Click the comments link on any story to see comments or add your own.
Subscribe to this blog
25 Oct 2005
A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but when I look at the copies of the root zone I download from Verisign's FTP server, I see that Verisign does, following advice from ICANN.
This has two and a half effects. The most obvious is politicalif ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign running some of the root servers. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. (Take that, ORSC.)
The half thing is that the agreement requires that when VeriSign sends ICANN zone info updates, ICANN has to apply them within a week. Since IANA has been taking a month to handle updates, this means IANA will have to get their act together enough to provide bad rather than horrible service on domain updates unless they provide a special express channel for TLDs that have contracts with ICANN, and give the current horrible service to everyone else.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.