[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders
Michael Sinatra
michael+ppml at burnttofu.net
Thu Oct 4 12:29:14 EDT 2018
Hi,
All of my $employer's number resources are covered by RSA or LRSA, but I
have received word of an apparent change in ARIN operational policy from
holders of legacy resources who are not 100% covered by RSA or LRSA.
The change is that ARIN is (or will soon be) no longer accepting DNSSEC
DS records for reverse DNS for those resources that are not covered by
RSA or LRSA. This is a change from current operational practice, and it
effectively disables the *community's* ability to validate reverse DNS
for these holders.
Speaking for myself as a member of the community, I object to this
change in practice on three counts:
1. While the value of DNSSEC in reverse DNS is *currently* limited,
more so than for forward DNS, that value is greater than zero, and there
may be schemes in the future that make good use of DNSSEC-signed reverse
DNS (e.g. other trusted mechanisms to signal routing policy), and these
may have significant value in the future. At any rate, this is an
operational decision, not an ARIN decision, and it has operational
implications that are not immediately pursuant to number resource policy.
2. DNSSEC in general provides value *both* to the entity that signs DNS
resource records *and* to the distinct entity that validates those
signed RRs. Taking away the DNSSEC chain of trust (i.e. DS record
support in the parent zone) for a certain set of entities for whatever
reason has the effect of removing value from the rest of the community
that validates these DNS records. In other words, ARIN has punished the
entire community--even those with all resources under an RSA or LRSA.
This was done with, AFAICT (and I have searched my own email as well as
public mailing lists), zero consultation with the affected
community--and, to restate, the affected community is all of us,
regardless of (L)RSA status.
3. DNSSEC is part of the DNS protocol. Picking and choosing which parts
of a protocol to support is exactly the sort of behavior that has drawn
the ire of our community in the past. Recall the equipment vendors that
tried to make IPv6 a "value-added service" and charged extra licensing
fees just to use what many of us consider to simply be part of the
Internet Protocol. This also has the effect of slowing adoption of a
technology that benefits the entire community.
I question the community-stewardship value of taking this action. In
fact, as I have stated above, I believe that ARIN's actions have
negative value to the community, including those of us who have
agreements with ARIN and are trying to play by the rules.
I have a few requests:
1. That ARIN staff reverse this decision, at least for a period of time
for the larger community to assess the negative value to the Internet
community as a whole. And, if there was community consultation and I
missed it, please let me know and please register my objection to the
change in policy at this time.
2. That the current Board and Board Candidates state their position on
this matter. For the Board Candidates, I would appreciate their stating
their position prior to the end of the election period, ideally at the
meetings in Vancouver currently ongoing.
I realize this may not be spot-on-topic for PPML, but at this point, I
am unsure where to post this, other than possibly NANOG. I am happy to
take this conversation elsewhere, but I believe the conversation needs
to happen in a public forum.
Thanks for reading another of my long emails.
michael