Last June IGP reported on efforts to develop a trust anchor repository (TAR) to help bootstrap the deployment of DNSSEC. A TAR would provide a centralized location where top-level registries could place public key information pertaining to their zone’s trust anchor. That key information could then be fetched by validating resolvers to initiate the validation of signed zone data. The TAR idea had been floated by several actors in view of the difficulty of getting DNSSEC deployed at the root.
It seems that the TAR concept continues to gain traction. There’s word on the DNSSEC-Deployment list that IANA plans to publish a file containing TLD trust anchor information in mid-October, as directed by ICANN’s Board of Directors earlier this summer. Apparently the contents of this file will be digitally signed and verifiable with IANA’s extended validation key.
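To make concrete what a validating resolver does with a TAR entry once it has fetched the file, here is an added example (not code from the original post, IANA, or ICANN). The post does not specify the file format, so this assumes each entry is a DS-style trust anchor (key tag, algorithm, digest type, digest) keyed by TLD name; the resolver hashes the DNSKEY the TLD actually serves and accepts it only if it matches the anchor. Verifying IANA's signature over the file itself is a separate step not shown here.

```python
"""Check a TLD's served DNSKEY against a trust anchor taken from a TAR."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustAnchor:
    zone: str         # TLD name as listed in the TAR, e.g. "example."
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509); only this type is handled
    digest: str       # hex digest as published in the repository


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, rdata: bytes) -> str:
    """DS digest (type 2) = SHA-256(owner name in wire format | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(zone) + rdata).hexdigest()


def anchor_matches(anchor: TrustAnchor, zone: str, flags: int,
                   algorithm: int, pubkey: bytes) -> bool:
    """True only if the DNSKEY the TLD serves hashes to the anchor from the TAR."""
    if anchor.digest_type != 2:
        return False  # unsupported digest type: refuse rather than guess
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (wire_name(anchor.zone) == wire_name(zone)
            and anchor.algorithm == algorithm
            and anchor.key_tag == key_tag(rdata)
            and anchor.digest.lower() == ds_digest(zone, rdata))


# Constructed sample (not real key material): a KSK for "example." with the
# SEP flag set (257) and algorithm 8, plus the TAR entry derived from it.
SAMPLE_KSK = bytes(range(1, 65))
SAMPLE_RDATA = dnskey_rdata(257, 8, SAMPLE_KSK)
SAMPLE_ANCHOR = TrustAnchor("example.", key_tag(SAMPLE_RDATA), 8, 2,
                            ds_digest("example.", SAMPLE_RDATA))
```

A resolver that fails this check for a TLD has no authenticated key for that zone and should treat its data as unvalidated (or bogus, depending on policy) rather than fall back to the served DNSKEY.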
An IANA-run TAR could be beneficial in numerous ways. It could:
- Provide a single, non-governmental, internet community-trusted location for TLD key material while avoiding another debate about the tripartite root zone management relationship between ICANN, DoC, and VeriSign. Since a TAR has no impact on root zone management, the DoC would have no official oversight of how it is implemented or operated. ICANN could allow TLD registries to store any type of keying information and implement roll-over policies according to their preferences.
- Leave the current root-server arrangement, based on mutual trust between the A root and B-M root operators, intact and not lock root server operators in to the contents of the secured A root zone. This would preserve the opportunity for other parties to deploy coordinated root zones if necessary (e.g., ones containing additional IDN TLDs), and give ICANN incentives to respond to global internet community demands. And somewhat counter-intuitively, it would enhance the network effects associated with the ICANN root.
- Mitigate the concerns of other governments that USG oversight of a secured root zone (via its contractual relationships with ICANN and VeriSign) might be leveraged to implement policies driven by the economic, national security, or other concerns of the United States government or special interests.
- Allow time for ICANN and the internet community, if there is continued interest to have a single trust anchor for the DNS, to evaluate root zone signing and oversight arrangements which are acceptable to all governments, the private sector, technical community, and civil society interests.
Framed by ICANN’s ongoing “Improving Institutional Confidence” consultations, and the political difficulty associated with signing the root, deploying a TAR could signal that ICANN is determined to establish its independence from certain aspects of USG oversight. Assuming the TAR becomes widely utilized, the tell-tale sign of ICANN’s desire for continued independence will be what transpires once a critical mass of zones is signed and the pressures to sign the root possibly increase.