[ppml] Signing the Public DNS Root - Discussion at ARIN XI

Michael.Dillon at radianz.com
Fri Mar 7 05:20:58 EST 2003


> The proposal states the requirements of the RIRs would be to:
>  * establish a secure out-of-band communication path in
>    collaboration with the signing operators which will be used 
>    for authenticated exchange of the unsigned keyset.
>  * periodically generate strong keys using a good random number
>    generator
>  * manage their keys (i.e. use them for signing the operator 
>    keyset and keeping the private key appropriately secret)

Sounds like another good reason for ARIN technical folks to get up to 
speed on running LDAP servers.

>  Is this a task that should be performed by ARIN?

Definitely yes. When IPv6 is widely deployed there will be a lot less 
address allocation activity which will lead to the RIRs withering and 
dying (or consolidating into one global IR). Unless, of course, there are 
tasks that the RIRs can take on which are useful to the Internet 
community.

Since the core function of an RIR is to provide a single authoritative 
source for bits of Internet infrastructure information, this task is 100% 
on target. IP addresses and AS numbers and DNS signing keys are all the 
same. They are all pieces of Internet infrastructure information that need 
to be available from an authoritative source.

May I suggest that, in preparation for the Memphis meeting, ARIN
management should give some thought towards a roadmap document for ARIN's
future that incorporates various known events even if we don't know the
timing. For instance, DNSSEC is one, IPv6 is another. I would stretch this
to include some sort of PKI as well as some sort of mail server 
authentication. This assumes that the day will come when there is 
widespread need for electronic signatures and therefore a need for some 
organization to manage the top levels of the authority hierarchy for 
these. And it also assumes that we will replace unsecured SMTP with an 
alternative email channel based on an authority hierarchy that provides a 
form of email callerID. This would require email servers to defer to an 
authoritative source, like ARIN, to authenticate other email servers.

--Michael Dillon
