As noted previously by IGP, it is not entirely clear where requirements for DNSSEC in the Draft Applicant Guidebook emerged from within the ongoing consultation. Public comments to date from several organizations are mostly negative, including China Organizational Name Administration Center (CONAC), Uninet Bulgaria, Domain the Net (Israel), DotAfrica, Regtime (Russia), and CORE (Switzerland). They cite a variety of concerns, ranging from potential conflicts with deploying IDNs, to conflicts with local and national laws, to concerns about data escrowing, and question whether it is appropriate for all registries. In general, they argue that requiring DNSSEC could prevent new gTLDs.

The proposed registry agreement (clean version) is quite specific when it comes to implemented protocols:

Registry Operator shall implement Domain Name System Security Extensions (“DNSSEC”).  During the Term, Registry Operator shall comply with RFCs 4033, 4034, 4035, 4509 and 4310 and their successors, and follow the best practices described in RFC 4641 and its successors.

RFC 4509 stipulates a specific implementation from the RSA/SHA family of hash algorithms to create certain DNSSEC-related resource records. Now this might seem an arcane technical detail, but when examined through the lens of standardization, it reveals the degree to which ICANN policy is being used to influence what standards are implemented, and how that can shape competition in global markets for new gTLDs and cryptographic products.

5 thoughts on “DNSSEC requirement for new gTLDs raises concern outside US”

  1. None of the cited articles actually discuss any real objections with pointers to any reference material. They claim some governments are opposed to DNSSEC, but don't provide evidence of that, or at least pointers to said discussion. Because DNSSEC isn't used for confidentiality, merely integrity, it again isn't clear what concerns there are. And, RSA and SHA are both open standards and unencumbered globally, except where state regulations may govern their use (Russia) and those exception cases are being dealt with. Am I missing something else other than essentially unspecified unsubstantiated fears? I'd love pointers to more real data than is contained in the comment pieces you link to.

  2. I agree with Andy here – what are the exact objections? The only real reason for making objections on the DNSSEC requirement is that it is making deployment a little bit more expensive and requires some technical skill.
    If these are the real objections you could argue that running a TLD is not really a cheap business and that it might require a higher price for the domains. You can also argue that a TLD operator should have a certain level of technical skill…

  3. I've invited the organizations that submitted comments here to clarify their objections.

  4. Hey, come on, DNSSEC has no presumption of overall benefit to TLD stakeholders/clients!
    The messages on the ICANN consultation records are objections to DNSSEC being mandatory for new gTLD operators, they need not overcome any presumption of validity for DNSSEC.
    I can't speak for them, but I guess I can read. From their perspective, mandatory DNSSEC highlights the “historical role” of the USG in DNS management. It's an easy excuse, but do they need any other one at this point in time?
    Another comment asked “Why new entrants and not the existing ones?”
    Then what? The technical community certainly didn't specify an entry-level, least cost, DNSSEC implementation. If you figure it out, and you should predict a spoiled DNSSEC deployment (i.e. interoperability compliant but not trustworthy). This is a very bad ICANN move to turn voluntary compliance to an incompletely specified IT security scheme into a mandatory one. (The authors of comments need not delve into this analysis, which is mine.)

  5. DNSSEC Militia
    * Alan Barrett: RFC 4033
    * Alexander Mayrhofer
    * Alfred Hoenes
    * Allison Mankin
    * Andrew Sullivan
    * Andris Kalnozols: RFC 4033
    * Ben Laurie: RFC 4033
    * Bernie Hoeneisen
    * Bill Manning: RFC 4033
    * Bob Halley: RFC 4033
    * Brian Wellington: RFC 4033
    * Cary Karp
    * Charlie Kaufman
    * Christian Huitema: RFC 4033
    * Dan Bernstein: RFC 4033
    * Dan Massey
    * Dave Crocker
    * David Blacka: RFC 4033
    * David Conrad: RFC 4033
    * David Lawrence: RFC 4033
    * David Smith
    * Derek Atkins: RFC 4033
    * Donald Eastlake: RFC 4033
    * Doug Maughan
    * Doug Montgomery
    * Ed Lewis: RFC 4033
    * Eric Osterweil
    * Erik Nordmark
    * Erik Rozendaal
    * Francis Dupont
    * Geoffrey Sisson
    * Gilles Guette
    * Greg Hudson
    * Hakan Olsson
    * Hilarie Orman
    * Holger Zuleger
    * Howard Eland
    * Jaap Akerhuis
    * Jakob Schlyter: RFC 4033
    * James Gould
    * James M. Galvin
    * Jeffrey I. Schiller
    * Jelte Jansen: RFC 4033
    * Jim Reid: RFC 4033
    * Joe Abley
    * Johan Ihren: RFC 4033
    * John Crain
    * John Gilmore
    * Josh Littlefield: RFC 4033
    * Jun-ichiro Itojun Hagino: RFC 4033
    * Kevin Meynell
    * Klaus Malorny
    * Lars-Johan Liman
    * Len Budney
    * Lixia Zhang
    * Mans Nilsson
    * Marcos Sanz: RFC 4033
    * Matt Larson
    * Mark Andrews: RFC 4033
    * Mark Kosters: RFC 4033
    * Martin Fredriksson
    * Masataka Ohta
    * Michael Graff
    * Michael Richardson: RFC 4033
    * Miek Gieben: RFC 4033
    * Mike Patton: RFC 4033
    * Mike StJohns??
    * Neil O'Reilly
    * Olaf Kolkman: RFC 4033
    * Olafur Gudmundsson
    * Olivier Courtay
    * Patrick Mevzek
    * Patrik Fältström
    * Paul Mockapetris
    * Paul Vixie
    * Paul Wouters
    * Pekka Savola
    * Peter Koch
    * Phillip Hallam-Baker
    * Phil Regnauld
    * Radia J. Perlman
    * Randy Bush: RFC 4033
    * Rick van Rein
    * Rip Loomis
    * Rob Austein
    * Robert Elz
    * Rob Payne
    * Roy Arends
    * Roy Badami
    * Russ Housley
    * Russ Mundy
    * Sam Weiler
    * Scott Hollenbeck
    * Scott Rose
    * Simon Josefsson
    * Srikanth Veeramachaneni
    * Stephen Jacob
    * Steve Bellovin
    * Steve Crocker
    * Steven (Xunhua) Wang
    * Stuart E. Schechter
    * Suresh Krishnaswamy
    * Suzanne Woolf
    * Ted Hardie
    * Ted Lemon
    * Ted Lindgreen
    * Thomas Narten
    * Tim McGinnis??
    * Vasily Dolmatov
    * Walter Howard
    * Wes Hardaker
    * Wouter Wijngaards
