ICANN's DNSSEC root signing proposal d.o.a.?

What is technical and what is political? Some of you may recall various members of the technical community scolding us about how implementation of DNSSEC at the root was a “purely technical issue” and that the world should ignore the governance questions and just “get on with it.” This plea of urgency gained steam this summer during the Kaminsky attack episode, with some blaming the Department of Commerce as the “show-stopper.” What some technical experts failed to recognize was the underlying power struggle involving ICANN, the U.S. Commerce Department and VeriSign over the arcane business of how the root zone of the DNS might be signed, an important step in the implementation of DNSSEC. And more importantly, how the US Government is making sure this process unfolds in a way that keeps it in control of the root.

Earlier this week, we briefly mentioned ICANN's root signing proposal which was announced in a correspondence to NTIA on Sep 2 and acknowledged by the Department on Sep 9. The ICANN proposal was developed by its staff; with input from a select group of ICANN board members and liaisons, as well as a handful of external technical reviewers. ICANN's correspondence did not contain many details. But critically, it stated that the proposal recognized that “ICANN, VeriSign and the NTIA all have an ongoing role in producing and distributing the signed root zone” and suggested “modifications to the current roles.” The language suggested that ICANN was proposing to edit, create, and sign the contents of the root itself, as it has talked about previously and been doing successfully in its test bed environment now for over a year. But it’s impossible to confirm – because the proposal has yet to be released publicly.

The suggestion of altering the root zone management roles is obviously a sticking point with the U.S. Commerce Department. In August, responding to the ongoing President’s Strategy Committee (PSC) call to implement the Root Server Management Transition Agreement, DoC felt it “important to clarify that we are not in discussions with either party to change the respective roles of the Department, ICANN or VeriSign regarding the management of the authoritative root zone file, nor do we have any plans to undertake such discussions.” NTIA seemingly extended to ICANN this moratorium on discussions concerning root signing. In replying to them about their proposal, NTIA said it considered the proposal “to have been submitted as a proposed modification to the IANA functions contract,” saying it would “materially change the established methods for performing the IANA functions.” Because of this, it refused ICANN's request to engage in public consultations about its root signing proposal. Instead, there are indications NTIA will begin its own public consultation soon.

It's hard to understand why ICANN has not released its proposal for review by the Internet community — unless, perhaps, the US Commerce Department told them not to. Given the global impact of deploying DNSSEC at the root, which would constitute a fundamental change to the DNS, it would be extremely helpful to evaluate a broad selection of proposals from all parties. To date, IANA has been perfectly clear that it supports a transparent root signing process. IANA staff have done public presentations about their test-bed, sharing fairly detailed technical and procedural information with the technical community.

Another party seemingly concerned about ICANN's attempt to discuss altering the root zone management roles is VeriSign. Much like their announcement of a competing DNSSEC root signing test-bed at Dehli in March, the release of their root signing proposal this week caught some off guard. It's not entirely clear why VeriSign is so interested in retaining its role as signer and publisher of the A root. There appears to be potential risk involved (apparent from the thoroughness of their own root signing proposal) and no obvious economic upside for them. It makes even less sense when you consider they retain any economic benefits associated with running a root server because they run the J root as well. Between VeriSign's actions and NTIA's pressure on ICANN to bury their proposal, its hard not to believe that maintaining USG control is the main driving force in deploying DNSSEC at the root.