[ppml] Signing the Public DNS Root - Discussion at ARIN XI

william at elan.net william at elan.net
Fri Mar 7 12:25:40 EST 2003


I agree with what you say here about the future (except IPv6; the need for new 
IPv6 distribution would still exist even in the far future) and what ARIN 
needs to do. But ARIN is generally slow, so let's just keep our focus and
do DNSSEC for the root first and then move to PKI next (which actually was 
discussed briefly at the San Francisco meeting two years ago and in 
Las Vegas a year ago as well). In the end, if we get all the things you 
mention (DNSSEC, PKI, IPv6, LDAP CRISP) started by 2010, I'll actually be 
quite happy :)

Oh, regarding LDAP, considering the current ARIN situation, I'll try to do it 
all on my own: mirror ARIN data and provide it through the CRISP protocol 
(which is actually LDAP). I'll have a presentation ready for the next meeting 
after Memphis. If people like it, I'm sure we can encourage ARIN to do the 
same, and in the end they will when CRISP begins to be deployed.

On Fri, 7 Mar 2003 Michael.Dillon at radianz.com wrote:

> > The proposal states the requirements of the RIRs would be to:
> >  * establish a secure out-of-band communication path in
> >    collaboration with the signing operators which will be used 
> >    for authenticated exchange of the unsigned keyset.
> >  * periodically generate strong keys using a good random number
> >    generator
> >  * manage their keys (i.e. use them for signing the operator 
> >    keyset and keep the private key appropriately secret)
> 
> Sounds like another good reason for ARIN technical folks to get up to 
> speed on running LDAP servers.
> 
> >  Is this a task that should be performed by ARIN?
> 
> Definitely yes. When IPv6 is widely deployed there will be a lot less 
> address allocation activity which will lead to the RIRs withering and 
> dying (or consolidating into one global IR). Unless, of course, there are 
> tasks that the RIRs can take on which are useful to the Internet 
> community.
> 
> Since the core function of an RIR is to provide a single authoritative 
> source for bits of Internet infrastructure information, this task is 100% 
> on target. IP addresses and AS numbers and DNS signing keys are all the 
> same. They are all pieces of Internet infrastructure information that need 
> to be available from an authoritative source.
> 
> May I suggest that, in preparation for the Memphis meeting, ARIN 
> management should give some thought towards a roadmap document for ARIN's 
> future that incorporates various known events even if we don't know the 
> timing. For instance DNSSEC is one, IPv6 is another. I would stretch this 
> to include some sort of PKI as well as some sort of mail server 
> authentication. This assumes that the day will come when there is 
> widespread need for electronic signatures and therefore a need for some 
> organization to manage the top levels of the authority hierarchy for 
> these. And it also assumes that we will replace unsecured SMTP with an 
> alternative email channel based on an authority hierarchy that provides a 
> form of email callerID. This would require email servers to defer to an 
> authoritative source, like ARIN, to authenticate other email servers.
> 
> --Michael Dillon
> 