Dear European @larges,

During the past days we had a few exchanges over the DNSSEC issue as seen from an @large Internet lead user point of view and what should then be reported to the BoD.

I do not think this ccNSO document is perfect for us, but it could be a DNSSEC oriented good basis for an @large debate as it is not that far from our preoccupations.
http://ccnso.icann.org/workinggroups/ccnso-iana-wg-dnssec-paper-04feb08.pdf

An @large debate should first:

1. understand the problem from a user point of view, i.e.

   (1) get a complete picture of the DNS vulnerability as being evaluated today, and the areas of increasing risk.

   (2) be sure the IP address obtained from a DNS resolution is correct. This can be done in three manners:
   - in making sure that the data we receive are the authoritative data
   - in making sure that the data we receive come from the authority
   - in making sure no one can tamper with them.
   There is no 100% secure solution today, mostly because the DNS as a system was not designed to be attacked, and to be attacked by computers having the processing capacity we have today and will have in the future.

   (3) know what to do if the IP address is not declared secure. So far no work has been carried out in that direction.

2. evaluate the advantages and the limits of each manner and decide if the principles of their constraints are acceptable from a usage point of view. The most difficult issue in this kind of accuracy computation is the considered basis. What may lead to a very great technical local accuracy may also lead to a very great practical global inaccuracy. Technicians are interested in the best technical local accuracy. This is the case with DNSSEC. Politicians are interested in the best precision control (signing the root can give them that). Users are interested in the best practical global accuracy (practical including their own practice of the proposed solution).

3. Today there are three main propositions.
   - IETF DNSSEC, which signs the data and is extremely complex. The DNS and the world become centralized by the IANA.
   - DJB's DNSCurve, which signs the nameserver access and which is very simple. The DNS is much more secure.
   - Internet Plus, the france@large emerging proposition, which includes the suggestion to organise one's DNS system around one's own local root obtained from one's trusted referential system. There is no other change than a full possible support of the virtual root, quicker service, better adequation to Web 2.0 behavior.

4. Each of them may need refining.
   - Neither the IETF nor DJB's proposition documents how users/applications should react to a non-positive. Internet Plus does not have this problem since it considers an "as-is Internet".
   - There is no technical objection to using two solutions or even all three solutions at the same time.
   - DNSSEC is a traffic amplifier, depends on two unique parameters (root hierarchy and root time), has a single point of global failure and (even with NSEC3's added cost to the attacker) permits obtaining an AXFR of every zone.
   - The impact of IPv6 and IDNA has not been tested.

5. There should be some ALAC liaison with SSAC, ccTLDs (ccNSO only represents a fragment of them), and GNSO constituencies over the general DNS vulnerability issues.

jfc
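The three checks listed under point 1 (2) and the dependence on the root hierarchy noted under point 4 can be seen concretely in a simplified model of the DNSSEC chain of trust. The Go program below is an added illustration written for this page; it is not part of the message above nor code from any of the proposals it names. It uses Ed25519 (DNSSEC algorithm 15) but models DS, DNSKEY and RRSIG as plain values rather than real DNS wire records, uses one key per zone instead of the usual KSK/ZSK split, and the zone names and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Zone is a simplified signed zone: a single Ed25519 key pair (DNSSEC algorithm 15)
// signs every RRset. The real KSK/ZSK split is omitted (assumption for this example).
type Zone struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only on a broken system RNG
	}
	return &Zone{Name: name, priv: priv, Pub: pub}
}

// canonical serialises an RRset in a fixed order so signer and validator
// operate on identical bytes (a stand-in for RFC 4034 canonical form).
func canonical(owner, rtype string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(owner) + "|" + rtype + "|" + strings.Join(sorted, ","))
}

// Sign returns what an RRSIG record would carry for this RRset.
func (z *Zone) Sign(owner, rtype string, rdata []string) []byte {
	return ed25519.Sign(z.priv, canonical(owner, rtype, rdata))
}

// DS is the digest a parent publishes for a child's DNSKEY (SHA-256, hex).
func DS(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Delegation is what a validator learns from the parent zone: the child's DS
// and the parent's signature over it.
type Delegation struct {
	Child string
	DS    string
	Sig   []byte
}

// ValidateRecord walks one step of the chain of trust, from the trust anchor
// (root key) down to a child RRset: the DS is signed by the anchor and the
// child key matches it (data come from the authority), and the RRSIG verifies
// (data are the authoritative, untampered data). Everything hangs on the anchor.
func ValidateRecord(anchor ed25519.PublicKey, d Delegation, childPub ed25519.PublicKey,
	owner, rtype string, rdata []string, sig []byte) error {
	if !ed25519.Verify(anchor, canonical(d.Child, "DS", []string{d.DS}), d.Sig) {
		return errors.New("DS for " + d.Child + " is not signed by the trust anchor")
	}
	if DS(childPub) != d.DS {
		return errors.New("DNSKEY for " + d.Child + " does not match the parent's DS")
	}
	if !ed25519.Verify(childPub, canonical(owner, rtype, rdata), sig) {
		return fmt.Errorf("RRSIG over %s %s does not verify", owner, rtype)
	}
	return nil
}

// Scenario signs a constructed answer and validates it three ways: as served,
// after an on-path party changed the address, and signed by a key the parent
// never delegated to. A nil error means validation passed.
func Scenario() (genuine, tampered, rogue error) {
	root, child := NewZone("."), NewZone("example.")
	ds := DS(child.Pub)
	del := Delegation{Child: child.Name, DS: ds, Sig: root.Sign(child.Name, "DS", []string{ds})}

	// constructed sample record using a documentation address
	owner, rtype, rdata := "www.example.", "A", []string{"192.0.2.10"}
	sig := child.Sign(owner, rtype, rdata)

	genuine = ValidateRecord(root.Pub, del, child.Pub, owner, rtype, rdata, sig)
	// the address is swapped, but the old signature cannot cover the new data
	tampered = ValidateRecord(root.Pub, del, child.Pub, owner, rtype, []string{"192.0.2.99"}, sig)
	// a self-made key for example. fails at the DS check, before any RRSIG is examined
	impostor := NewZone("example.")
	rogue = ValidateRecord(root.Pub, del, impostor.Pub, owner, rtype, rdata, impostor.Sign(owner, rtype, rdata))
	return genuine, tampered, rogue
}

func main() {
	g, t, r := Scenario()
	fmt.Println("genuine:", g, "| tampered:", t, "| rogue:", r)
}
```

Running it prints a nil error for the genuine answer and a non-nil error for the other two. The structure also makes the "root hierarchy" dependence visible: a validator that holds the wrong anchor key, or a root that signs a different DS, changes the outcome of every check below it, which is the single point the message refers to.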