Over the last few months much has been made of digitally signing the root as a critical step in widely deploying DNSSEC. At the May Symposium on Internet Governance and Security, one panelist wondered aloud if ICANN/IANA would ever sign the root as they agreed to do in 2006. Similarly, RIPE's recent letter publicly urged ICANN/IANA to act, lest RIPE go ahead and create its own trust anchor repository, as one large European ISP suggested. And finally, the FIPS requirement to deploy DNSSEC technology within medium and high impact federal IT systems is bearing down, with the effort taking on a new sense of urgency with the launch of the NIST/SPARTA/DHS SNIP testbed early this month.
Well, it now seems that some of the pressure has started to work. At the informal IEPG gathering prior to the 69th IETF being held in Chicago this week, an IANA representative explained some technical specs and operational details behind its recent deployment of a DNSSEC testbed that includes a signed root zone. From the limited minutes available, a few paraphrased highlights:
IANA is generating new zone signing keys (ZSK) monthly, using a script based upon Public-Key Cryptography Standards #11 (PKCS #11) as published by RSA. IANA maintains it is committed to making the system's source public. IANA's approach is to generate 3 overlapping ZSKs, one of which is “active” at any point and used to sign the root zone. The ZSKs are signed using one of 2 overlapping key signing keys (KSK), both of which sign the bundle of 3 ZSKs. In the event of an emergency rollover, IANA relies upon a scripted procedure that migrates from the compromised key to a new, already “socialized” (pre-published) key. A status page for the testbed is available.
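To make the described scheme concrete, here is an added model (not IANA's code, and using stand-in signatures rather than RSA/PKCS #11) of a key set with 3 overlapping ZSKs, one active, 2 KSKs that both sign the DNSKEY bundle, and an emergency rollover onto a ZSK that a validator has already cached; the key-tag values and record names are constructed.

```python
"""Constructed model of the key scheme described above (not IANA's code).
Signatures are stand-ins (key tag plus SHA-256 digest), not RSA; the point is
the key-set logic and why a pre-published ZSK keeps cached validators working."""
import hashlib
import itertools

_tags = itertools.count(1000)  # stand-in for DNSKEY key tags


def new_key(role):
    """Fresh key record; role is 'KSK' or 'ZSK'."""
    return {"role": role, "tag": next(_tags)}


def sign(data, key):
    """Stand-in RRSIG: (key tag, digest over data and tag)."""
    return (key["tag"], hashlib.sha256(data + str(key["tag"]).encode()).hexdigest())


def verify(data, sig, keyset):
    """A signature validates only if its key tag is in the trusted key set."""
    key = next((k for k in keyset if k["tag"] == sig[0]), None)
    return key is not None and sign(data, key) == sig


class RootSigner:
    def __init__(self):
        self.ksks = [new_key("KSK"), new_key("KSK")]   # 2 overlapping KSKs
        self.zsks = [new_key("ZSK") for _ in range(3)]  # 3 overlapping ZSKs
        self.active = self.zsks[0]

    def publish_dnskey(self):
        """DNSKEY bundle of all five keys, signed by each KSK."""
        keys = self.ksks + self.zsks
        bundle = ",".join(str(k["tag"]) for k in keys).encode()
        return {"keys": keys, "bundle": bundle, "sigs": [sign(bundle, k) for k in self.ksks]}

    def sign_zone(self, rrset):
        return sign(rrset, self.active)

    def emergency_rollover(self, compromised):
        """Retire the compromised ZSK and activate one already in the bundle."""
        self.zsks = [k for k in self.zsks if k["tag"] != compromised["tag"]]
        self.active = self.zsks[0]          # pre-published ("socialized") key
        self.zsks.append(new_key("ZSK"))    # keep three overlapping ZSKs
        return self.active


def resolver_validates(dnskey, trust_anchors, rrset, rrsig):
    """Validator: check a KSK signature over the DNSKEY bundle, then the RRSIG."""
    ksk_ok = any(verify(dnskey["bundle"], s, trust_anchors) for s in dnskey["sigs"])
    return ksk_ok and verify(rrset, rrsig, dnskey["keys"])
```

A resolver holding the DNSKEY bundle fetched before the emergency still validates data signed with the newly activated ZSK, while a key not in that bundle is rejected until the bundle is re-fetched.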
Based on this scant information, it does appear IANA is trying to move the ball forward on signing the root. However, the critical DNSSEC policy issue of who controls the root keys is still unresolved. It appears that control of both the ZSKs and the KSKs (aka the “keys to the Internet kingdom”) will reside with a USG contractor, just as suggested in the DHS-sponsored root signing technical specification. This is sure to raise eyebrows among some ccTLD and root server operators and others who see DNSSEC as just one more way of solidifying the dominance of the ICANN/IANA root, and with it USG political oversight.
The above approach also goes against a basic tenet of Internet architecture: diversifying critical infrastructure in order to improve security and reliability (e.g., similar to how anycast technology diversifies some of the Internet's root servers). Keeping all root zone signing activity with one root key operator (RKO), as opposed to the IGP proposal of spreading it across a few non-governmental RKOs, seemingly violates this tenet, and certainly increases the probability that ICANN/IANA would be liable should it falter in performing its DNSSEC-related duties. Of course, this assumes that ICANN/IANA is willing to offer some level of reliability for the signed DNS responses it provides. And if they're not, it's unclear why any other organization would be willing to stick its neck out to provide DNSSEC-based services dependent on the ICANN/IANA trust anchor.
It seems clear that the IANA technical staff is merely making tests for going through a steep learning curve for anyone involved in DNSSEC deployment.
I doubt that these tests could be an indication of any direction with respect to the policy issues surrounding the DNS root KSK control.
– Thierry Moreau
Sure. But if it's a testbed, then why not test a couple of different procedures for managing the KSK and signing the root? Why this single approach? Unless it's been predetermined without broad discussion among those impacted.