[afnog] Signing root zone

McTim dogwallah at gmail.com
Thu Nov 6 11:23:51 UTC 2008


On Thu, Nov 6, 2008 at 1:30 PM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Thu, Nov 06, 2008 at 09:40:41AM +0000,
>  alain aina <aalain at trstech.net> wrote
>  a message of 18 lines which said:
> > Would be good if our community say something, at least encourage
> > root signing
> Why?

Because this may be our one and only chance?

> I mean, how many people here sign their zone and/or enable DNSSEC
> validation on their resolvers?

probably zero.

Since comments are due on November 24, 2008, I think we would have to agree
on a short, non-controversial statement about this before Mauritius.

I suggest this text:

"The African Network Operators Group urges the DNSSEC signing of the root
zone file for the security and stability of the Internet and for its users.

As network operators, we realize that we have a role to play in securing the
Internet for the users of our networks.  DNSSEC implementation at the root
will make the task of deploying DNSSEC on our networks easier."

FYI, here is the version that the RIPE community is about to agree on for
your reference:

#       $Id: ntia-draft,v 1.4 2008/11/03 10:25:25 jim Exp $

RIPE welcomes the NTIA's consultation on the proposals to sign the
root and is pleased to support that effort. We urge the NTIA to adopt
a solution that leads to a prompt signed root zone. The solution must
not compromise the stability and integrity of the root zone management
process. It should be flexible enough to allow for the entities and
roles involved in the process to be replaced or for the process itself
to be replaced. The solution should minimise reasonable concerns,
whether they are of a political, economic or business nature.

It is to be expected that a community as diverse as RIPE cannot have a
unified set of detailed answers to the NTIA questionnaire. However several
members of the RIPE community will be individually responding to that
questionnaire. We present the following statement as the consensus
view of our community (or the DNS Working Group?) about the principles
that should form the basis of the introduction of a signed DNS root.

1. Secure DNS, DNSSEC, is about data authenticity and integrity and
not about control.

2. The introduction of DNSSEC to the root zone must be recognised as a
global initiative.

3. Addition of DNSSEC to the root zone must be done in a way that the
security and stability of the Domain Name System is not at risk.

4. Deployment of a signed root should be done in a timely but not
hasty manner.

5. To assist with a timely deployment, any procedural changes
introduced by DNSSEC should be aligned with the current process for
coordinating changes to and the distribution of the root zone. However
those procedural changes should provide sufficient flexibility to
allow for the roles and processes as well as the entities holding
those roles to be changed after suitable consultations have taken

6. Policies and processes for signing the root zone should make it
easy for TLDs to supply keys and credentials so the delegations for
those TLDs can be signed.

7. There is no technical justification to create a new organisation to
oversee the process of signing of the root.

8. No data should be moved between organisations without appropriate
authenticity and integrity checking.

9. The public part of the key signing key must be distributed as
widely as possible.

10. The organisation that generates the root zone file must hold the
private part of the zone signing key.

11. Changes to the entities and roles in the signing process must not
necessarily require a change of keys.

12. When balancing the various concerns about signing the root zone,
the chosen approach must provide an appropriate level of trust and
confidence by offering a maximally secure technical solution.

