[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

John Curran jcurran at arin.net
Thu Oct 4 14:10:10 EDT 2018

On 4 Oct 2018, at 9:29 AM, Michael Sinatra <michael+ppml at burnttofu.net> wrote:
The change is that ARIN is (or will soon be) no longer accepting DNSSEC DS records for reverse DNS for those resources that are not covered by RSA or LRSA.  This is a change from current operational practice, and it effectively disables the *community's* ability to validate reverse DNS for these holders.
1. That ARIN staff reverse this decision, at least for a period of time for the larger community to assess the negative value to the Internet community as a whole.  And, if there was community consultation and I missed it, please let me know and please register my objection to the change in policy at this time.

Michael -

It’s an excellent issue, and ppml is a reasonable place to raise it (even if not strictly a matter of number resource policy.)

Back in 2016, we rolled out a single converged registration services agreement (i.e. the "RSA: Version 12.0 / LRSA: Version 4.0"). This RSA/LRSA contained many important changes that were requested from the community, including clarifying that the agreement is only applicable to "Included Number Resources" (i.e. the Internet number resources pursuant to the agreement, not any other number resources that parties may hold), providing uniform service terms and conditions for all customers receiving services from ARIN, elaborating on the definition of ARIN's services that are covered by the agreement, providing a more balanced agreement with respect to the terms previously seen as favorable to ARIN, and requiring that RSA changes (other than necessary to conform to law) be subject to membership approval.

As part of that rollout, we also made clear our stance regarding what services legacy resource holders get from ARIN absent any agreement – specifically, legacy resource holders get the same services that they received upon ARIN’s formation.  This mirrors the decision that was made at ARIN’s formation 20 years ago to not require existing resource holders to “join ARIN”, but instead to continue to provide the same services they were receiving without need for any fee or agreement. With the 2016 RSA/LRSA rollout, we made clear that legacy resource holders who wish to utilize new services would require entry into a registration services agreement with ARIN, just as with all other customers.

Now, regarding the “recent change” you reported – As it turns out, ARIN had been inconsistent in our approach to legacy holders seeking DNSSEC services over the years, and as a result there are about two dozen organizations that are legacy resource holders who are receiving DNSSEC services today from ARIN absent any registration services agreement.  Earlier this year, I directed the ARIN staff to reach out to these organizations to bring them under service agreement so as to be equitable with all parties receiving ARIN services.  I promptly received feedback from some of those affected organizations that they did not see that as an appropriate change, and so we are now only asking each of them to review the revised RSA to see if it is acceptable for their use, and we are not going to be turning off their existing DNSSEC services regardless of that outcome.


John Curran
President and CEO
