[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders
Ronald F. Guilmette
rfg at tristatelogic.com
Sat Oct 6 00:14:13 EDT 2018
In message <AD2CA5A0-6938-4067-9BED-4B1B8C57D9E4 at arin.net>,
John Curran <jcurran at arin.net> wrote:
>On 5 Oct 2018, at 2:05 PM, Ronald F. Guilmette <rfg at tristatelogic.com>
>wrote:
>>
>> Would it be possible for ARIN to establish some kind of de minimis
>> validation/authentication fee, enough to cover its costs, but not
>> involving the acceptance of a complete LRSA?
>
>This is likely to be discussed by the ARIN Board in 2019, as a result of
>the ongoing review of legal hurdles related to RPKI services.
>
>It's premature to speculate whether such is a reasonable mechanism
>without a detailed legal analysis - it wouldn't be the fee so much as
>the associated services agreement that would likely be the challenging part
>(i.e. the clause that's been cited as a hurdle is the disclaimer of
>property rights, and a reversal in this area would have significant
>implications for the community's ability to have any maintenance fees or
>community-developed policy applied to these address blocks.)

Thanks for the reply, John.

I probably should clarify that although, as I said, I do not have a dog in
this fight -now-, there exists a finite non-zero chance that that may change
in the foreseeable and near-term future.

In light of that possibility, and considering the content of this discussion
thread so far, I am suddenly and acutely aware of my own utter and abject
ignorance with respect to many, most, or all of the issues which this
discussion has touched upon.

Recognizing, as I do, that the PPML is not the best place for me to be
seeking to cure my ignorance, I hope nonetheless that no one here will
begrudge me too much if I ask just a couple of additional naive (stupid?)
but arguably pertinent questions:

1) I confess that I know virtually nothing about DNSSEC. I do know one
thing however, which is that there's such a thing, in the world of domain
names, as a "self signed" SSL certificate. Thus, my question: May the
DNSSEC records applicable to rDNS for a given CIDR be self signed?

If so, then might this be a way to deftly split the baby in two, allowing
everyone who signs a contract with ARIN to have a chain of trust (for their
rDNS) which is rooted in ARIN's trustworthiness, while still allowing those
who wish to remain outside the tent to present to the world some less
trustworthy but still DNSSEC-secured rDNS records?

2) John mentioned three separate considerations which, I infer, are the
three things that typically motivate some legacy holders to remain outside
of the tent, as it were, namely:

    a) property rights
    b) fees
    c) applicability of community-developed policies

John and the whole ARIN team already have to deal with levels of complexity
that would likely drive most humans mad in short order, and I am loath to
suggest adding anything on top of that, but I can't help wondering if
it might not be possible to bring more legacy holders into the tent if
the above three things were contractually sliced and diced in ways that
made contracts more palatable to holdouts. (For example, I can imagine
that some folks might be OK with paying ordinary fees, but would be
reluctant to sign away property rights... to the extent that any such
alleged "rights" might have any real legal existence. Others might
not want to pay full fees, but might be OK with contractually disavowing
property rights.)

And yes, that's a question. I just want to know if such (contractual)
slicing and dicing has been considered as a way to get more holdouts into
the tent.

Regards,
rfg