[staff] [local-ir at ripe.net]signing the roots

Dear colleagues,

At the DNS-WG at the last RIPE meeting (RIPE 44) Johan Ihren presented
his proposal for an interim scheme for signing the public DNS root.  The
current version of this Internet-Draft is:

    draft-ietf-dnsop-interim-signed-root-01.txt

The full text of this Internet-Draft can be found at:

http://www.ietf.org/internet-drafts/draft-ietf-dnsop-interim-signed-root-01.txt

In the Internet-Draft, a mechanism has been proposed for a first stage 
of a transition from a unsigned DNS root to a signed root, such that the 
data in the root zone is accompanied by DNSSEC signatures to allow 
validation. The process of doing this involves the use of a set of 
operator keys which are signed by one key signing key, sometimes 
referred to a "master key".  It has been further proposed that these key 
signing keys be managed by the Regional Internet Registries (RIRs).

The proposal states the requirements of the RIRs would be to:

    * establish a secure out-of-band communication path in collaboration
with the signing operators which will be used for authenticated exchange
of the unsigned keyset.

    * periodically generate strong keys using a good random number
      generator

    * manage their keys (i.e. use them for signing the operator keyset
and keeping the private key appropriately secret)


Question:

Since this Internet-Draft suggests future action by the RIRs, the RIPE
community should discuss this issue and provide feedback to the author.
   Therefore, the following question is asked:

    Is this a task that should be performed by the RIPE NCC?

Please direct your feedback to dns-wg at ripe.net mailing list.


Regards,


Andrei Robachevsky
CTO, RIPE NCC