Nearly five months after the fact, DHS acknowledged widely last week the release of a draft technical specification for signing and securing the DNS Root Zone. Signing the root is considered a critical step toward the widespread deployment of DNSSEC across the Internet.
The document, prepared for DHS by the DoC's NIST and two defense contractors, was reviewed initially by other USG agencies and then distributed for comment in November 2006 to a group of 30 technical experts in government, academia, and key Internet governance and infrastructure organizations from the US, Sweden, UK, Germany, Netherlands, Japan, Brazil, and Australia. Surprisingly, the document was marked “not for further distribution” yet posted to a publicly available listserv for individuals working on DNSSEC deployment. An unknown number of comments on the specification were received, and have not been made available to the public.
The draft outlines various scenarios for signing the root and for who could be the root key holder, focusing mainly on a single “Root Key Operator,” and suggesting either a governmental agency or a contractor. However, it importantly offers alternatives for having multiple, but a limited number of, Root Key Operators who would each sign the contents of the root zone with their own key. It also mentions, but discounts, a single split key management approach which is required by NIST FIPs 140-2 standards for high security systems. DHS intends to release a second version of the document for public comment later this year. In light of the highly politicized nature of root zone oversight currently exerted by the DoC, and widespread desire to make the Internet more secure, alternatives which distribute root signing authority seem to offer more promise.