VeriSign's plan to sign the root

UPDATED 10/3 VeriSign has publicly released its proposal to sign the root. It comes on the heels of ICANN submitting their own (yet to be publicly released) proposal to the NTIA on September 2. In brief, VeriSign's proposal to deploy DNSSEC at the root:

1. Retains the existing root zone editing, authorizing, and publishing roles held by IANA, DoC, and VeriSign, respectively.

2. Integrates the use of an IANA-run TAR to provide registry key material (i.e., DS records) for inclusion in the root zone.

3. Advocates that VeriSign generate the Zone Signing Key (ZSK), sign and publish the root zone.

4. Proposes that the generation of the Key Signing Key (KSK) be distributed among organizations, using a “M of N” key technique, where N is the number of entities that share control of the key, and M is the minimum number of those entities that must agree to any use of the key, (e.g., using it for signing).

5. Proposes, in an attempt to address the political sensitivities surrounding root signing, distributing KSK activity to the root server operators (RSOs).

6. Suggests that RSOs authorize VeriSign's use of that KSK to sign the next year’s entire set of key sets (twelve in all) in advance. The root zone maintainer and signer (currently VeriSign) would store these key sets and use them throughout the year as required.

VeriSign adds a much needed dimension to the root signing debate, introducing a well known threshold cryptographic technique. But the reliance on root server operators needs to be considered carefully. It's true that most of them are a fairly non-controversial, tightly knit group of actors that has the interest of serving up a consistent root globally. But this view of RSOs is partially due to the low profile that root server operators maintain. A more nuanced analysis, which recognizes the political and economic importance of the root zone, could see this as an effort to convince the RSOs to lock in to the institutions and policy making processes which control the content of the DNS root.

It's pretty clear that, in terms of representing the various political and economic interests concerned, the diversity of root server organizations is inadequate. They are geographically concentrated in the United States, with ten of the 13 RSOs being legally located in the United States and subject to its laws and government. Root server operations are also concentrated among limited set of interests. While classifying organizations according to the “multistakeholder” categories being used widely in Internet governance institutions is difficult, it's clear that 10 are private sector non-governmental organizations, 3 are US government agencies, and that there are no CS or intergovernmental organizations involved. Furthermore, the USG has substantial influence and oversight over 6 of the 13 root server operators, either through the fact that they are government agencies, or that the USG maintains a contractual relationship that can impact the organization's behavior (and that isn't counting the RSOs that have research funding from the USG).

Because of these issues, the VeriSign proposed number of RSOs needed to successfully use the root KSK, i.e. 5 root server organizations, is simply too low. The number (M) needs to at least exceed 6, and preferably it needs to exceed the number of organizations legally based in the US (i.e., 10). If there is a desire to keep the number smaller, an alternative would be to increase the geographic and interest diversity of root server organizations. This could be achieved by shifting the legal location of some of the RSOs, or perhaps increasing multi-stakeholder involvement in the activities of root server organizations. A third option could be to use the same “M of N” technique, but to simply tap a different group of organizations entirely.

UPDATE: McTim raises the point of “why is 6 the magic number?” One argument could be that 6 exceeded by 1 the number of RSOs that are very close to the USG and probably most subject to its influence. But I'll agree determining an appropriate threshold needs far more analysis. The numbers chosen in a threshold arrangement (i.e., “M of N”) impact and involve tradeoffs in the integrity, confidentiality, and availability of a protocol. For instance, the higher “M” is the more difficult it is to inadvertently or maliciously reveal information outside of the protocol. However, achieving higher confidentiality decreases the availability of the protocol, i.e., getting all the necessary number of orgs together to complete the protocol. But I’m not so sure we should be focused on the threshold value per se.

McTim also took issue with my quick classification. My main point (poorly conveyed) is while we can quibble all day about classifying RSOs into various multistakeholder buckets, it's really not too helpful. What matters is the independence of the orgs participating. As I said, there is no question that most of the RSOs are legally based in the US, subject to its laws and government. If we believe the DNS is a global infrastructure, and acknowledge that a government might use their ability to influence a communications network to accomplish other policy objectives (and historically they do), then any threshold arrangement should be designed to limit (dare I say, neutralize) this influence. This could be possible if the “N” orgs are based (note I didn’t say they should be governmental) in various countries that represent political-economic power on the Internet, or maybe including an intergovernmental org. I'm not sure solely tapping the RSOs for this role is appropriate.

Finally, McTim asks if “the folk you have in mind would want to foot the bill? Do they have the capacity to be rootops?” First, I don't have anyone specific in mind, I just said using the RSOs needs to be carefully considered. Second, the “Internet community” (including CS, Govts, PS, Tech) should probably be consulted (maybe an ICANN public consultation?) to determine and ask these orgs if they're interested and capable. BTW – I don't think the VeriSign proposal suggests that the KSK “holders” need to be able to run a root. They just participate and provide oversight of key generation. Again, more analysis is needed.

3 comments

  1. Anonymous

    US Department of Commerce stands in the way of DNS Security
    In a move surely to raise eyebrows in the international community the US Department of Commerce, made clear [1] their intention to block efforts to completely secure key data by requiring sensitive keys to be transmitted to a third party before being published in final protected (signed) form. Their motivations, as well as the reasons for the intensity of their remarks, are unclear particularly given the minor nature of the proposed change and ICANN having already provided such functionality [2]. In fact the need for this change was envisioned and agreed to between VeriSign and ICANN some time ago [3]. As noted in [4] Commerce’s effective attempts to gag ICANN to discuss proposals leads one to further questions and concerns about transparency.
    DNSSEC will not only fix recently discovered DNS vulnerabilities but will become a secure platform for many future applications. Maintaining trust from TLD operator to signed root by minimizing any avenues for corruption or error, by protecting (DNSSEC signing) sensitive keys at the point where they are authenticated and validated, ensures the Internet and any new developments will be able to rely on the security of this platform into the distant future. Just because the specifics of the current approach to managing the root have worked for so many years doesn’t mean it couldn’t benefit from a minor change. That’s how we got to where we are now – holding back on changes until serious vulnerabilities are discovered and then trying to quickly secure the decades old DNS protocol. We should take this opportunity to be proactive – not reactive – and insist that the US government let the international community of Internet experts do their best in securing the DNS or – take it elsewhere.
    [1] last para http://www.ntia.doc.gov/comments/2008/ICANN_080730.html
    [2] last para http://www.circleid.com/posts/88183_pressing_need_for_a_signed_root/
    [3] para 2 “Root Server Management Transition Completion Agreement 2006”
    [4] para 3 http://www.icann.org/correspondence/baker-to-twomey-09sep08.pdf

  2. Anonymous

    “The number (M) needs to at least exceed 6”
    Why is 6 the magic number?
    “the diversity of root server organizations is inadequate”
    It's been quite adequate so far, as in the root is served quite well by these RSOs.
    “it's clear that 10 are private sector organizations, 3 are US government agencies, and that there are no CS or intergovernmental organizations involved.”
    First of all, the above is incorrect:
    I count at least 4 (5, really) CS bodies running root-servers (and it's unclear to me WHY any of them NEED to be run by CS groups), but nevertheless, they are:
    “F” Internet Systems Consortium, Inc. (ISC) is a nonprofit 501(c)(3) public benefit corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet from isc.org www
    K – RIPE NCC – “The RIPE NCC is an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical co-ordination in its service region. ” from ripe.net www
    L – ICANN – The Internet Corporation for Assigned Names and Numbers (ICANN) is an internationally organized, non-profit corporation that has responsibility for Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code (ccTLD) Top-Level Domain name system management, and root server system management functions.
    M – WIDE Project – The WIDE Project, an industry-government-academia….. working in close cooperation with international organizations such as IETF and ISOC is part of a technology consortium aimed at providing solutions to current issues and standardizing network and Internet related technologies.
    Then there is “I” run by Autonomica/NORDUnet. NORDUnet is the result of the NORDUNET programme (1986 to 1992) financed by the Nordic Council of Ministers. So a non-USG governmental effort, plus Autonomica, run by a Foundation (Stiftelsen för Telematikens utveckling) I count as “I” as CS as well.
    I would say that the Universities are NOT USG agencies OR PS. They both seem to be State Universities run by their Board of Regents. They can't really be classified as PS or USG.
    So, by my count, there are 3 PS:
    A – VeriSign Global Registry Services
    C – Cogent Communications
    J – VeriSign Global Registry Services
    5 CS as above
    2 run by Academia
    B – Information Sciences Institute at USC
    D – University of Maryland
    which leaves 3 run by USG agencies
    E – NASA Ames Research Center
    G – U.S. DOD Network Information Center
    H – U.S. Army Research Lab
    It all seems pretty multi-stakeholder to me. Who would you suggest hold the keys or run these servers? Are you sure the folk you have in mind would want to foot the bill? Do they have the capacity to be rootops so?