|
A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN.
This has two and a half effects. The most obvious is political—if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign’s A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can’t publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. (Take that, ORSC.)
The half thing is that the agreement requires that when VeriSign sends ICANN zone info updates, ICANN has to apply them within a week. Since IANA has been taking a month to handle updates, this means IANA will have to get their act together enough to provide bad rather than horrible service on domain updates unless they provide a special express channel for TLDs that have contracts with ICANN, and give the current horrible service to everyone else.
Sponsored byCSC
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byRadix
very well seen. But I think this is ICANN IANA job protection stuff. The engaged battle is for the control of the IANA. ICANN, NTIA, Unicode, ITU are the challengers. DNSSEC is certainly a key point. Not only for what it operationnally means, but also for the difficuly of moving the DNSSEC root management.
Except if IANA moves to another structure as an entity.
A question is the impact on the cooperation agreement of Verisign witht the USG. I feel this might void the need for such an agreement. Is the USG OK? The big advantage for Verisign to be releived from the cooperation agreement is that they could go alt/open-roots.
The real “root” of the future is today with NeuStar. If Verisign enters a star in the NeuStar root, aside .gprs Sitefinder II will “pollute” quickly. I am working on a dedicated registry server and services system. Root access is obviously a problem in case of loss of connectivity. The solution is probably to get an MMS connectivity and the root there, as 1.5 billions of other users.
If Verisign comes with an attractive deal so my machine is made free to users because of a special deal for their services, I am interested.
John, i’m not sure why the myth of “A” being special continues to be perpetrated. The root zone is distributed via a “distribution master” system and has been since early 2000.
—bill
I don’t know why the myth of “A” being special continues to be perpetrated, either, but I also don’t understand why you’re bringing it up.
The question at issue is who creates the root zone, not how it’s distributed. When I download the root zone from VRSN’s FTP server, which is supposed to be the same root zone that goes into the root servers, it’s got Verisign’s fingerprints all over it, e.g., the SOA contact is NSTLD.VERISIGN-GRS.COM. This agreement says now it’ll be ICANN’s fingerprints.