I've never looked into the GNU name system in any detail, but it does seem to afford a reasonable degree of flexibility by allowing you to publish trust relationships and then delegate to different zones. If I'm interpreting things correctly, I can imagine people generally delegating names in their zone to ICANN in order to have something similar to existing DNS and its robust management, but additionally delegate to other entities for improved censorship resistance. For instance, dissidents could delegate to some private zone that likely offers fewer guarantees. Clients would need to be configurable and perform queries in some priority ordering.
Under this scenario, the ICANN zone could just refuse to publish an entry generated by a key that is deemed invalid (e.g., key is hacked, original private key lost, so revocation cannot be issued but authenticity verified in real life), so you'd probably end up in some situation where government-blessed sources are canonical, but there's a reasonable fallback when official sources are not trusted. When these sources aren't trusted, users would have to decide for themselves or do independent verification, which seems sensible to me.
I'd like to be able to have some indication that some private non-government controlled "root" zone and the canonical zone diverged so that I can then see if this is something I need to worry about.
Realistically, many buying a domain on something like godaddy would probably have their key managed by godaddy or perhaps tied to their credit card issuer, but more technical people would have the option of safeguarding their own keys.
There are other downsides to this approach in that a DHT is going to have different failure modes and scalability issues than DNS, but at least the obvious ones that occur to me are probably mostly solvable.
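An added illustration of the client behaviour sketched above (toy code written for this page, not anything from GNS or from the comment's author): consult configured zones in priority order, answer from the first zone that has the name, but also report when a lower-priority zone disagrees with the canonical one. The zone contents and key fingerprints are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed toy data: each "zone" maps a name to the fingerprint of the
# key that signed its record. Placeholders only, not real GNS records.
ICANN_ZONE = {"example": "fp-aaaa", "news": "fp-bbbb"}
PRIVATE_ZONE = {"example": "fp-aaaa", "news": "fp-cccc", "dissident": "fp-dddd"}

# Priority order the client is configured with: canonical zone first.
DEFAULT_ZONES: List[Tuple[str, Dict[str, str]]] = [
    ("icann", ICANN_ZONE),
    ("private", PRIVATE_ZONE),
]


@dataclass
class Resolution:
    name: str
    answer: Optional[str]          # fingerprint from the highest-priority zone that answered
    source: Optional[str]          # label of the zone that supplied the answer
    diverged: bool = False         # True when two zones give different answers
    seen: Dict[str, str] = field(default_factory=dict)  # every zone's answer


def resolve(name: str, zones=DEFAULT_ZONES) -> Resolution:
    """Return the first zone's answer, but query every zone so that a
    divergence between the canonical and fallback zones can be flagged."""
    seen = {label: zone[name] for label, zone in zones if name in zone}
    answer = source = None
    for label, zone in zones:
        if name in zone:
            answer, source = zone[name], label
            break
    diverged = len(set(seen.values())) > 1
    return Resolution(name, answer, source, diverged, seen)


if __name__ == "__main__":
    for n in ("example", "news", "dissident", "missing"):
        r = resolve(n)
        flag = " (zones diverge: %s)" % r.seen if r.diverged else ""
        print(f"{n}: {r.answer} via {r.source}{flag}")
```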