by dane-pgp 1281 days ago
DNSSEC doesn't protect you against the American government if you have a .org domain, but I doubt an American court could give Microsoft control over a domain registered under a ccTLD like .de or .ru or .za for example.

I suspect Microsoft would also have trouble taking control of a domain registered under a gTLD run by a company based outside the US, but it would be interesting to see how the agreements between the gTLDs and ICANN would work out in practice.

2 comments

Technically they could force root nameservers (based in the US) to intercept/proxy the whole gTLD.

So all except n (netnod (EU)) and i (WIDE (JP))

>So all except n (netnod (EU)) and i (WIDE (JP))

US could just drop the records for those.

No, the US could not do that, and there are multiple reasons for it. The root zone is rather special in that operating systems semi-hard-code the root servers. The operating systems also have full control here, and the number of name servers at the root zone changes very slowly. Operating systems developed by people not bound by US courts could just ignore it.

The other reason is political. If they were to cut out the EU or Asia from the list, then the risk of a split would increase massively. It would be suicide. If they did that, people might even split the internet further by splitting IANA (Internet Assigned Numbers Authority), in which case a computer in the EU would be unable to communicate with a computer in the US, and then the concept of a global internet would no longer exist. A split is an exceedingly dangerous concept.

I think the hardcoded IPs are typically only used as hints to initially resolve the root-servers.net domains.

Hints are used by the bind resolver software. It hard-codes the A -> M root servers and uses those to initialize a cache. Naturally, bind developers could change this behavior, and in the case that none of the hints works, the current behavior is to use a static compiled list that the software also includes.

Not just bind, unbound also. Unbound uses the hardcoded list of IPs to resolve a-m once and build its cache; the hardcoded IPs are never used again.

>DNSSEC doesn't protect you against the American government if you have a .org domain, but I doubt an American court could give Microsoft control over a domain registered under a ccTLD like .de or .ru or .za for example.

What? Obviously they could. ICANN is subject to US law.