[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

Michael Sinatra michael+ppml at burnttofu.net
Fri Oct 5 14:03:10 EDT 2018

On 10/4/18 11:08 PM, Mark Andrews wrote:

>> This is a complicated problem.  DNSsec is about identity and is not merely a technical protocol. It requires that trust is built and maintained between the entities in the DNS tree, this trust is structured heretically so that everyone doesn't have to maintain trust with everyone else. Through this heretical structure, trust is built through validating and certifying the parties involved and this trust is then legally enshrined in contracts between the entities involved. The fact that the other parties in the tree have contracted with the entity higher in the tree, in this case, ARIN, is why you can trust them. Without those contracts, there is no way to enforce consequences for misbehavior and the trust will eventually be broken. The contracts are the basis for the trust needed by the system and without this trust, there is no need for the DNSsec protocol.
> If ARIN will update/add NS records then they should update/ns DS records.  THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED.  DNSSEC does not magically require that you need
> to do more diligence before making a change.  If ARIN is willing to change NS records then
> whatever requirements they have to permit that change is ALL they should need to permit DS
> records to be changed.
>> ARIN has to have contracts with all entities participating in DNSSec and RPKI through it for the schemes to work, even that may not be enough to for these schemes to work, but without that there is no way for these schemes to work.
>> The financial issues are completely separate from why contracts are necessary. However, life sure is easier when everyone is paying their fair share, but in this case, I don't think fair needs to be an equal share.

Thanks all for the responses.  I appreciate the clarifications and other 

I tend to side with Mark A. on this point.  I don't think that DNSSEC is 
or should be a signaling protocol for me to determine whether an entity 
has a contractual relationship with ARIN as opposed to an "implied 
trust" relationship.  And I further agree with Mark that the presence of 
delegation NS records is a substantial statement of implied trust that 
does not materially change with DNSSEC--the latter simply provides a way 
of technically verifying the integrity of an existing implied trust.

That said, I am interested in hearing from David F. or John C. as to 
what kinds of background research is initiated when a (L)RSA is 
initiated.  (Sorry, I arrived at $current_employer only as the execution 
of the contracts was being completed.)  I know that there's a process 
for when a specified transfer occurs, and that process *includes* a 
(L)RSA, but does the (L)RSA trigger the background/history check or is 
it the other way around?

Regarding fees, in the few (3 or so) cases I have seen, covering the 
desired resources under (L)RSA doesn't materially change the fees for 
the organization, so it's more an issue of potential legal encumbrances 
rather than desire for "free" services.  But I realize that's not always 
the case--different organizations may have different reasons for signing 
or not.


More information about the ARIN-PPML mailing list