[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

John Curran jcurran at arin.net
Sat Oct 6 00:47:50 EDT 2018

On 5 Oct 2018, at 9:14 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> Recognizing, as I do, that the PPML is not the best place for me to be
> seeking to cure my ignorance, I hope nontheless that no one here will
> begrudge me too much if I ask just a couple of additional naive (stupid?)
> but arguably pertinent questions:
>   1)  I confess that I know virtually nothing about DNSSEC.  I do know one
>   thing however, which is that there's such a thing, in the world of domain
>   names, as a "self signed" SSL certificate.  Thus, my question:  May the
>   DNSSEC records applicable to rDNS for a given CIDR be self signed?

Your self-signed SSL certificate doesn’t provide any meaningful authentication (hence why many browsers object to them) but does support TLS transport encryption for your web query.   

DNSSEC is solely about authentication of the zone data as being from the legitimate source and that isn’t possible with self-signed keys – i.e. I wouldn’t expect there is a meaningful parallel situation (but will leave it to those with a deeper knowledge of DNSSEC bits to confirm one way or the other…) 

>   2)  John mentioned three separate considerations which, I infer, are the
>   three things that typically motivate some legacy holders to remain outside
>   of the tent, as it were, namely:
>       a)  property rights
>       b)  fees
>       c)  applicability of community-developed policies
>    John and the whole ARIN team already have to deal with levels of complexity
>    that would likely drive most humans mad in short order,    …

(That which does not kill us makes us stronger.)

>    and I am loath to
>    suggest adding anything on top of that, but I can't help wondering if
>    it might not be possible to bring more legacy holders into the tent if
>    the above three things were contractually sliced and diced in ways that
>    made contracts more palatable to holdouts.  (For example, I can imagine
>    that some folks might be OK with paying ordinary fees, but would be
>    reluctant to sign away property rights... to the extent that any such
>    alleged ``rights'' might have any real legal existance.  Others might
>    not want to pay full fees, but might be OK with contractually disavowing
>    property rights.)
>    And yes, that's a question.  I just want to know if such (contractual)
>    slicing and dicing has been considered as a way to get more holdouts into
>    the tent.

As noted earlier, we’ll likely need to reexamine the legal hurdles posed by agreement terms subsequent to the RPKI study. 

We’ve just managed to get all customers on the same terms and conditions (by carrying over the more favorable provisions of the LRSA into the RSA, thus resulting in a single agreement for both purposes), and it is unclear if it it is fair & equitable to provide for a long-term difference in terms and conditions for one group of ARIN customers over another, but it will be considered when looking into the legal hurdles to RPKI and DNSSEC deployment. 


John Curran
President and CEO

More information about the ARIN-PPML mailing list