different
technical solutions beyond a single root. The Google & Amazon
clouds and worldwide distributed databases show many
possibilities, I would think.  Two occur to this layman:
Roots that regularly update each other, so that both have the
same data. Something similar is in the current replication
system and in the Google server system. If that were cut,
Russia would have many choices to go on, including buying
transit in a neutral country.
Separate roots that maintained logically separated data. For
example, .ru, .cn, all TLDs with Chinese Russian or Portuguese
could be in the new system. Queries could automatically go
based on TLDs. Cached and duplicate servers could pull from
both,
But I could be wrong about this, which is why I'm reaching out
before printing anything.

Whether you are wrong or not is almost irrelevant in the light
of understanding that all of the alternatives one might
hypothesize for the DNS have their own advantages and
disadvantages too and, more important, the observation that the
DNS is deployed on enough systems that a transition plan to a
different model would be hard and, under the most optimistic
assumptions, would probably take years.

The Russian decision came from the State Council with a 6 month
deadline. It still could be stopped but I think should be
addressed before it creates a crisis.

Crisis for whom?  Russian companies wishing to be reached from
outside the country would rapidly register in some generic TLD
(and have probably already done so) and start publicizing those
addresses unless prevented from doing so and might suffer a loss
of external customers.  Russian residents wanting to reach
outside Internet sites might be more or less inconvenienced, but
see above.  Seems to me it would mostly hurt Russians and
Russian companies without creating anything resembling a crisis
for anyone else.

------------------
The "Nobody who pays any attention to ICANN (inside or out)
thinks ICANN should get wound up in politics over who is the
Correct Internet People," seems right to me. But we may not
have any choice in the matter, according to the lawyers for
Facebook and the Internet Society.

IANAL, but I don't believe your analogies hold.

At the request of the U.S. government, Facebook just canceled
the account of Ramzan Kadyrov, ruler of Chechnya, with 4M
followers. They claimed it was required by U.S. law. The U.S.
gov put him on an enemies list. The guy appears to be a
murderous thug who should be in jail, not running a country,
but no evidence was presented he did anything wrong on
Facebook. You have to protect the free speech of people you
despise or it can be lost by everyone.

Sure, but this targets a specific individual, not a country, and
has nothing to do with the DNS.

At the Internet Society, Kathy Brown revoked the travel funds
that had been awarded to an Iranian to go to an IGF in Mexico
City. It broke the Iranian embargo and ISOC didn't even seek an
exemption.

Has nothing to do with the DNS either.  If you want to take it
up with the ISOC BoT, this is not the right list.

ICANN probably would have no choice but to obey a court order
to shut down connections to Palestine, where a majority
supported Hamas, on U.S. terrorist lists. What if the factions
we oppose took over Libya, Somalia, or Mali?

But ICANN has absolutely no power, even if it wanted to, to
"shut down connections" to Palestine or anywhere else (see
above).  They could, in principle, remove the "ps." TLD from the
root, but I think it would go badly for them (see above), even
with an order from a US Court, and they would presumably argue
that such a court was overreaching its reasonable authority
especially in the absence of evidence that the proposed
solution would be effective.  Even if ICANN did that, presumably
the affected parties in Palestine would reregister somewhere
else (most likely in a different ccTLD or in some gTLD not
obviously subject to US law).  And our colleagues at the ITU
would point out that these sorts of situations are high on the
list of reasons why they have been suggesting for years that the
top level of the DNS needs treaty protection.

I've said from the beginning I think an ICANN boycott of
Russia was unlikely but it's not crazy to fear it. ICANN is a
U.S. corporation under U.S. law.

So I believe it's time to think about this.

Good analogies escape me, but it is perhaps not crazy to fear an
asteroid collision that would wipe out most of life on earth
either.  That doesn't imply that spending a lot of time worrying
about it, especially without proposals for useful defenses, is a
particularly good use of time.

best,
    john


[1] Note that there may be important trade or other economic
motives for wanting to preserve global connectivity that might
complicate more obvious political considerations.  For example,
a colleague suggested some years ago that we might be nearing
the point at which some types of Internet disruptions could be
considered non-tariff trade barriers.

[2] "Used as intended" is another matter.  See, e.g.,
https://datatracker.ietf.org/doc/draft-klensin-dns-function-considerations/




