[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

Michael Sinatra michael+ppml at burnttofu.net
Thu Oct 4 12:29:14 EDT 2018


All of my $employer's number resources are covered by RSA or LRSA, but I 
have received word of an apparent change in ARIN operational policy from 
holders of legacy resources who are not 100% covered by RSA or LRSA.

The change is that ARIN is (or will soon be) no longer accepting DNSSEC 
DS records for reverse DNS for those resources that are not covered by 
RSA or LRSA.  This is a change from current operational practice, and it 
effectively disables the *community's* ability to validate reverse DNS 
for these holders.

Speaking for myself as a member of the community, I object to this 
change in practice on three counts:

1. While the value of DNSSEC in reverse DNS is *currently* limited, 
moreso than for forward DNS, that value is greater than zero, and there 
may be schemes in the future that make good use of DNSSEC-signed reverse 
DNS (e.g. other trusted mechanisms to signal routing policy), and these 
may have significant value in the future.  At any rate, this is an 
operational decision, not an ARIN decision, and it has operational 
implications that are not immediately pursuant to number resource policy.

2. DNSSEC in general provides value *both* to the entity that signs DNS 
resource records *and* to the distinct entity that validates those 
signed RRs.  Taking away the DNSSEC chain of trust (i.e. DS record 
support in the parent zone) for a certain set of entities for whatever 
reason has the effect of removing value from the rest of the community 
that validates these DNS records.  In other words, ARIN has punished the 
entire community--even those with all resources under an RSA or LRSA. 
This was done with, AFAICT (and I have searched my own email as well as 
public mailing lists), zero consultation with the affected 
community--and, to restate, the affected community is all of us, 
regardless of (L)RSA status.

3. DNSSEC is part of the DNS protocol.  Picking and choosing which parts 
of a protocol to support is exactly the sort of behavior that has drawn 
the ire of our community in the past.  Recall the equipment vendors that 
tried to make IPv6 a "value-added service" and charged extra licensing 
fees just to use what many of us consider to simply be part of the 
Internet Protocol.  This also has the effect of slowing adoption of a 
technology that benefits the entire community.

I question the community-stewardship value of taking this action.  In 
fact, as I have stated above, I believe that ARIN's actions have 
negative value to the community, including those of us who have 
agreements with ARIN and are trying to play by the rules.

I have a few requests:

1. That ARIN staff reverse this decision, at least for a period of time 
for the larger community to assess the negative value to the Internet 
community as a whole.  And, if there was community consultation and I 
missed it, please let me know and please register my objection to the 
change in policy at this time.

2. That the current Board and Board Candidates state their position on 
this matter.  For the Board Candidates, I would appreciate their stating 
their position prior to the end of the election period, ideally at the 
meetings in Vancouver currently ongoing.

I realize this may not be spot-on-topic for PPML, but at this point, I 
am unsure where to post this, other than possibly NANOG.  I am happy to 
take this conversation elsewhere, but I believe the conversation needs 
to happen in a public forum.

Thanks for reading another of my long emails.

More information about the ARIN-PPML mailing list