[dns-wg] one more effort on the NTIA response
- Previous message (by thread): [dns-wg] one more effort on the NTIA response
- Next message (by thread): [dns-wg] one more effort on the NTIA response
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Antoin Verschuren
Antoin.Verschuren at sidn.nl
Thu Nov 13 11:32:30 CET 2008
Oops, I replied to the wrong email. I meant I feel confortable with this latest version of the draft, 1,8. Antoin Verschuren Technical Policy Advisor SIDN Utrechtseweg 310 PO Box 5022 6802 EA Arnhem The Netherlands T +31 26 3525500 F +31 26 3525505 M +31 6 23368970 E antoin.verschuren at sidn.nl W http://www.sidn.nl/ > -----Original Message----- > From: dns-wg-admin at ripe.net [mailto:dns-wg-admin at ripe.net] On Behalf Of > Jim Reid > Sent: Monday, November 10, 2008 9:57 AM > To: dns-wg at ripe.net > Subject: [dns-wg] one more effort on the NTIA response > > Colleagues, I am sorry to say that we have still not reached consensus > on the proposed response to the NTIA NoI. After discussing this > yesterday the WG co-chairs felt that further work is needed. We have > also had reliable feedback that Friday's draft was being > misinterpreted by some of the likely audience for this response > outside the WG. I have taken guidance from an informal editing group > to tweak the response to clear up the ambiguity and potential for > misunderstanding. So we now have an updated draft response to consider. > > The intention is still to try and get consensus in the WG, ideally on > the text below. If that can be achieved in the next few days, we will > then endeavour to get consensus from the RIPE community. And if that > is done, the agreed text will go to NTIA as a statement of the RIPE > community. The NTIA deadline makes this a delicate balancing act. On > the one hand, there's little time left for further discussion. On the > other, there needs to be reasonable discussion time in both the WG and > RIPE lists so that the validity of our procedures are not undermined. > Please bear this in mind before commenting about the latest draft on > the list. > > Please take a look at the latest revised version below. As before, I > would ask you to only comment about any matters that you consider to > be showstoppers and provide suggested alternate text. Please try not > to focus on minor tweaks to the language as that will divert us all > from the matter at hand. And take time we don't really have to spare. > > Remember too that we're trying to get consensus within the WG. This is > hard because there are differing views about how the root could or > should be signed. There may be wording in the text below that is not > to your personal taste. And other WG members may well be uncomfortable > with the stuff in the draft that you like. However I hope we can all > agree the latest draft is a fair reflection of the collective view of > the WG. Some compromise and good sense from all of us is needed to > keep this thing on track. > > Don't forget that what we're doing here is expressing the view of the > WG (or the RIPE community?) *as a whole*. This does not prevent any of > you from making your own personal or professional representations to > the NTIA, something I encourage all of you to do. If some of the > detail is not to your personal taste, please think carefully about > whether it's better to handle that inside the WG in the time available > or by making a personal submission to NTIA. So unless there's > something in the draft below that you think makes us look bad/stupid/ > wrong, can I ask for your support on this latest version? > > Oh, and if you are happy with the latest draft, please say so on the > list. Your WG co-chairs will feel a lot more comfortable declaring > consensus when there are positive statements to that effect on the > list. This is far better than presuming a default of silence implies > consent. > > # > # $Id: ntia-draft,v 1.8 2008/11/09 17:28:20 jim Exp $ > # > > The RIPE community (or DNS WG?) thanks the NTIA for its consultation > on proposals to sign the root and is pleased to offer the following > response to that consultation. We urge the adoption of a solution that > leads to the prompt introduction of a signed root zone. Our community > considers the introduction of a signed root zone to be an essential > enabling step towards widespread deployment of Secure DNS, DNSSEC. > > It is to be expected that a community as diverse as RIPE cannot have a > unified set of detailed answers to the NTIA questionnaire. However > several > members of the RIPE community will be individually responding to that > questionnaire. We present the following statement as the consensus > view of our community (or the DNS Working Group?) about the principles > that should form the basis of the introduction of a signed DNS root. > > 1. Secure DNS, DNSSEC, is about data authenticity and integrity and > not about control. > > 2. The introduction of DNSSEC to the root zone must be made in such a > way that it is accepted as a global initiative. > > 3. Addition of DNSSEC to the root zone must be done in a way that does > not compromise the security and stability of the Domain Name System. > > 4. When balancing the various concerns about signing the root zone, > the approach must provide an appropriate level of trust and confidence > by offering an optimally secure solution. > > 5. Deployment of a signed root should be done in a timely but not > hasty manner. > > 6. Updates from TLD operators relating to DNSSEC should be aligned > with the operational mechanisms for co-ordinating changes to the root > zone. > > 7. If any procedural changes are introduced by the deployment of > DNSSEC they should provide sufficient flexibility to allow for the > roles and processes as well as the entities holding those roles to be > changed after suitable consultations have taken place. > > 8. Policies and processes for signing the root zone must be > transparent and trustworthy, making it straightforward for TLDs to > supply keys and credentials so the delegations for those TLDs can > benefit from a common DNSSEC trust anchor, the signed root. > > 9. There is no technical justification to create a new organisation to > oversee the process of signing of the root. > > 10. No data should be moved between organisations without appropriate > authenticity and integrity checking, particularly the flow of keying > material between a TLD operator and the entity that signs the root. > > 11. The public part of the key signing key must be distributed as > widely as possible. > > 12. The organisation that generates the root zone file must sign the > file and therefore hold the private part of the zone signing key. > > 13. Changes to the entities and roles in the signing process must not > necessarily require a change of keys. >
- Previous message (by thread): [dns-wg] one more effort on the NTIA response
- Next message (by thread): [dns-wg] one more effort on the NTIA response
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]