.ORG pushes forward with DNSSEC

In early April, Public Interest Registry (PIR) submitted a service proposal announcing its intention to begin offering secure DNS extensions in the 4th quarter of 2008, and seeking to amend its registry contract with ICANN. If approved by ICANN, .ORG would likely be the Internet’s first secure production gTLD zone. One interesting wrinkle is PIR's proposed language regarding data escrow of DNSSEC related data, specifically key material. In 2006, ICANN revised its registry agreements to require the escrowing of zone records and key data with a third party. This immediately raised concern among some in the DNSSEC-Deployment group. Since DNSSEC is based on the premise that one cannot forge a signed DNS record, maintaining private key confidentiality is an utmost concern.

PIR's proposed amendment alters the provision to exclude some DNSSEC-related material necessary to sign the .org zone (i.e., the private portions of .org zone key-signing keys and zone-signing keys). This makes far more sense from a security and control standpoint, with private key data only controlled by the organization responsible for the zone, and it should not impact ICANN's ability to protect registrants in the event of a registry business failure. PIR's request is another testament to the strength of a distributed, and not centralized, approach to DNSSEC. Other registries planning to deploy DNSSEC will likely take note of PIR’s request and ICANN's forthcoming reply.

Another critical determinant of success in its bid to secure .ORG will be uptake by registrars. A simple survey done by PIR seemed to indicate some interest among the 48 respondents. Uncertainty surrounding whether registrants will actually want secured domains could be the lynchpin in the whole adoption process. Based on their proposal, it seems PIR will incur relatively small hardware and software costs to deploy DNSSEC. Registrars may incur the bulk of the costs associated with providing DNSSEC. Since registrars face the customer directly, they will have to provide sales and marketing of DNSSEC and ongoing customer support. If registrars aren't able to convince registrants of the value of DNSSEC it's hard to see them making much effort to provide it. The other wildcard is the absence of ISPs in this discussion. If ISPs don't deploy secure resolvers then having secure zones is rather pointless for end users (who likely will not have secure stub resolvers for some time). When the Swedish ccTLD .SE launched its DNSSEC service they had the active cooperation of a large Swedish ISP. The fact that those organizations closest to registrants and Internet users are relatively quiet about their own plans for supporting DNSSEC raises some doubt about what impact securing .ORG or any other zones will really have.

PIR’s proposal has been submitted to ICANN’s Registry Services Technical Evaluation Panel (RSTEP) process for further scrutiny. RSTEP has 45 calendar days to prepare a written report regarding the proposed service’s effect on security or stability, which will be posted for public comment and provided to the ICANN Board. Comments on the PIR proposal and amendment can be submitted to pir-dnssec-proposal@icann.org until 23:59 UTC 24 May 2008.

Comments are closed.