[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders
hostmaster at uneedus.com
Sat Oct 6 18:50:18 EDT 2018
The reason that this issue is so difficult is the funding model of DNS has
changed over the years, and the formation of ARIN has never completely
addressed that issue.
In the beginning days, DNS was in fact a large shared host file, installed
on every machine. In effect, the cost of adding hosts to the shared file
was indirectly paid by the public entity that was paying the salary of
those that maintained the host file, and the downloading and local costs
were borne by each node.
When port 53 DNS was established, costs were distributed among all
connected nodes because each connected network needed to have at least 2
DNS servers connected to the network. There was some central
administration involved, but that was paid by taxes or grants and not
directly by the holder.
At the time the original poster received his resources, there was no
charge for receiving numbering resources, and grants and other government
funding were paying for the reverse DNS function; the individual
resource holder was not charged, nor was there any contract for the
reverse DNS. The resource holder was responsible for providing 2 or more
DNS servers, and the maintainer of the reverse zone would point to those
servers, and the remainder of the cost and responsibility for the DNS
servers was borne by the resource holder.
The discussion of NetSol obtaining the contract, and the charge for a 2
year period had to do with domain names, not numbering resources. If the
holder wanted domain names, they could be obtained from NetSol, or from
other registries if eligible such as .edu or .us. These fees did not go
toward numbering resources. In the very beginning, these were also free.
Before ARIN, the reverse zone was provided via Internic, which I believe
was publicly funded. Currently the .arpa zone used for reverse DNS in
IPv4 is operated by Verisign GRS under contract to IANA. Each of the
reverse zone /8s of the internet is in turn delegated to the holder of
that /8, which is either one of the RIRs or the legacy holder of that /8.
This is why these legacy holders holding a /8 can get DNSSEC to work
regardless of the wishes of ARIN, since ARIN is not in the chain of trust,
and therefore has no control whatsoever over this issue.
Those legacy holders with less than a /8 have ARIN in the trust path for
DNSSEC and cannot receive DNSSEC (or RPKI) without the involvement of ARIN.
As to the total /24's shown in the chart, I suspect that the greatest
majority in total number of /24's are part of legacy /8's, who quite
frankly have legal teams that tell them not to sign an (L)RSA, since that
might take away commercial rights that they might have in the resources.
The term "freeloader" is a loaded term and, as pointed out, this discussion
has been going on unresolved since the formation of ARIN. It could
also be argued that those receiving number resources prior to ARIN, when
charges were not being made, have a valid point. Along comes ARIN, who
wants to tax/charge/fee the resource holder for services that were never
directly charged for prior to ARIN, and they do not consider this to be
right, since they never had any kind of agreement with ARIN.
The basic problem from the smaller than /8 legacy holder perspective is
that IANA has delegated the reverse /8 containing their legacy resources
to ARIN, injecting ARIN in the middle of this. It is not possible
therefore to get DNSSEC or any other DNS service on the reverse zone
working without ARIN's help. One could say that this was done without the
"permission" of the resource holder at the time. ARIN's website states
"At its formation, the ARIN Board of Trustees decided that ARIN would
provide registration services for these legacy number resources without
requiring the original resource holders to enter into a registration
services agreement or pay service fees." I suspect this was done to avoid
an issue with the legacy holders, who at the time of ARIN formation likely
controled a majority of the assigned numbering space and could have caused
quite a stink for ARIN over any charges.
I personally think the fee schedule needs to charge larger resource
holders much more than the small resource holder. Looking at the fee
chart, if I hold a single /24, the least I will pay is $150/year. If I opt
to become a member, I am 3 X small and pay $250/year. If I am a large
player and hold a /8 (65536 /24's), I am 3 X large and pay $64,000/year
for membership. That is only 98 cents per /24, compared to the small
player that gets to pay either $150 or $300 per year. At the very top of
the chart, that becomes 48 cents per /24 if I hold a /5 (larger than a
/6). While efforts have been made to increase fees to larger players, it
is still not distributed evenly based on a per resource basis.
Based upon the rates per /24 charged to larger players, that "freeloader"
is costing ARIN $2/year or less. On the other hand, DNSSEC does benefit
the security of the ENTIRE community, including those in other RIR
regions. While many at ARIN and elsewhere do not like providing those
"free" services to those legacy holders, DNSSEC is a benefit to ALL the
community. Since IANA runs the root of the .arpa reverse zone, maybe
costs should be funded by IANA and their 18 cent domain tax.
The amount of true cost for small players is in my opinion higher than the
cost of collection of a fair fee of $1 or less per /24 per year. Remember,
these small players include not only the original poster, but other
organizations including Berea College (BEREAC), a college with a billion
dollar endowment, who clearly would appear from ARIN's perspective to be able
to afford a membership, but also choose to be a "freeloader". They hold
but a single legacy /24, and choose instead to use their resources to
provide tuition free education to their entire student body rather than
paying annually for an ARIN membership.
I do not know what will be the answer, or if this will ever be solved
until IPv6 becomes the primary transport on the internet. I think the
price of IPv4 resources will be like a bell curve, and we will start
seeing the price of IPv4 blocks start to sink once IPv6 becomes the
primary transport. How many years before this happens, I do not know.
Albert Erdmann
Network Administrator
Paradise On Line Inc.
On Sat, 6 Oct 2018, Jo Rhett wrote:
> On Oct 6, 2018, at 12:47 PM, Lee Dilkie <lee at dilkie.com> wrote:
>> On 2018-10-05 00:40, Jo Rhett wrote:
>>> Refusing to authenticate resources used by holders who cannot be validated is a feature, not a bug.
>>
>> And validation of a resource holder isn't the same thing as holding an RSA contract. Let's be clear about that, they are different issues.
>
> No entity, even government entities, are required to provide services to people who won't sign the current service agreement.
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet projects.
>
>
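The delegation chain the post above describes (root, then arpa, then in-addr.arpa, then the /8 reverse zone, then the holder's own zone) can be walked mechanically, and doing so makes concrete what "ARIN is in the chain of trust" means: for DNSSEC validation to reach a holder's zone, every parent in that chain must publish a DS record for its child. The following Python is an added example, not part of the original message or of any ARIN tooling. The table of /8 operators is a constructed assumption for illustration, as is the simplification that the /16-level zone beneath an RIR-operated /8 is run by the same operator; real delegations are whatever the in-addr.arpa zone actually publishes.

```python
import ipaddress

# Constructed for this example: assumed operator of each IPv4 /8 reverse zone
# (N.in-addr.arpa). These are illustrative assumptions, not real delegations.
SLASH8_OPERATORS = {
    "192": "ARIN",              # assumed: an RIR-operated /8 reverse zone
    "17": "legacy /8 holder",   # assumed: a /8 reverse zone delegated to its holder
}


def reverse_zone(prefix):
    """Map an octet-aligned IPv4 prefix (/8, /16 or /24) to its in-addr.arpa zone."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 prefixes map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def delegation_chain(prefix):
    """Zones from the root down to the holder's reverse zone, parent before child."""
    labels = reverse_zone(prefix).rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def zone_operator(zone, slash8_operators=SLASH8_OPERATORS):
    """Who operates, and therefore signs, a zone in the reverse chain."""
    if zone == ".":
        return "root zone operator"
    labels = zone.rstrip(".").split(".")
    if labels == ["arpa"]:
        return "arpa operator"
    if labels == ["in-addr", "arpa"]:
        return "in-addr.arpa operator"
    if len(labels) in (3, 4):
        # N.in-addr.arpa is the /8 zone; the /16 zone below it is ASSUMED to be
        # run by the same operator (a simplification made for this example).
        return slash8_operators.get(labels[-3], "unknown /8 operator")
    return "resource holder"


def ds_publishers(prefix, slash8_operators=SLASH8_OPERATORS):
    """For each zone below the root, the party that must publish its DS record
    in the parent zone for the DNSSEC chain of trust to reach it."""
    chain = delegation_chain(prefix)
    return [(child, zone_operator(parent, slash8_operators))
            for parent, child in zip(chain, chain[1:])]


def arin_in_trust_path(prefix, slash8_operators=SLASH8_OPERATORS):
    """True if ARIN must act (publish a DS) for this prefix's reverse zone to validate."""
    return any(op == "ARIN" for _, op in ds_publishers(prefix, slash8_operators))


if __name__ == "__main__":
    for prefix in ("192.0.2.0/24", "17.0.0.0/8"):
        print(prefix, "->", reverse_zone(prefix))
        for zone, publisher in ds_publishers(prefix):
            print(f"  DS for {zone:26} published by: {publisher}")
        print("  ARIN in trust path:", arin_in_trust_path(prefix))
```

Run against the constructed table, a /24 under an RIR-operated /8 needs two DS records that only the /8 operator can publish, while a /8 delegated directly to its holder needs nothing from any RIR: the last DS in its chain lives in in-addr.arpa itself. Swap in the real delegations (for instance from the output of `dig DS 192.in-addr.arpa.`) to check an actual prefix.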