Two US Government contractors and the National Institute of Science and Technology have released a white paper, “Statement of Needed Internet Capability,” detailing possible alternatives and considerations for a Trust Anchor Repository (TAR) to support DNSSEC deployment. The document was released through the DNSSEC-Deployment Group this week with a request that it be circulated as widely as possible to gather feedback.
A Trust Anchor Repository (TAR) refers to the concept of a DNS resource record store that contains secure entry point keys (i.e., trust anchors) for one or more zones. It provides the means for a DNS validating resolver to fetch Trust Anchor information for a number of zones in some reliable manner without having to manage this information locally. The stated impetus for a TAR effort is the fact that DNSSEC is being deployed in an ad-hoc manner, and there remain numerous “islands of trust” (e.g., .SE) in the largely unsecured DNS. In a perfect technical world, all zones would be signed, but today many important zones (e.g., .COM, the root zone) remain unsigned for various economic or political reasons. The TAR option has been pushed along by a variety of actors interested in getting DNSSEC deployed widely. For instance, ISC has offered its DLV effort as a bootstrapping mechanism, the SecSpider and IKS Jena Surveys are other options, and RIPE submitted its own TAR proposal to ICANN following unsuccessful attempts to pressure them to sign the root. And given the authorship of the paper, it now seems that certain USG agencies are interested in the TAR option too.
The document does an admirable job of laying out architectural, operational and organizational considerations. It defines types of TARs, including Global TARs to support DNSSEC deployment in the global Internet; and “Communities of Interest” (COI) TARs to support subsets of zones that may exist in government, military, and other “stand-alone (tactical)” networks. Importantly, the document highlights policy choices that would have to be made. However, it does seem to presume one policy choice – a TAR, if implemented, should be limited “to that of a deployment aid instead of assigning it a permanent role in the DNSSEC fabric.” Specifically, the paper notes (Section 4.3) that the alternatives for ceasing operation of a Global TAR could be 1) when a certain number of zones are signed, or 2) when all certain “major” zones are signed. However, the paper also offers the caveat that “it is more useful to base the TAR’s lifetime on the level of benefit it provides to the community at any given point in time.”
These seemingly conflicting positions raise interesting questions – Why is it necessary to limit a Global TAR's purpose to that of a deployment aid? Let’s optimistically assume that a Global TAR successfully overcomes the architectural, operational and organizational hurdles, is implemented and proves to be successful in facilitating widespread DNSSEC deployment. Why wouldn't a Global TAR also be on the table to become a more permanent part of the “DNSSEC fabric”?
The obvious answer is that it’s more difficult to manage, especially without a technique implemented for automated rollover of SEPs (e.g., RFC5011). If a “major” portion of the DNS tree was signed, then it would be simpler for the global Internet to just use the root zone’s trust anchor to initiate validation of zone data. However, a more nuanced answer involves politics. IANA has been having discussions with the U.S. Department of Commerce (DoC) regarding a Global TAR proposal, which ICANN has approved. IANA plans to introduce the proposal at the upcoming ICANN meeting in Paris. In last month’s DNSSEC-Deployment Group conference call, IANA’s General Operations Manager shared the discussions IANA has had with DoC concerning an IANA-run Global TAR. The discussions made two things clear. First, since a Global TAR in no way interacts with the root zone publishing process, the DoC would not have any oversight of how IANA managed it. Second, there was concern that a Global TAR could become permanent (a concern shared by those in the technical community who do not believe there are any political issues involved with DNSSEC), and because of this, any TAR should be “turned off” 60 days after the TLD DS records are added to the root zone.
A “Separate System Policy” for the secure DNS?
One needs to look at the history of other global communications networks to gain an appreciation for why DoC might strangely (they’re supposed to be in favor of liberalization, promoting competition, right?) insist that IANA’s Global TAR be turned off once the root is signed. History has shown repeatedly how national security interests drive governments to influence the development of global communications networks. However, these concerns often have to co-exist with economic or other interests. The result is often a policy compromise that satisfies all the government’s interests. Examples include Great Britain’s policy to build a global submarine cable network during the cable boom in the early 1900s that was invulnerable to attack or interference but could simultaneously be used to conduct surveillance or interrupt the service of its enemies, or the USG’s satellite “separate system policy” (SSP) in the 1980s that permitted alternative carriers to compete with Intelsat, but prevented them from carrying public switched telephone traffic, thereby preserving the ability of the State and Defense Departments to monitor overseas voice traffic while opening the door to the commercial interests supported by the Commerce Department and Federal Communications Commission.
Between the white paper and IANA-DoC discussions one sees evidence of a similar compromise – one that simultaneously supports the national security needs of the U.S. Defense Department (DoD) and the promotion of US economic interests and a “stable and secure” Internet by DoC. The paper suggests that the DoD and other “tactical networks” will utilize stand-alone “Community of Interest” TARs to initiate validation of DNS zone information, while the public Internet will utilize a Global TAR (likely operated by IANA given the trust they hold in the Internet technical community). Reading between the lines and buttressed by the discussions between IANA and DoC, it is further suggested that upon signing the root, the Global TAR will be retired. Couple this with the efficiency gains of using a single root trust anchor, and the network externalities associated with the DNS root and it is all but certain the global public Internet would then migrate to the DNS root trust anchor.
If the policy prescription holds,
1. A temporary Global TAR will be initiated by IANA, probably triggering more widespread deployment of DNSSEC in the DNS tree.
2. DoD will maintain a separate, likely out-of-band COI-TAR independent of any other sovereign or organizational control, which it can use to support validation of zone data served by its authoritative name servers.
3. Eventually, a large portion of the global Internet will shift to the DNS root trust anchor (which the USG intends to continue to oversee) to support secure DNS resolution, further entrenching US economic and national security interests in the current DNS structure.
In retrospect, it may make sense for other governments and non-U.S. actors to contemplate the caveat offered in the paper, that “it is more useful to base the TAR’s lifetime on the level of benefit it provides to the community at any given point in time,” and apply the logic to IANA’s or any other Global TAR that might emerge.