[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders

hostmaster at uneedus.com
Sat Oct 6 18:50:18 EDT 2018

The reason that this issue is so difficult is the funding model of DNS has 
changed over the years, and the formation of ARIN has never completely 
addressed that issue.

In the beginning days, DNS was in fact a large shared host file, installed 
on every machine.  In effect, the cost of adding hosts to the shared file 
was indirectly paid by the public entity that was paying the salary of 
those that maintained the host file, and the downloading and local costs 
were borne by each node.

When port 53 DNS was established, costs were distributed among all 
connected nodes because each connected network needed to have at least 2 
DNS servers connected to the network.  There was some central 
administration involved, but that was paid by taxes or grants and not 
directly by the holder.

At the time the original poster received his resources, there was no 
charge for receiving numbering resources, and grants and other government 
funding was paying for the reverse DNS function, and the individual 
resource holder was not charged, nor was there any contract for the 
reverse dns. The resource holder was responsible for providing 2 or more 
dns servers, and the maintainer of the reverse zone would point to those 
servers, and the remainder of the cost and responsibility for the dns 
servers was borne by the resource holder.

The discussion of NetSol obtaining the contract, and the charge for a 2 
year period had to do with domain names, not numbering resources.  If the 
holder wanted domain names, they could be obtained from NetSol, or from 
other registries if eligible such as .edu or .us. These fees did not go 
toward numbering resources.  In the very beginning, these were also free.

Before ARIN, the reverse zone was provided via Internic, which I believe 
was publicly funded.  Currently the .arpa zone used for reverse DNS in 
IPv4 is operated by Verisign GRS under contract to IANA.  Each of the 
reverse zone /8s of the internet are in turn delegated to the holder of 
that /8, which is either one of the RIRs or the legacy holder of that /8. 
This is why these legacy holders holding an /8 can get DNSSEC to work 
regardless of the wishes of ARIN, since ARIN is not in the chain of trust, 
and therefore has no control whatsoever over this issue.

Those legacy holders with less than an /8 have ARIN in the trust path for 
DNSSEC and cannot receive DNSSEC (or RPKI) without the involvement of ARIN. 
As to the total /24's shown in the chart, I suspect that the greatest 
majority in total number of /24's are part of legacy /8's, who quite 
frankly have legal teams that tell them not to sign an (L)RSA, since that 
might take away commercial rights that they might have in the resources.

The term "freeloader" is a loaded term and as pointed out this discussion 
has been going on unresolved since the formation of ARIN.  It could also 
be argued that those receiving number resources prior to ARIN when 
charges were not being made have a valid point.  Along comes ARIN, who 
wants to tax/charge/fee the resource holder for services that were never 
directly charged for prior to ARIN, and they do not consider this to be 
right, since they never had any kind of agreement with ARIN.

The basic problem from the smaller than /8 legacy holder perspective is 
that IANA has delegated the reverse /8 containing their legacy resources 
to ARIN, injecting ARIN in the middle of this.  It is not possible 
therefore to get DNSSEC or any other DNS service on the reverse zone 
working without ARIN's help.  One could say that this was done without the 
"permission" of the resource holder at the time.  ARIN's website states 
"At its formation, the ARIN Board of Trustees decided that ARIN would 
provide registration services for these legacy number resources without 
requiring the original resource holders to enter into a registration 
services agreement or pay service fees."  I suspect this was done to avoid 
an issue with the legacy holders, who at the time of ARIN formation likely 
controlled a majority of the assigned numbering space and could have caused 
quite a stink for ARIN over any charges.

I personally think the fee schedule needs to charge larger resource 
holders much more than the small resource holder.  Looking at the fee 
chart, if I hold a single /24, the least I will pay is $150/year. If I opt 
to become a member, I am 3 X small and pay $250/year.  If I am a large 
player and hold a /8 (65536 /24's), I am 3 X large and pay $64,000/year 
for membership.  That is only 98 cents per /24, compared to the small 
player that gets to pay either $150 or $300 per year. At the very top of 
the chart, that becomes 48 cents per /24 if I hold a /5 (larger than a 
/6).  While efforts have been made to increase fees to larger players, it 
is still not distributed evenly based on a per resource basis.

Based upon the rates per /24 charged to larger players, that "freeloader" 
is costing ARIN $2/year or less.  On the other hand, DNSSEC does benefit 
the security of the ENTIRE community, including those in other RIR 
regions.  While many at ARIN and elsewhere do not like providing those 
"free" services to those legacy holders, DNSSEC is a benefit to ALL the 
community.  Since IANA runs the root of the .arpa reverse zone, maybe 
costs should be funded by IANA and their 18 cent domain tax.

The amount of true cost for small players is in my opinion higher than the 
cost of collection of a fair fee of $1 or less per /24 per year. Remember, 
these small players include not only the original poster, but other 
organizations including Berea College (BEREAC), a college with a billion 
dollar endowment, who clearly would appear from ARIN's perspective to be able 
to afford a membership, but also choose to be a "freeloader".  They hold 
but a single legacy /24, and choose instead to use their resources to 
provide tuition free education to their entire student body rather than 
paying annually for an ARIN membership.

I do not know what will be the answer, or if this will ever be solved 
until IPv6 becomes the primary transport on the internet. I think the 
price of IPv4 resources will be like a bell curve, and we will start 
seeing the price of IPv4 blocks start to sink once IPv6 becomes the 
primary transport.  How many years before this happens, I do not know.

Albert Erdmann
Network Administrator
Paradise On Line Inc.

On Sat, 6 Oct 2018, Jo Rhett wrote:

> On Oct 6, 2018, at 12:47 PM, Lee Dilkie <lee at dilkie.com> wrote:
>> On 2018-10-05 00:40, Jo Rhett wrote:
>>> Refusing to authenticate resources used by holders who cannot be validated is a feature, not a bug.
>> And validation of a resource holder isn't the same thing as holding an RSA contract. Let's be clear about that, they are different issues.
> No entity, even government entities, are required to provide services to people who won't sign the current service agreement.
> -- 
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet projects.
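The chain-of-trust point made above (a /8 holder is delegated directly from in-addr.arpa, while a smaller legacy holder depends on the operator of the /8 zone to publish a DS record) can be shown with a small model. The following Python is an added example, not code from this thread or from ARIN; the zone operators, delegations and DS records in it are constructed assumptions for illustration, and the real in-addr.arpa tree may differ.

```python
"""Model of the DNSSEC chain of trust for IPv4 reverse (in-addr.arpa) zones.

Added example, not from the original thread. The zone operators and DS
records below are constructed assumptions used only to illustrate which
parent zone must publish a DS before a holder's reverse zone can validate.
"""
import ipaddress

# Constructed sample registry: zone name -> (operator, set of child zones for
# which this zone publishes a DS record). Operators are assumptions.
SAMPLE_ZONES = {
    ".": ("root", {"arpa."}),
    "arpa.": ("IANA (assumed)", {"in-addr.arpa."}),
    "in-addr.arpa.": ("IANA (assumed)", {"10.in-addr.arpa.", "192.in-addr.arpa."}),
    "10.in-addr.arpa.": ("legacy /8 holder (assumed)", set()),
    # The /8 zone operator publishes a DS for the /16 child but not for the /24.
    "192.in-addr.arpa.": ("RIR operating the /8 zone (assumed)", {"1.192.in-addr.arpa."}),
    "1.192.in-addr.arpa.": ("holder of 192.1.0.0/16 (assumed)", set()),
    "2.0.192.in-addr.arpa.": ("holder of 192.0.2.0/24 (assumed)", set()),
}


def reverse_zone(prefix):
    """Return the in-addr.arpa zone covering an IPv4 /8, /16 or /24 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes are modelled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def delegation_chain(prefix):
    """List the zones from the root down to the holder's reverse zone.

    The model assumes a /16 or /24 reverse zone is delegated directly from
    the /8 zone, so there is no separate /16 level on the path to a /24.
    """
    zone = reverse_zone(prefix)
    first_octet = zone.split(".")[-4]  # "192" from "2.0.192.in-addr.arpa."
    slash8 = first_octet + ".in-addr.arpa."
    chain = [".", "arpa.", "in-addr.arpa.", slash8]
    if zone != slash8:
        chain.append(zone)
    return chain


def validate_chain(prefix, zones=SAMPLE_ZONES):
    """Walk parent -> child down the delegation chain and check each link.

    Returns (ok, parent_zone, operator). On success parent_zone and operator
    are None. On failure they name the zone whose operator must publish a DS
    record for the child before the holder's zone can be validated.
    """
    chain = delegation_chain(prefix)
    for parent, child in zip(chain, chain[1:]):
        operator, ds_for = zones.get(parent, ("unknown", set()))
        if child not in ds_for:
            return (False, parent, operator)
    return (True, None, None)


if __name__ == "__main__":
    for p in ("10.0.0.0/8", "192.1.0.0/16", "192.0.2.0/24"):
        ok, parent, operator = validate_chain(p)
        status = "validates" if ok else f"blocked at {parent} ({operator})"
        print(f"{p:14} -> {reverse_zone(p):24} {status}")
```

In the constructed data the /8 holder validates without any RIR zone on its path, the /16 validates because the /8 zone operator has published its DS, and the /24 is blocked at the /8 zone: that operator is the only party who can complete the chain, which is the dependency the post describes.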
