Interesting:

regards,
Peter and Karin

-------- Original Message --------
From: Markus Grundmann/ORSN <mgrundmann@de.orsn.org>
To: <orsn-tech@orsn.org>
Date: Fri, 30 Sep 2005 14:03:56 +0200
Organization: ORSN, Open Root Server Network
Subject: [ORSN.TECH] We Are Complete
List-Archive: <http://trinitron.activezone.net/pipermail/orsn-tech>

Dear Listmembers!

The ORSN project got two further members. All 13 root servers are now taken up in our data base. The Family is complete :)

---
F.ORSN-SERVERS.NET was operated by: Zen Systems ApS, http://www.zensystems.dk
Location: Denmark (Lyngby)
More details: http://european.de.orsn.net/hostdetails.php?serv=F

---
L.ORSN-SERVERS.NET was operated by: Paul Vixie, http://www.vix.com
Location: USA, San Jose (CA)
More details: http://european.de.orsn.net/hostdetails.php?serv=L
+ Currently the configuration is not completed.
+ BIND didn't respond to queries.

Regards,
Markus Grundmann
ORSN, Germany

______________________________________________________________________________
ORSN, Public Mailing-List (Tech-Discussion)

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
In message <433D607F.8040008@peter-dambier.de>, Peter Dambier writes:
> Interesting:
I don't regard this as good, but note this from the ORSN FAQ:

* Has ORSN additional TLDs like .DNS, .AUTO?

No. ORSN is a "Legacy Root" and 100% compatible with ICANN's root zone.

and

Furthermore, no additional (alternative) top level domains will be added to the ORSN root-servers like ORSC, NEW.NET, public-root and other networks did it.

It is *not* the same as what you've been advocating.

As for why it's not good -- at least one query ('dig ns .') will yield different answers,

I also note that it's now operating in "independent mode", which (according to the FAQ) happens if the owners of ORSN think there's some danger to the ICANN roots. Since the danger is explicitly listed as the "political situation of the world", I am concerned that ORSN is reserving to itself the right to diverge from ICANN if they perceive that ICANN is making political decisions under the influence of the U.S administration.

(I also note that the ORSN is explicitly European-based, which is not that much of an improvement over the US-based ICANN, and plans to put most of its servers in Europe. 5 of the 13 official root servers have at least partial presence outside the US -- not as many as there should be, but better than having them all on one continent.)
> I don't regard this as good, but note this from the ORSN FAQ:
>
> * Has ORSN additional TLDs like .DNS, .AUTO?
>
> No. ORSN is a "Legacy Root" and 100% compatible with ICANN's root zone.
>
> and
>
> Furthermore, no additional (alternative) top level domains will be added to the ORSN root-servers like ORSC, NEW.NET, public-root and other networks did it.
>
> It is *not* the same as what you've been advocating.
indeed, it is not. anyone who shows fealty to the universal IANA namespace can count on my support. when i read the above FAQ, i volunteered the same hour. note that this is me acting personally, and not in my capacity as an employee of ISC or any other entity.
> As for why it's not good -- at least one query ('dig ns .') will yield different answers,
this is the other reason why i took an interest in ORSN. the trinity of ICANN/VeriSign/US-DoC has spent far more good will than they've brought in, and many folks around the world seem now to be looking for ways to take their fate in their own hands. ORSN shows fealty to the universal IANA namespace, and edits the ". NS" RRset of "their" zone only because there is no other way to accomplish their independence goals. by helping them, i can learn more about how this works out in practice. by operating a server, i can measure and contemplate the traffic. for the record, i won't be switching any of my own recursive nameservers over to ORSN. i'm very satisfied with the service i receive from the IANA nameservers.
> I also note that it's now operating in "independent mode", which (according to the FAQ) happens if the owners of ORSN think there's some danger to the ICANN roots. Since the danger is explicitly listed as the "political situation of the world", I am concerned that ORSN is reserving to itself the right to diverge from ICANN if they perceive that ICANN is making political decisions under the influence of the U.S administration.
i'm indifferent to their reasons, as long as they don't add any new TLD's or otherwise display the kind of piracy or foolishness i have so often decried among new.net, unidt, united-root, public-root, alternic, open-rsc... and i forget how many others.
> (I also note that the ORSN is explicitly European-based, which is not that much of an improvement over the US-based ICANN, and plans to put most of its servers in Europe. 5 of the 13 official root servers have at least partial presence outside the US -- not as many as there should be, but better than having them all on one continent.)
with or without the approval or participation of the folks who started it all, and those who wrote most of the code and specifications and those who are now working hard to keep it running, the world is going to pursue autonomy and independence. the internet allows, among other things, not having to care very much what other people think about what ought, or ought not, to be done. however, there's still a chance to encourage responsible independence, which i think ORSN is demonstrating, as opposed to piracy and foolishness, such as those who falsely respond to queries sent to the IANA root server addresses, or those who shortsightedly add TLD's that only their own customers can see... the list goes on. (in fact, the list is only getting started.)

-- Paul Vixie
On Fri, 30 Sep 2005, Paul Vixie wrote:
> > I don't regard this as good, but note this from the ORSN FAQ:
> >
> > * Has ORSN additional TLDs like .DNS, .AUTO?
> >
> > No. ORSN is a "Legacy Root" and 100% compatible with ICANN's root zone.
> >
> > and
> >
> > Furthermore, no additional (alternative) top level domains will be added to the ORSN root-servers like ORSC, NEW.NET, public-root and other networks did it.
> >
> > It is *not* the same as what you've been advocating.
>
> indeed, it is not. anyone who shows fealty to the universal IANA namespace can count on my support. when i read the above FAQ, i volunteered the same hour. note that this is me acting personally, and not in my capacity as an employee of ISC or any other entity.
>
> > As for why it's not good -- at least one query ('dig ns .') will yield different answers,
>
> this is the other reason why i took an interest in ORSN. the trinity of ICANN/VeriSign/US-DoC has spent far more good will than they've brought in, and many folks around the world seem now to be looking for ways to take their fate in their own hands. ORSN shows fealty to the universal IANA namespace, and edits the ". NS" RRset of "their" zone only because there is no other way to accomplish their independence goals. by helping them, i can learn more about how this works out in practice. by operating a server, i can measure and contemplate the traffic.
I don't get this. You pretend there is a difference between ICANN/VeriSign/US-DoC and universal IANA namespace. They are one and the same.

If you're trying to separate the infrastructure from the namespace, imho the infrastructure _is_ independent. I don't see ISC nor RIPE getting approval from ICANN/VeriSign/US-DoC whenever they deploy a new any-cast instance of a root-server, and prolly because there is no such requirement. So that argument is out the door.

Anyway, let me attach a response I sent last year about ORSN. The stats may be a little out of date, but the general tone is still valid.

Regards,

Roy

Date: Wed, 13 Oct 2004 13:20:50 +0200 (CEST)
From: Roy Arends <roy@dnss.ec>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Yiorgos Adamopoulos <adamo@central.tee.gr>, dns-wg@ripe.net
Subject: Re: [dns-wg] Re: ORSN-SERVERS.NET

On Wed, 13 Oct 2004, Stephane Bortzmeyer wrote:
> On Wed, Oct 13, 2004 at 10:28:57AM +0200, Roy Arends <roy@dnss.ec> wrote a message of 19 lines which said:
>
> > Please read RFC 2826
>
> Please read about ORSN (http://european.nl.orsn.net/faq.php#opmode). ORSN is *not* an alternative root.
I did. It is an alternative root, since it is not sanctioned nor supported by ICANN.

The main reason for the ORSN is outlined in the about page at their site. IMHO, their reasons (a lesser dependency on non-european instances of authoritative root-servers, but correct me if I'm wrong) are less valid nowadays, since some of the ICANN root-server operators chose to use anycast as a viable means to spread the load on the root-zone.

f.root-servers.net: 26 sites, (5 in EU, 4 in US)
i.root-servers.net: 17 sites, (11 in EU, 2 in US)
j.root-servers.net: 13 sites, (3 in EU, 7 in US)
k.root-servers.net: 6 sites, (5 in EU and 1 in Qatar)
m.root-servers.net: 3 sites, (1 in EU)
The rest of roots: 11 sites in US.

In total 76 instances of a root-server of which are 25 in the EU, 26 in the US, and 50 outside EU/US. And this network is growing and growing. I can recommend any organisation who has the resources (skill and infrastructure) that would like to help to spread the load of the root-servers to contact the anycast-enabled root operators (ISC, Autonomica/Nordunet, RIPE).

In comparison, there are 13 ORSN servers based in europe, of which are 2 unused, and 1 has errors.

I do understand the effort ORSN is trying to make. If it is to spread load and create less dependency, they are obviously not up to par with the ICANN root-server network. If their effort is merely a political protest, that is a different layer I know nothing about.

Roy
# > > It is *not* the same as what you've been advocating.
# >
# > indeed, it is not. ...
#
# I don't get this. You pretend there is a difference between ICANN / VeriSign
# / US-DoC and universal IANA namespace. They are one and the same.

you must have misread me. see http://fm.vix.com/ today.
On Fri, 30 Sep 2005, Paul Vixie wrote:
> # > > It is *not* the same as what you've been advocating.
> # >
> # > indeed, it is not. ...
> #
> # I don't get this. You pretend there is a difference between ICANN / VeriSign
> # / US-DoC and universal IANA namespace. They are one and the same.
>
> you must have misread me. see http://fm.vix.com/ today.
I've read it. Twice now. I'd like some help on what part I've misread ?

I don't think the independence argument holds, as explained by my previous message, therefore, one of ORSN's main argument: resilience; How is the community served better by converging from a set of 75+ roots deployed worldwide to a set of 13 roots european based. Or are you trying to give US based ORSN clients better proximity :)

Roy
# > you must have misread me. see http://fm.vix.com/ today.
#
# I've read it. Twice now. I'd like some help on what part I've misread ?

"i'm indifferent to their reasons, as long as they don't add any new TLD's..."

# I don't think the independence argument holds, as explained by my previous
# message, therefore, one of ORSN's main argument: resilience; How is the
# community served better by converging from a set of 75+ roots deployed
# worldwide to a set of 13 roots european based. Or are you trying to give US
# based ORSN clients better proximity :)

it's enough for me that they're going to do it no matter what you (or i) say, and that they're doing it responsibly (without any namespace pollution). if ORSN is afraid war is going to break out somewhere and that ICANN might delete the ccTLD's for countries that are part of the "axis of evil", then ORSN is probably just confused -- i don't think that's what would happen. but as i've said, i'm indifferent to their reasons, since they only publish data that was at one time or another published by IANA.

and note, i won't be switching my own recursive lookups over to ORSN, since i'm completely satisfied with the performance of the IANA servers, and i do not share ORSN's concerns about "unsound zone changes".
> it's enough for me that they're going to do it no matter what you (or i) say, and that they're doing it responsibly (without any namespace pollution). if ORSN is afraid war is going to break out somewhere and that ICANN might delete the ccTLD's for countries that are part of the "axis of evil", then ORSN is probably just confused -- i don't think that's what would happen. but as i've said, i'm indifferent to their reasons, since they only publish data that was at one time or another published by IANA.
I suppose I should mention that ICANN redelegated .iq for some mumble reason, compare, .pn.

For those who care about excesses of zeal, the Elashi brothers (operators as well as sponsor delegees of .iq) of someplace in Texas, were charged with giving money to Hamas or a charity linked to Hamas, and sending a PC to Syria, and parts of a PC -- perhaps a mouse pad -- to Libya.

The latter acts nominally violate export regulations intended to prevent the acquisition of supercomputers by several states for the purposes of preventing nuclear proliferation, and the government obtained a conviction on the Syrian export count. Export control violations universally result in fines, except in the case of the Elashi brothers, who are still in Federal custody.

People who live in Damascus routinely drive to Beirut to buy computers, so the rationality of all this is an exercise left to the reader. It did result in the seizure of the .iq name servers, and has kept .iq dark for three years. No part of this was necessary, or could not have been solved by a trustee pending the eventual outcome of the USG's complaints, and the possible counter-complaints by the Elashis.

The US has not yet, after three years, brought the giving money to Hamas issue to trial.

Not that it matters, but Hamas is the government of parts of Palestine, no matter how much heartburn this gives some people, and the Elashis are diaspora Palestinians.

Eric
On Fri, 30 Sep 2005, Eric Brunner-Williams wrote:
> I suppose I should mention that ICANN redelegated .iq for some mumble
> reason, compare, .pn.

> Not that it matters, but Hamas is the government of parts of Palestine,
> no matter how much heartburn this gives some people, and the Elashis are
> diaspora Palestinians.

...whereas post-redelegation, .iq is administered by the Iraqi communications ministry from Baghdad, rather than by Palestinians from Texas. Seems like a clear improvement to me.

-Bill
Bill,

Have you got an opinion on .mm? Last December (when Vint and I did exchange notes on getting India to allow relief workers into the Andaman and Nicobar Islands, and some British embassy in Baghdad guy who wanted to get .iq for the Occupation regime-de-jour) it so happened that all their servers (in the UK, which isn't part of Burma, or Burma Shave, or ...) were dark. If those facts were present today, would you be ready to delta dot?

Eric
> Have you got an opinion on .mm? Last December it so happened that
> all their servers (in the UK, which isn't part of Burma, or Burma
> Shave, or ...) were dark. If those facts were present today, would
> you be ready to delta dot?

My inclination has been to solve problems rather than burn things down... Changing the root doesn't solve the problem of all someone's servers being down. Getting a useful (first priority: up, second priority: in and by the country of service) set of servers into the root does solve the problem. I think that we (PCH) and ICANN, and RIPE, and Randy Bush, among many others, have all put quite a bit of work into trying to see that happen. Starting over doesn't build a better system, just a less trusted one.

-Bill
Bill,

I forgot to mention that the idiot Brit who wanted .iq was going to run it -- all of it -- off of generators from inside the Green Zone. I don't know if my notes made a bit of difference, but I advised that ICANN not redel and open the adverse redel can unnecessarily.

I'm not sure if I understand your note, but since you seem to be making a pragmatic "it works better" observation (and I don't know that it does) for one 3166 code point, why not another?

Eric
On Fri, 30 Sep 2005, Bill Woodcock wrote:
> ...whereas post-redelegation, .iq is administered by the Iraqi communications ministry from Baghdad,
Current Iraq government exists because there is substantial US military presence in the country. Let's assume that at some future point US gets tired in spending billions of dollars on such operation and that some time later on the Iraq government is overthrown and fled the country (taking dns servers for .iq TLD along with them) and establishes "government in exile" headquartered in Texas :)

The new Iraq government after period of civil war then requests redelegation of .iq domain from IANA. What actions will they take if US still recognizes old government?

BTW - Also think about what makes current Iraq government legitimate as opposed to say representative of the old one (which lucky for US did not establish official government in exile after start of occupation).

--
William Leibzon
Elan Networks
william@elan.net
On Fri, 30 Sep 2005, Bill Woodcock wrote:

> ...whereas post-redelegation, .iq is administered by the Iraqi communications ministry from Baghdad, rather than by Palestinians from Texas. Seems like a clear improvement to me.
>
> -Bill

That's great. So now {bechtel, halliburton, eds, ...} gets paid to hijack it.

Glad we're making progress in the "liberation" of the cctld.

--matt@snark.net------------------------------------------<darwin><
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
On Fri, 30 Sep 2005, Eric Brunner-Williams at a VSAT somewhere wrote:
> For those who care about excesses of zeal, the Elashi brothers (operators as well as sponsor delegees of .iq) of someplace in Texas, were charged with giving money to Hamas or a charity linked to Hamas, and sending a PC to Syria, and parts of a PC -- perhaps a mouse pad -- to Libya.
Thanks Dan,

I've read it, several times, and the prior and subsequent filings, and the referenced export regs as well.

It all comes down to pretending a PC is a supercomputer, pretending that ordinary Syrians, let alone nuclear weapons proliferating Syrians, didn't, in this period, routinely drive from Damascus to Beirut, and an untested claim of money laundering, and a lot of highly excited politically ambitious people in North America.

The Elashis didn't run a great cctld before the present excitement, but a lot of cctld operators could then be, and can now be, similarly characterized.

Eric
On Fri, Sep 30, 2005 at 08:38:43AM -0400, Eric Brunner-Williams at a VSAT somewhere wrote:
> It all comes down to pretending a PC is a supercomputer,

An ordinary PC, by today's standards average, is defined by US law as a supercomputer, legally a munition ("weapon of war"). Whether you yourself believe the object defined by the popular term "supercomputer" is required to habitate a substantially larger space, or substantially larger number of computrons is irrelevant. There is no pretense here, just that I suspect you misunderstand that the term 'supercomputer' is being used as a legal term, not the common term you use in casual language.

> pretending that ordinary Syrians, let alone nuclear weapons proliferating Syrians, didn't, in this period, routinely drive from Damascus to Beirut,

That you might be able to buy a canister of napalm from the grocery store in [Insert random location], doesn't mean the US has to hold all exports of napalm into that location as immune from export controls.

Again, there is no pretense here, and there is no need for it.

--
David W. Hankins                    "If you don't do it right the first time,
Software Engineer                    you'll just have to do it again."
Internet Systems Consortium, Inc.    -- Jack T. Hankins
David,

Before turning to your certainty that laws are self-explanatory and not nuanced, I should mention something I forgot.

The Elashi case rattled the Export Controls Defense bar, because the Elashis didn't actually send anything to Libya, their buyer was some computer broker in Malta, and that's who sent the export controlled material on to a state on the restricted list. The Elashi case established the precedent that a buyer's actions could transfer export control liability to the seller.

Turning to your certainty, the original language has been modified to put a Moore's Law (my shorthand) COLA-like MIPS escalator, and modified again to replace "proliferation" (which has a rational relationship with MIPS) with "terrorism", which has no computational characteristics known to me.

I don't know why the Elashi's attorney entered a plea on the export issue, as the cost for agreement to a plea appears to be indefinite sentencing, rather than an ordinary rational cost of business fine.

Cheers,
Eric
I would like to thank Eric for agreeing so violently with me: We have now established that no "pretense" is required for a conviction.

I suggest we move the remainder of this discussion, "What is the law and how can you avoid being prosecuted for funneling 'munitions' to Iraq?", to the North American Shipping Clerks Group mailing lists. If such a group exists.

--
David W. Hankins                    "If you don't do it right the first time,
Operations Engineer                  you'll just have to do it again."
Internet Systems Consortium, Inc.    -- Jack T. Hankins
> Not that it matters, but Hamas is the government of parts of Palestine, no matter how much heartburn this gives some people, and the Elashis are diaspora Palestinians.

And they did violate US laws in the US.

Ah well, maybe they will get deported when they get released from prison, just like their wives.

sam
> And they did violate US laws in the US.
An export regulation, one normally punished by a fine.
> Ah well, maybe they will get deported when they get released from prison, just like their wives.

There is an interesting register of export violators, and quite a few are foreign nationals, and quite a few are also ... obscure ... like arguing that a Pentium processor constitutes a nuclear proliferation asset. Over the past three years, only one violation has resulted in the seizure of all business assets and business records.

As I pointed out to Vint some months ago, if the same standards were applied to Worldcom's Bernie the Bandit, Vint could have been in the pokey too, and even his Worldcom pencil sharpener would have a DOJ do not remove under penalty of law seal on it.

Eric
On Fri, 30 Sep 2005, Paul Vixie wrote:
> # > you must have misread me. see http://fm.vix.com/ today.
> #
> # I've read it. Twice now. I'd like some help on what part I've misread ?
>
> "i'm indifferent to their reasons, as long as they don't add any new TLD's..."
I understood that you're indifferent to _their_ reasons. I'm curious about _your_ reasons. Solely to learn and for the stats? I couldn't deduct that from fm.vix.com.

Roy
# I understood that you're indifferent to _their_ reasons. I'm curious about
# _your_ reasons. Solely to learn and for the stats? I couldn't deduct that
# from fm.vix.com.

internet governance ain't what it will be. anyone who wants to keep name universality in place as the system evolves, can ask or expect help from me.
In message <20050930203803.73D361145C@sa.vix.com>, Paul Vixie writes:
> it's enough for me that they're going to do it no matter what you (or i) say, and that they're doing it responsibly (without any namespace pollution). if ORSN is afraid war is going to break out somewhere and that ICANN might delete the ccTLD's for countries that are part of the "axis of evil", then ORSN is probably just confused -- i don't think that's what would happen. but as i've said, i'm indifferent to their reasons, since they only publish data that was at one time or another published by IANA.
Paul, if we ever get DNSSEC deployed, what will/should ORSN return for

    dig ns .

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
# Paul, if we ever get DNSSEC deployed, what will/should ORSN return for
#
# dig ns .
#
# --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

i don't know ORSN's plans. i believe that the standard testbed methodology (and bill manning would be the one to correct me here, if i'm wrong) is to re-sign the zone with a key trusted by your client populations. this would not have been practical in the era before DS RRs, but as things stand, any root zone signed by IANA will be verifiable by testbed operators, who can re-sign the zone, including the DS RRs, and for the resulting population, everything will "just work".

note, though, that i'm merely speculating -- it's possible that ORSN would just strip out the DNSKEYs and RRSIGs and DS's, and publish a zone that was free of DNSSEC metadata. i have no idea.
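
An added example, not part of the thread and not ORSN's or IANA's tooling: a Python check for the property argued over above, that an alternate root differs from the reference zone only in the apex ". NS" RRset (plus the address records of the servers it names) and in DNSSEC metadata, with no delegations added or dropped. The zone snippets, addresses and function names are constructed for illustration.

```python
# Record types treated as DNSSEC metadata that an alternate root may
# strip or regenerate when it re-signs the zone with its own key.
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "DS", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed stand-in for the reference (IANA) root zone.
REFERENCE_ZONE = """\
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 172800 IN DNSKEY 257 3 8 constructed-reference-key
. 518400 IN RRSIG NS 8 0 518400 constructed-reference-signature
a.root-servers.net. 518400 IN A 192.0.2.1
b.root-servers.net. 518400 IN A 192.0.2.2
de. 172800 IN NS ns1.example.de.
de. 86400 IN DS 12345 8 2 constructed-digest
iq. 172800 IN NS ns1.example.iq.
"""

# Constructed alternate root: same delegations, own apex NS, DNSSEC stripped.
ALTERNATE_ZONE = """\
. 518400 IN NS f.orsn-servers.net.
. 518400 IN NS l.orsn-servers.net.
f.orsn-servers.net. 518400 IN A 198.51.100.6
l.orsn-servers.net. 518400 IN A 198.51.100.12
de. 172800 IN NS ns1.example.de.
iq. 172800 IN NS ns1.example.iq.
"""

# Same alternate root with one extra TLD: the divergence the FAQ rules out.
POLLUTED_ZONE = ALTERNATE_ZONE + "auto. 172800 IN NS ns1.example.net.\n"
# Same alternate root carrying its own key, as a re-signed zone would.
RESIGNED_ZONE = ALTERNATE_ZONE + ". 172800 IN DNSKEY 257 3 8 constructed-local-key\n"


def parse(zone_text):
    """Return a set of (owner, type, rdata); TTL and class are ignored."""
    records = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        if rtype == "NS":
            rdata = rdata.lower()  # name server names are case-insensitive
        records.add((owner.lower(), rtype, rdata))
    return records


def apex_ns(records):
    """Targets of the root's own NS RRset."""
    return {rdata for owner, rtype, rdata in records
            if owner == "." and rtype == "NS"}


def compare(reference_text, alternate_text):
    """Classify how an alternate root differs from the reference zone."""
    ref, alt = parse(reference_text), parse(alternate_text)
    servers = apex_ns(ref) | apex_ns(alt)

    def expected(record):
        owner, rtype, _ = record
        if rtype in DNSSEC_TYPES or (owner == "." and rtype == "NS"):
            return True
        # Address records for the root servers themselves follow the apex NS.
        return owner in servers and rtype in ("A", "AAAA")

    divergent = sorted(
        [("-",) + r for r in ref - alt if not expected(r)]
        + [("+",) + r for r in alt - ref if not expected(r)])
    ref_sec = {r for r in ref if r[1] in DNSSEC_TYPES}
    alt_sec = {r for r in alt if r[1] in DNSSEC_TYPES}
    if not alt_sec:
        dnssec = "absent"       # metadata stripped (or never present)
    elif alt_sec == ref_sec:
        dnssec = "identical"    # reference signatures carried over unchanged
    else:
        dnssec = "different"    # consistent with re-signing under another key
    return {"apex_ns_changed": apex_ns(ref) != apex_ns(alt),
            "dnssec": dnssec, "divergent": divergent}
```

An empty `divergent` list means the namespace is unchanged; any entry is a delegation the reference zone does not have, or one it has that the alternate dropped.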
participants (12)
- Bill Woodcock
- Dan Hollis
- David W. Hankins
- Eric Brunner-Williams at a VSAT somewhere
- Matt Ghali
- Paul Vixie
- Paul Vixie
- Peter Dambier
- Roy Arends
- Sam Hayes Merritt, III
- Steven M. Bellovin
- william(at)elan.net