[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders
Michael Sinatra
michael+ppml at burnttofu.net
Fri Oct 5 14:03:10 EDT 2018
On 10/4/18 11:08 PM, Mark Andrews wrote:
>> This is a complicated problem. DNSsec is about identity and is not merely a technical protocol. It requires that trust is built and maintained between the entities in the DNS tree, this trust is structured heretically so that everyone doesn't have to maintain trust with everyone else. Through this heretical structure, trust is built through validating and certifying the parties involved and this trust is then legally enshrined in contracts between the entities involved. The fact that the other parties in the tree have contracted with the entity higher in the tree, in this case, ARIN, is why you can trust them. Without those contracts, there is no way to enforce consequences for misbehavior and the trust will eventually be broken. The contracts are the basis for the trust needed by the system and without this trust, there is no need for the DNSsec protocol.
>
> If ARIN will update/add NS records then they should update/ns DS records. THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED. DNSSEC does not magically require that you need
> to do more diligence before making a change. If ARIN is willing to change NS records then
> whatever requirements they have to permit that change is ALL they should need to permit DS
> records to be changed.
>
>> ARIN has to have contracts with all entities participating in DNSSec and RPKI through it for the schemes to work, even that may not be enough to for these schemes to work, but without that there is no way for these schemes to work.
>>
>> The financial issues are completely separate from why contracts are necessary. However, life sure is easier when everyone is paying their fair share, but in this case, I don't think fair needs to be an equal share.
Thanks all for the responses. I appreciate the clarifications and other
statements.
I tend to side with Mark A. on this point. I don't think that DNSSEC is
or should be a signaling protocol for me to determine whether an entity
has a contractual relationship with ARIN as opposed to an "implied
trust" relationship. And I further agree with Mark that the presence of
delegation NS records is a substantial statement of implied trust that
does not materially change with DNSSEC--the latter simply provides a way
of technically verifying the integrity of an existing implied trust.
That said, I am interested in hearing from David F. or John C. as to
what kinds of background research is initiated when a (L)RSA is
initiated. (Sorry, I arrived at $current_employer only as the execution
of the contracts was being completed.) I know that there's a process
for when a specified transfer occurs, and that process *includes* a
(L)RSA, but does the (L)RSA trigger the background/history check or is
it the other way around?
Regarding fees, in the few (3 or so) cases I have seen, covering the
desired resources under (L)RSA doesn't materially change the fees for
the organization, so it's more an issue of potential legal encumbrances
rather than desire for "free" services. But I realize that's not always
the case--different organizations may have different reasons for signing
or not.
thanks,
michael
More information about the ARIN-PPML
mailing list