Today, IGP launches a month-long series of blog entries on DNS security, focusing specifically on the problem of cryptographically signing the DNS root zone. We will explore some of the hidden and not-so-hidden political implications of this technical change. We will show how DNSSEC implementation, if handled properly, creates an opportunity to overcome some of the thorny global governance issues associated with the current root zone file management procedure. These postings — hopefully with the aid of your comments — will evolve into a new position paper on the politics and economics of DNSSEC to be released in May. The ideas will be discussed at the Symposium on “Internet Governance and Security: Exploring Global and National Solutions,” in Washington, DC, May 17, 2007. One panel, focused on DNSSEC, will feature speakers from IGP, the U.S. National Institute for Standards and Technology (NIST), VeriSign, ICANN/IANA, ISC, and IETF, with commentary by Becky Burr, a lawyer at Wilmer Hale and former Commerce Department official who specializes in DNS law.
Next up: Introduction
OK, I'll do my housekeeping duty this morning, and feed Brenden's blog.
About root transition from Verisign to ICANN. Reading tea leaves from the many empty cups on the table.
Root transition is a shift of control for the root zone file editing function from Verisign to direct ICANN control. Seen from IETF/IAB, it's IANA's mandate, not ICANN's. But that's a different story, I guess.
In the .com agreement, there are provisions for root transition, where USG/NTIA keeps an eye on things, as usual. I personally wonder why ccTLD managers were so upset about the implicit USG/NTIA intent to keep an eye on DNSSEC: there is nothing new, DNSSEC just makes USG/NTIA more visible. It's just like any other correct use of cryptographic techniques in IT operations: DNSSEC forces more discipline and reduces the room for inconsistencies in procedures. Maybe there was an inconsistency between the perceived vs actual role of USG/NTIA.
Root transition and DNSSEC support at the root, so far so good. But in which sequence?
I prefer “DNSSEC support at the root” to “root zone signature” because the latter appears to ignore root trust anchor management and secure delegations to TLD zones.
The root transition agreement looks like an “agreement to agree,” which you and I shouldn't do, but seems OK for Verisign and its partners. Anyway, it suggests that Verisign collaborates to the introduction of DNSSEC support at the root. Well, I had, and still have, a naive question: what is the Verisign incentive for DNSSEC deployment at the root if there is no mechanism for differentiated pricing in the .com registry for secure delegations?
I asked the question in the context of competition issues with the .com agreement. An answer to my naive question came from a USG/DoJ analyst who voluntarily asserted that “Verisign will do what the USG/NTIA will tell them to do.” Take this answer as you see fit. It sounded familiar to me, and after all “The King can do no wrong” as we are told North of the border where we didn't break the ties of monarchy.
s/The King/We, the People/
Back to my housekeeping duty. I have to report that root transition is under way. According to the latest ICANN operating plan, IANA intends to “Complete the implementation of automated root zone management tools begun through relationship with NASK and use of mutually developed code and procedures.” Congratulations to those involved.
Furthermore, DNSSEC support by IANA is in the plans for .arpa and .int TLD zones (.arpa is “infrastructure TLD” and .int is between a ccTLD and a true gTLD and is under the direct control of ICANN and/or IANA). But DNSSEC support at the root was dropped from previous revisions of ICANN operating plans.
In summary, according to my reading of tea leaves, there is momentum for the root transition to IANA, and the DNSSEC technical challenges are addressed within IANA. However, the DNSSEC support at the root is not yet in the IANA's work basket. It may come later, e.g. when the root transition to ICANN is complete.
In my personal opinion, it would be a good thing that Verisign is removed from the loop when times comes to sign the root, e.g. to reduce the number of players in a thorny issue. I feel more comfortable to state this opinion these days when Verisign, as a publicly held company, failed to prepare its annual report within the required time limits. Perhaps the US culture is imprinted in the Internet institutions in unexpected ways!
Regards,
– Thierry Moreau