Call for Support: RIPE response to the US NTIA's NoI
Patrik Fältström patrik at frobbit.se
Mon Nov 17 22:19:18 CET 2008
Disclaimer: I was one of the persons working on the text.
That said, I still want to explicitly say that I fully support the
final outcome of the work done in the DNS wg.
Patrik
On 14 nov 2008, at 16.59, Peter Koch wrote:
> Dear RIPE Community,
>
> as mentioned in my email sent on Monday, the DNS working group has come
> up with a response to the US NTIA's Notice of Inquiry (NoI) regarding
> the introduction of DNSSEC for the DNS root zone (for details see
> <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
>
> The text below reflects the consensus of the DNS working group.
>
> As a follow up to our earlier efforts (see below), the DNS WG suggests that
> the response to the NTIA come from the broader RIPE community. So, this is
> the DNS WG's request for your support and endorsement of the proposal.
>
> Please read the text and voice your support or opposition. As mentioned
> earlier, we will have to meet an external deadline. Therefore, we are not
> looking for editorial suggestions. Regrettably, it is impractical to further
> refine or reword the text, since that would require more editing cycles and
> new consensus calls, which time won't permit.
> The WG chairs' collective and the RIPE Chair have agreed that it needs
> a binary decision on the proposal as presented here.
>
> It is possible that the text doesn't represent the optimum for everyone.
> Still, please consider whether you can support it as a community statement.
> In any case, the NoI is open for anybody, so you might want to send
> your individual response and/or contribute to other group efforts, as well.
>
> Clarifying questions are welcome, probably best asked on the DNS WG mailing
> list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html>.
>
> Given the 24 Nov deadline and to allow some time for the evaluation of the
> list traffic, you are kindly asked to send your explicit statements to this
> list no later than
>
> Friday, 21 Nov 2008 12:00 UTC.
>
> Thanks in advance for your consideration!
>
> -Peter Koch [DNS WG co-chair]
>
> -----------------------------------------------------------------------------
>
> #
> # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
> #
>
> The RIPE community thanks the NTIA for its consultation on proposals
> to sign the root and is pleased to offer the following response to
> that consultation. We urge the adoption of a solution that leads to
> the prompt introduction of a signed root zone. Our community considers
> the introduction of a signed root zone to be an essential enabling
> step towards widespread deployment of Secure DNS, DNSSEC. This view
> is supported by the letter from the RIPE community to ICANN as an
> outcome of discussions at the May 2007 RIPE meeting in Tallinn:
> http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
>
> It is to be expected that a community as diverse as RIPE cannot have a
> unified set of detailed answers to the NTIA questionnaire. However
> several members of the RIPE community will be individually responding
> to that questionnaire. We present the following statement as the
> consensus view of our community about the principles that should form
> the basis of the introduction of a signed DNS root.
>
> 1. Secure DNS, DNSSEC, is about data authenticity and integrity and
> not about control.
>
> 2. The introduction of DNSSEC to the root zone must be made in such a
> way that it is accepted as a global initiative.
>
> 3. Addition of DNSSEC to the root zone must be done in a way that does
> not compromise the security and stability of the Domain Name System.
>
> 4. When balancing the various concerns about signing the root zone,
> the approach must provide an appropriate level of trust and confidence
> by offering an optimally secure solution.
>
> 5. Deployment of a signed root should be done in a timely but not
> hasty manner.
>
> 6. Updates from TLD operators relating to DNSSEC should be aligned
> with the operational mechanisms for co-ordinating changes to the root
> zone.
>
> 7. If any procedural changes are introduced by the deployment of
> DNSSEC they should provide sufficient flexibility to allow for the
> roles and processes as well as the entities holding those roles to be
> changed after suitable consultations have taken place.
>
> 8. Policies and processes for signing the root zone must be
> transparent and trustworthy, making it straightforward for TLDs to
> supply keys and credentials so the delegations for those TLDs can
> benefit from a common DNSSEC trust anchor, the signed root.
>
> 9. There is no technical justification to create a new organisation to
> oversee the process of signing of the root.
>
> 10. No data should be moved between organisations without appropriate
> authenticity and integrity checking, particularly the flow of keying
> material between a TLD operator and the entity that signs the root.
>
> 11. The public part of the key signing key must be distributed as
> widely as possible.
>
> 12. The organisation that generates the root zone file must sign the
> file and therefore hold the private part of the zone signing key.
>
> 13. Changes to the entities and roles in the signing process must not
> necessarily require a change of keys.
>
> -----------------------------------------------------------------------------
>
>
