[ppml] Signing the Public DNS Root - Discussion at ARIN XI
Member Services
memsvcs at arin.net
Thu Mar 6 14:32:31 EST 2003
This message is not an ARIN policy proposal. This message is a
request for feedback. This issue will be discussed at the
upcoming ARIN XI meeting.
An Internet-Draft has been written that proposes an interim scheme
for signing the public DNS root. The current version of this
Internet-Draft is:
draft-ietf-dnsop-interim-signed-root-00.txt
The full text of this Internet-Draft can be found at:
http://www.ietf.org/ids.by.wg/dnsop.html
In the Internet-Draft, a mechanism has been proposed for a first
stage of a transition from an unsigned DNS root to a signed root,
such that the data in the root zone is accompanied by DNSSEC
signatures to allow validation. The process of doing this involves
the use of a set of operator keys which are signed by one key
signing key, sometimes referred to as a "master key". It has been
further proposed that these key signing keys be managed by the
Regional Internet Registries (RIRs).
The proposal states the requirements of the RIRs would be to:
* establish a secure out-of-band communication path in
collaboration with the signing operators which will be used
for authenticated exchange of the unsigned keyset.
* periodically generate strong keys using a good random number
generator
* manage their keys (i.e. use them for signing the operator
keyset and keeping the private key appropriately secret)
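As an added illustration of the key hierarchy described above (not part of this message or of the Internet-Draft), the following Go program stands in Ed25519 for the draft's DNSSEC algorithms: a key signing key, whose public half is the validator's trust anchor, signs the operator keyset; an operator key signs root zone data; a validator accepts the data only if both links verify. The `Keyset` type and its encoding, the function names and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyset is the unsigned operator keyset an RIR receives out-of-band and signs
// with its key signing key (KSK). Assumption: toy struct, not a DNSKEY RRset.
type Keyset struct{ Operators []ed25519.PublicKey }

// Bytes is the byte string the KSK signature covers: the operator public
// keys concatenated in order (a constructed canonical encoding).
func (k Keyset) Bytes() []byte {
	var out []byte
	for _, pk := range k.Operators {
		out = append(out, pk...)
	}
	return out
}

// SignKeyset is the RIR's step: sign the operator keyset with the KSK.
func SignKeyset(ksk ed25519.PrivateKey, k Keyset) []byte {
	return ed25519.Sign(ksk, k.Bytes())
}

// ValidateRootData: a resolver holding only the KSK public key as trust anchor
// accepts data only if the KSK signed the keyset and a keyset member signed the data.
func ValidateRootData(anchor ed25519.PublicKey, k Keyset, keysetSig, data, dataSig []byte) bool {
	if !ed25519.Verify(anchor, k.Bytes(), keysetSig) {
		return false // keyset altered, or signed by a key other than the anchor
	}
	for _, pk := range k.Operators {
		if ed25519.Verify(pk, data, dataSig) {
			return true
		}
	}
	return false // signer is not an operator key the KSK vouched for
}

func main() {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader) // RIR key; public half is the anchor
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)   // a signing operator's key
	ks := Keyset{Operators: []ed25519.PublicKey{opPub}}
	ksSig := SignKeyset(kskPriv, ks)
	data := []byte("constructed sample: . IN NS a.root-servers.net.")
	fmt.Println("operator-signed:", ValidateRootData(kskPub, ks, ksSig, data, ed25519.Sign(opPriv, data)))
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // never placed in the signed keyset
	fmt.Println("rogue-signed:   ", ValidateRootData(kskPub, ks, ksSig, data, ed25519.Sign(roguePriv, data)))
}
```

A keyset that gains an extra key without being re-signed by the KSK fails the first check, which is why the draft's out-of-band exchange of the unsigned keyset with the operators matters.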
The author of this Internet-Draft will attend the upcoming
ARIN XI meeting and will present the main points of the draft
to meeting attendees.
Question:
Since this Internet-Draft suggests future action by the RIRs,
the ARIN community should discuss this issue and provide feedback
to the author. Therefore, the following question is asked:
Is this a task that should be performed by ARIN?
Best Regards,
Richard Jimmerson
Director of Operations
American Registry for Internet Numbers (ARIN)