ICANN Email List Archives

[pir-dnssec-proposal]



More information on PIRs Proposed Implementation of DNSSEC

  • To: pir-dnssec-proposal@xxxxxxxxx
  • Subject: More information on PIRs Proposed Implementation of DNSSEC
  • From: "Brenden Kuerbis" <bkuerbis@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 26 May 2008 11:40:13 -0400

Comments of the Internet Governance Project on Public Internet
Registry (PIR)'s proposed implementation of DNS Security Extensions
(DNSSEC) in the .ORG zone:

May 24, 2008

These comments are in response to ICANN's request for comment on
PIR's Proposed Implementation of DNSSEC
<http://icann.org/public_comment/#pir-dnssec>.

IGP would like to thank ICANN for providing the opportunity to comment
on this matter.  In general, the IGP supports PIR's proposal to
implement DNSSEC.  However, their proposal raises important issues
surrounding cryptographic key management and coordination with other
parties, which are essential components of successful DNSSEC
deployment.

Cryptographic key management

PIR proposed amended language regarding data escrow of DNSSEC related
data, specifically key material.
<http://icann.org/tlds/agreements/org/proposed-org-amendment-23apr08.pdf>
 In 2006, ICANN revised its registry agreements to require the
escrowing of zone records and key data with a third party. This raised
concern among some in the DNSSEC-Deployment group. Since DNSSEC is
based on the premise that one cannot forge a signed DNS record,
maintaining private key confidentiality is an utmost concern.

PIR's proposed amendment alters the provision to exclude some
DNSSEC-related material necessary to sign the .org zone (i.e., the
private portions of .org zone key-signing keys and zone-signing keys).
 This makes far more sense from a security and control standpoint,
with private key data only controlled by the organization responsible
for the zone, and it should not impact ICANN's ability to protect
registrants in the event of a registry business failure.

PIR's amendment request is another testament to the strength of a
distributed, and not centralized, approach to DNSSEC and should be
approved by ICANN.  Other registries planning to deploy DNSSEC will
likely take note of PIR's request and ICANN's forthcoming reply.

Coordination with other parties

Another critical determinant of success in PIR's bid to secure .ORG
will be uptake by registrars. A short survey performed by PIR seemed
to indicate slight interest among the 48 respondents. Based on their
proposal, it seems PIR will incur relatively small hardware and
software costs to deploy DNSSEC. Registrars may incur the bulk of the
costs associated with providing DNSSEC. Since registrars face
registrants directly, they will have to provide sales and marketing of
DNSSEC and ongoing customer support. If registrars aren't able to
convince registrants of the value of DNSSEC it's hard to see them
making much effort to provide it.

Another observation is the absence of ISPs in the discussion
surrounding DNSSEC adoption by zone operators. If ISPs don't deploy
and utilize validating resolvers then securing zones has limited
usefulness for Internet end users (who likely will not have secure
stub resolvers for some time).  When the Swedish ccTLD .SE launched
its DNSSEC service they had the active cooperation of a large Swedish
ISP.

That those organizations closest to registrants and Internet users are
relatively quiet about their own plans for supporting DNSSEC raises
some doubt about what impact securing .ORG or any other zones will
really have.  However, PIR should be supported in taking the
initiative to secure their portion of the DNS infrastructure.

--
Brenden Kuerbis
Internet Governance Project
http://internetgovernance.org

