As ICANN opened its 30th meeting in Los Angeles on Monday, the .uk registry Nominet released a short position paper on DNSSEC — and focused on the issue of signing the root zone. Intentionally or not, Nominet's paper validates IGP's long-held contention that there are major public policy issues around DNSSEC. In it they highlight the need for a single trust anchor and warn against alternative solutions. They emphasize the need for the keys to be managed by ICANN/IANA and used by the root zone maintainer to sign the root, and, most importantly, the necessity of opening up root management through “enhanced cooperation.”
Like many other organizations (e.g., RIPE), Nominet wants a single trust anchor. Furthermore, they believe it should reside in the same point of the DNS hierarchy as the single authoritative list of TLDs (i.e., the root zone file under DOC/ICANN control). In their words, “anything else would be splitting the root” and would hinder DNSSEC adoption. Their request appears to be a response to two risks: one is that alternative trust anchor schemes might be adopted first, especially DNS Lookaside Validation (DLV) which ISC has currently implemented and is pushing. The other is the threat that the self signing of zones by early adopter registries like .se and .br will become widespread.
Nominet suggests that creating and maintaining of root zone KSKs and ZSKs reside with the IANA function of ICANN. IANA would then distribute the public portions of the KSKs and the public and private portions of the ZSKs to an unspecified root zone maintainer (RZM) for use in signing the root zone file. The paper stipulates that the RZM would actually sign the root zone file, “following agreed algorithms,” and publish the public portions of the KSK and ZSK. Nominet does “not believe there is any role for a third party in this process.” But strangely, Nominet continues on to say that their “proposal would not alter (or strengthen) the role currently undertaken by the US Government” who is clearly a third party in the process and makes the final call on what resource records go in the root zone file.
In granting the actual signing function to an unspecified RZM, Nominet recognizes the power of that role. The caveat about “agreed algorithms” is something that has had little attention paid to it but is incredibly important. Without means for agreement, only the RZM would have its hand on the knob that determines the difficulty of breaking digital signatures associated with root zone file data. One can easily see how TLD operators might be concerned about a US-based private sector communications company fulfilling this role, especially given the recent history between US national security interests and telecom companies and VeriSign's well-known close ties to the USG. If the RZM continues to be VeriSign, inquiring minds would certainly want to know, what/who would guide VeriSign's decision in algorithm selection, and how could this impact the security of DNSSEC-enabled TLD zones? To whom would VeriSign be accountable?
Most importantly though, Nominet argues that “mechanisms incorporated into the Tunis Agenda, such as the process towards enhanced cooperation, together with ongoing discussions within the Internet Governance Forum, should incorporate the expanded root management function, including DNSSEC signing.” Essentially, Nominet seems to be arguing unsurprisingly that decisions about implementing technologies at the root of the global Internet require broad discussion among those affected and expanded oversight. No single government or organization should be in charge of critical global infrastructure.
So, how exactly is “enhanced cooperation” occurring now? Unfortunately, there was a not so positive sign at this week's ICANN meeting. Tuesday there was a closed session on DNSSEC for members of the Governmental Advisory Group (GAC). Some ccTLD operators were invited as well, but apparently no civil society actors. According to the chair of ICANN's Security and Stability Committee and a DNSSEC Deployment Initiative group member, the GAC has asked for a briefing on DNSSEC “starting with what it is and why it's important.” The agenda is supposed to be an overview of DNSSEC, the IANA implementation, and a discussion of signing the root. The individual was hoping to “focus [the discussion] on the technical role signing the root plays” while trying “to finesse the political aspects.”