IGP has spent a lot of time trying to get people to appreciate the massive global governance issues caused by adding security to the Internet's core infrastructure. We just didn't expect them to become this obvious so quickly. Case in point: various technical lists are abuzz with news that Cisco, the world's largest router manufacturer, is discussing the possibility of making every one of its products do DNSSEC validation by default:
That may just sound like a new product feature, but wait: Cisco is seriously considering using the DNS itself, and ICANN specifically, to help manage the security of these devices. After reviewing the options in a post to an IETF discussion group on DNS security, John Bashinski, an individual Cisco employee, concluded that
But what will be the default trust root used by these millions of products? Think of that old Linksys router gathering dust in your closet. How will it initiate DNSSEC validation after being offline for some period? Would it rely on Cisco's private PKI, or on the existing “public” X.509 PKI? Bashinski's “preferred answer” is interesting:
Get IANA and the root zone [i.e., ICANN] to provide some kind of service for getting [products] up to date starting from old trust roots. This is our preferred answer…
Bashinski provides a list of reasons why outsourcing to ICANN might make sense (e.g., familiarity, transparency, longevity) – and he is also adamant that nothing is decided yet, not by Cisco or by anyone else. But for better or worse, what we're talking about here is making ICANN the default “phone home” start-up point for a very large slice of the world's networking equipment. While arguments over the technical virtues continue, this discussion clearly illustrates the tendency to rely ever more heavily on ICANN for critical public governance functions, simply because it's already there.