[dns-operations] cool idea regarding root zone inviolability

Paul Vixie paul at redbarn.org
Sun Nov 30 18:31:14 UTC 2014

> Florian Weimer <mailto:fw at deneb.enyo.de>
> Sunday, November 30, 2014 2:08 AM
> Wouldn't be a first to step to cover root server *operators* (and root
> DNS server sites) to audits, lift them out of obscurity, and introduce
> some form of accountability?

accountability may be too strong a word for the art of the possible in
this case. a long time ago someone from icann (who is now long gone)
presented me (as isc president) with a proposed MoU that allowed either
party unilateral termination without cause, and specified that f-root's
address block ( would become icann's property if the
agreement were ever terminated. after a few hours of "wtf?" from both
sides, i ended negotiations around the MoU and determined that no root
name server operator could ever be "accountable to" the icann
corrupt-o-thon, and that our accountability had to be much broader.

years later, using a different negotiator on the icann side, an MoU was
negotiated between icann and isc. it's online, see reference #8 at
<http://icannwiki.com/ISC>, noting that all of the "Key People" listed
on that page have moved on from ISC, but their current team is excellent.

additional anti-obscurity measures such as audits and additional MoU's
are worth discussing. the root server operators now have a very cordial
relationship to ICANN and they provide the core of the RSSAC. see
<https://www.icann.org/resources/pages/rssac-4c-2012-02-25-en> for some
contact info on getting started with that sort of initiative.
> It's not a bad idea to make sure that the data that goes into the root
> system isn't compromised, but right now, anyone can already review
> that, and there is even some public documentation for the update
> process. Contrast this with the situation on the operator side, where
> important information such as site selection criteria is only
> available under NDA (if at all).

each rootop has its own method of site selection. this is both an
anti-capture mechanism and a diversity-assurance mechanism. i believe
that most rootops would be willing to speak on the record about their
site selection criteria if asked, and without an NDA. note that i'm
speaking of my beliefs, and not as a spokesman for any rootop other than
F (before) and C (now), because the rootops as an aggregate entity have
no spokesperson.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141130/d6e3e61a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141130/d6e3e61a/attachment.jpg>

More information about the dns-operations mailing list