DNSSEC and the issue of signing the root have been hot topics in Internet governance over the past year. Most recently, the IGP co-sponsored workshop at IGF-Rio saw several interested parties (see the workshop writeup) vigorously debating whether the root should be signed. Perhaps anticipating that discussion, ICANN released a ccNSO survey of 61 ccTLD operators on DNSSEC just before IGF-Rio. It highlighted that the majority of interviewed operators preferred that ICANN/IANA sign the root, but numerous other arrangements were identified as well. In Rio, the CEO of the largest ccTLD argued that deploying DNSSEC at the root entails making a decision about whether to dedicate trust to one or multiple entities. She and a representative of CGI.br openly expressed concern about a single entity controlling such a critical piece of the DNS.
In a promising sign that policy discussions regarding critical internet resources are responding to IGP advocacy and IG Forum discussions, the DNSSEC-Deployment group is now discussing options for distributing root signing authority. This turn in the debate shows that constructive criticism and discussion of DNSSEC governance arrangements can indeed lead to improvements, despite early resistance to even discussing the topic.
In May, IGP released a proposal calling for several, but a limited number of, non-governmental organizations to be responsible for creating the associated keys and digitally signing the contents of the root. Having multiple organizations generating signatures absolutely requires that they agree on the root zone content prior to signing; otherwise resolvers may be unable to validate signed resource record sets and resolve DNS queries. As noted on the DNSSEC-Deployment list, further study of the interaction in this scenario would be beneficial for everyone.
Another option being suggested is a threshold signature scheme, which is often applied in key escrow situations where two or more agents (l) each hold a part (i.e., a share) of a key. Under these schemes, a minimum number of agents (k) are required in order to digitally sign a piece of data. E.g., k of l root key operators (RKOs) could sign the zone signing key for the root zone file managed by ICANN/IANA. A main benefit of these schemes is that they distribute the risk of key compromise. Furthermore, the option exists to have either a single trusted party generate the key material or to have the signing function and key generation done in a distributed manner by the agents (1,2,3,4,5,6,7).
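To make the k-of-l idea concrete, here is an added example (not IGP's code, and not part of any DNSSEC implementation) of Shamir's threshold secret sharing over a prime field. It assumes a constructed field prime and a toy key value; the names `split_secret`, `recover_secret` and `distributed_keygen` are this example's own. It shows both arrangements the paragraph mentions: a single trusted dealer splitting the key among l RKOs, and a dealerless variant in which the agents generate the joint key collectively so that no single party ever holds it. Any k shares recover the key; k-1 shares are consistent with every possible key and so reveal nothing.

```python
"""Added example: k-of-l threshold secret sharing over a prime field.
Not IGP's code and not any DNSSEC implementation; the field prime and
all key values are constructed for illustration only."""
import secrets

# Constructed illustration prime (not a real DNSSEC parameter): the
# 127-bit Mersenne prime, large enough that guessing is hopeless and
# small enough for pure-Python arithmetic.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, l):
    """Dealer-based Shamir sharing: one trusted party holds the secret and
    hands out l shares, any k of which reconstruct it. The secret is the
    constant term of a random degree-(k-1) polynomial; share i is (i, f(i)),
    with i = 1..l so that no share sits at x = 0 (the secret itself)."""
    if not 1 <= k <= l < P:
        raise ValueError("need 1 <= k <= l")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, l + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares. With k or
    more correct shares the result is the secret; with fewer, the caller
    obtains a value that is equally consistent with every candidate secret
    and so learns nothing about the real one."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P          # product of (0 - x_j)
                den = (den * (xi - xj)) % P      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def distributed_keygen(k, l):
    """Dealerless variant: each of the l agents picks its own random secret,
    Shamir-shares it to the others, and sums the l shares it receives.
    Because sums of shares are shares of the summed polynomial, any k
    combined shares recover the joint key, which is the sum of all agents'
    secrets and which no single agent ever sees. (A production DKG would add
    commitments so agents can verify the shares they receive; omitted here.)
    The joint key is returned only so the demonstration can check it."""
    contributions = [secrets.randbelow(P) for _ in range(l)]
    per_agent = [split_secret(s, k, l) for s in contributions]
    combined = []
    for x in range(1, l + 1):
        y = sum(per_agent[a][x - 1][1] for a in range(l)) % P
        combined.append((x, y))
    joint_key = sum(contributions) % P
    return joint_key, combined


def demo(k=3, l=5):
    """Walk through a k-of-l split with a constructed toy key; returns True
    on success so the example can be checked rather than only printed."""
    key = secrets.randbelow(P)                 # constructed toy signing key
    shares = split_secret(key, k, l)
    ok = recover_secret(shares[:k]) == key     # first k RKOs
    ok &= recover_secret(shares[l - k:]) == key  # a different k RKOs
    ok &= recover_secret(shares[:k - 1]) != key  # k-1 RKOs are not enough
    joint, cshares = distributed_keygen(k, l)
    ok &= recover_secret(cshares[1:k + 1]) == joint
    return ok


if __name__ == "__main__":
    print("threshold sharing demo:", "ok" if demo() else "FAILED")
```

Note that reconstructing the key in one place, as `recover_secret` does, is the simplest way to show the threshold property but would itself be a single point of compromise; a real threshold signature scheme has each RKO produce a partial signature from its share so that the full key is never assembled. The example also illustrates the paragraph's closing point: the shares only ever combine into a signature over whatever input the k participants are all presented with, so the agents must still agree on that input.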
While this technology is accepted and can be applied in a variety of scenarios, it is unclear how such a solution would actually work with the complexity of the DNSSEC protocol. Again, some non-partisan research would go a long way in helping choose the best solution. Once the technical and operational limitations are known, it certainly opens up some interesting game theoretic questions. E.g., from a decision-making standpoint, are there optimal values for k and l? Who should the RKOs be – governments, private-sector, civil-society – and how will they act strategically? What rules should govern their behavior, how do you encourage cooperation and avoid collusion, etc.? But most importantly, we shouldn’t lose sight of the fact that while threshold schemes effectively distribute power, decrease the risk of key compromise, and can protect the DNS from generation of signed record sets which lack the minimum shareholder agreement necessary, they still require that those agents agree on what they are signing.
And thus, we are back to the crux of the issue: the ongoing political oversight of the contents of the global root zone file by an agency of a single government. A threshold signature scheme for root signing would certainly be a step in the right direction. It importantly provides incentives (a central lesson from the growing literature on the economics of information security) for the various shareholders to work together. But there is no magical technical fix to the problem of political oversight; it is purely an Internet public policy question requiring an innovative institutional design solution that includes all stakeholders dependent on the DNS.