[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

Mark Andrews marka at isc.org
Fri Oct 5 02:08:54 EDT 2018

> On 5 Oct 2018, at 3:52 pm, David Farmer <farmer at umn.edu> wrote:
> On Thu, Oct 4, 2018 at 1:15 PM Bill Woodcock <woody at pch.net> wrote:
> > On Oct 4, 2018, at 11:10 AM, John Curran <jcurran at arin.net> wrote:
> > > ARIN had been inconsistent in our approach to ... DNSSEC services over the years.
> > There is no room for inconsistency in the application of security.
> > You’re entirely missing Michael’s point.  DNSSEC is not a _treat_ that you dangle in front of universities, it’s an operational requirement for _the whole Internet_, of which your paying members are constituents.  You’re denying _me_ the ability to use DNSSEC to validate addresses any time you prevent anyone from registering a DS record.
> >                                 -Bill
> This is a complicated problem.  DNSsec is about identity and is not merely a technical protocol. It requires that trust is built and maintained between the entities in the DNS tree; this trust is structured hierarchically so that everyone doesn't have to maintain trust with everyone else. Through this hierarchical structure, trust is built through validating and certifying the parties involved, and this trust is then legally enshrined in contracts between the entities involved. The fact that the other parties in the tree have contracted with the entity higher in the tree, in this case ARIN, is why you can trust them. Without those contracts, there is no way to enforce consequences for misbehavior and the trust will eventually be broken. The contracts are the basis for the trust needed by the system, and without this trust there is no need for the DNSsec protocol.

If ARIN will update/add NS records then they should update/add DS records.  THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED.  DNSSEC does not magically require that you need to do more diligence before making a change.  If ARIN is willing to change NS records then whatever requirements they have to permit that change is ALL they should need to permit DS records to be changed.

> ARIN has to have contracts with all entities participating in DNSSec and RPKI through it for the schemes to work; even that may not be enough for these schemes to work, but without that there is no way for these schemes to work.
> The financial issues are completely separate from why contracts are necessary. However, life sure is easier when everyone is paying their fair share, but in this case, I don't think fair needs to be an equal share.
> Thanks.
>  -- 
> ===============================================
> David Farmer               Email:farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota   
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
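As an added illustration of what "registering a DS record" with the parent actually involves (this code is not part of the thread and is not ARIN's or ISC's), the script below derives the DS record that a parent such as ARIN publishes for a child zone's DNSKEY, following RFC 4034 (key tag, canonical owner name) and RFC 4509 (SHA-256 digest). The DS is only a hash of the child's key, carried in the parent zone beside the NS records for the same delegation, which is why the authorisation needed to change one is the same as for the other. The owner name (a reverse zone under TEST-NET-1) and the 64-byte "public key" are constructed sample values, not real keys or ARIN data.

```python
# Added example: derive the parent-side DS record from a child's DNSKEY.
# Names and key bytes are constructed for illustration; no real zone or key is used.
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lower-case, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    out = bytearray()
    for label in labels:
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_sep(flags: int) -> bool:
    """Bit 15 (value 1) is the Secure Entry Point flag; parents normally publish DS for such keys."""
    return bool(flags & 1)


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS covering this DNSKEY."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_from_dnskey_line(line: str, digest_type: int = 2):
    """Parse a presentation-format DNSKEY RR ("owner [ttl] [IN] DNSKEY flags proto alg base64...")."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return ds_record(owner, flags, protocol, algorithm, pubkey, digest_type)


def ds_presentation(owner: str, ds) -> str:
    """Render the DS tuple as the zone-file line the parent would publish."""
    tag, alg, dt, digest = ds
    return "%s. IN DS %d %d %d %s" % (owner.rstrip("."), tag, alg, dt, digest)


# Constructed sample: a reverse zone in TEST-NET-1 with a made-up 64-byte "key"
# (algorithm 13 keys are 64 bytes, but these bytes are not a real ECDSA point).
SAMPLE_OWNER = "2.0.192.in-addr.arpa"
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY_LINE = "%s. 3600 IN DNSKEY 257 3 13 %s" % (
    SAMPLE_OWNER, base64.b64encode(SAMPLE_PUBKEY).decode("ascii"))

if __name__ == "__main__":
    ds = ds_from_dnskey_line(SAMPLE_DNSKEY_LINE)
    print(SAMPLE_DNSKEY_LINE)          # what the child hands to the parent
    print(ds_presentation(SAMPLE_OWNER, ds))  # what the parent publishes beside the NS set
```

The child operator hands the parent the DNSKEY line (or the DS line computed from it); the parent checks that the requester is authorised for that delegation, exactly as for an NS change, and publishes the DS in its own zone. Nothing in the computation depends on any trust the parent has in the key's contents, only on who is allowed to change the delegation.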
