DNSSEC and the issue of signing the root have been hot topics in Internet governance over the past year. Most recently, the IGP co-sponsored workshop at IGF-Rio saw several interested parties (see the workshop writeup) vigorously debating if the root should be signed. Perhaps anticipating that discussion, ICANN released a ccNSO survey of 61 ccTLD operators on DNSSEC just before IGF-Rio. It highlighted that the majority of interviewed operators preferred ICANN/IANA sign the root, but numerous other arrangements were identified as well. In Rio, the CEO of the largest ccTLD argued that deploying DNSSEC at the root entails making a decision about whether to dedicate trust to one or multiple entities. She and a representative of CGI.br openly expressed concern about a single entity controlling such a critical piece of the DNS.
In a promising sign that policy discussions regarding critical internet resources are responding to IGP advocacy and IG Forum discussions, the DNSSEC-Deployment group is now discussing options for distributing root signing authority. This turn in the debate shows that constructive criticism and discussion of DNSSEC governance arrangements can indeed lead to improvements, despite early resistance to even discussing the topic.
In May, IGP released a proposal calling for multiple, but limited number, of non-governmental organizations to be responsible for creating the associated keys and digitally signing the contents of the root. Having multiple organizations generating signatures absolutely requires that they agree on the root zone content prior to signing, otherwise you can end up with resolvers unable to validate signed resource records sets and resolve DNS queries. As noted on the DNSSEC-Deployment list, further study of the interaction in this scenario would be beneficial for everyone.
Another option being suggested is a threshold signature scheme, which is often applied in key escrow situations where two or more agents (l) need to hold parts (i.e., shares) of a key(s). Under these schemes, a minimum number of agents (k) are required in order to digitally sign a piece of data. E.g., k of l root key operators (RKOs) could sign the zone signing key for the root zone file managed by ICANN/IANA. A main benefit of these schemes is that they distribute risk of key compromise. Furthermore, the option exists to have either a single trusted party generate the key material or to have the signing function and key generation done in a distributed manner by the agents (1,2,3,4,5,6,7).
While this technology is accepted and can be applied in a variety of scenarios, it is unclear how such a solution would actually work with the complexity of the DNSSEC protocol. Again, some non-partisan research would go a long way in helping choose the best solution. Once the technical and operational limitations are known, it certainly opens up some interesting game theoretic questions. E.g., in terms of decision making are there optimal numbers for k and l? Who should the RKOs be – governments, private-sector, civil-society – how will they act strategically? What rules should govern their behavior, how do you encourage cooperation and avoid collusion, etc.? But most importantly, we shouldn’t lose sight of the fact that while threshold schemes effectively distribute power, and decrease the risk of key compromise, and can protect the DNS from generation of signed record sets which do not have the minimum shareholder agreement necessary, they still require that those agents agree on what they are signing.
And thus, we are back to the crux of the issue, the ongoing political oversight of the contents of the global root zone file by an agency of a single government. A threshold signatures scheme for root signing would certainly be a step in the right direction. It importantly provides incentives (a central lesson from the growing literature on the economics of information security) for the various shareholders to work together. But there is no magical technical fix to the problem of political oversight; it is purely an Internet public policy question requiring an innovative institutional design solution that includes all stakeholders dependent on the DNS.
5 thoughts on “DNSSEC-Deployment Group Now Discussing Distributed Root Signing”
Your “spin” on this issue constantly amazes me. While the issue IS being discussed, the mail you reference says:
“The coordination for making sure that all of this is up to date would be somewhat horrific. Those signatures would need to be applied EACH time the root is signed.
We can't even get the root signed with one organization – do you really want to try for 2-5?”
The “crux” of the issue for me is the above quote. Why make it a more complex process than it needs to be? Multiple root signers sounds like bad engineering, for the sake of politics!
In the post you refer to, the author is actually making a clear distinction between two totally different applications of digital signing technology. The first is a scenario that involves multiple KSKs used to sign the root ZSK (which the poster is saying would be “somewhat horrific” because of coordination issues, but as noted by the chair of SSAC in another post, this option has never been fully explored). The second is a threshold signature, which could use a single KSK/signature function that is distributed in some fashion among relevant parties (which the poster said is the “appropriate technology” if “you want multiple entities to be responsible for the signatures on the root zone”). An important difference that is easy to overlook.
Doesn't matter if it's multiple keys or multiple orgs signing one key, it's the notion that other folk besides the domain admin have any say in signing the zone that is troublesome.
Geoff Huston has it spot on: http://www.circleid.com/posts/dnssec_once_more_with_feeling/
“Signing the DNS root appears to remain a political question rather than a technical question. For as long as there are folk who equate their unwavering desire to express their interest in the politics of the administration of the DNS with an undeniable conviction that they or others deserve a right of veto in the administration of the root zone of the DNS via their interest in a share of the control of the DNS root key, then this may well remain an intractable political problem. Sigh.”
“Surely the answer to signing the DNS root is one that has been staring us in the face since the start of this entire DNSEC effort. As with all zones, it the role of the zone administrator to generate the keys and sign the zone file. In the case of the root zone of the DNS its back to the IANA to just do the job and let the rest of us move on.”
Either Geoff is being naive or disingenuous. Probably a mix of both. We are approaching the 10th anniversary of the time when IANA became a political football that was de facto taken over by the US government, a time when Jon Postel threatened with jail if he did anything without the permission of the USG. To say that IANA should simply sign the root as a technical function and that there are no political or governance issues is like saying that IANA shold decide which TLDs exist, as it did back in the “good old days.” Appeals to the purely “technical” nature of the function simply don't wash anymore. It isn't us who politicized this, folks. It happened a decade ago, and the stakes have only gotten bigger and hence the issues even more political. The only real way to “de-politicize” the function is to reach agreement on governance arrangements that share power and avoid any possibility of abuse by nation-states, ANY nation-state.
There is at least a third option, besides naivete or disingenousness (neither are adjectives normally used to describe Dr. Huston), and that is that he is correct.
In DNSSEC, zone admins sign their zones. Period. To say that the root is somehow special and needs multiple agents involved in signing delays implementation and may be a show-stopper. We have had too many delays over the course of the last 10 years. Let's just get it done!
Comments are closed.