<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><br></div></div></div><div dir="ltr">On Thu, Oct 4, 2018 based on the <br></div><div class="gmail_quote"><div dir="ltr">at 1:15 PM Bill Woodcock <<a href="mailto:woody@pch.net" target="_blank">woody@pch.net</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> On Oct 4, 2018, at 11:10 AM, John Curran <<a href="mailto:jcurran@arin.net" target="_blank">jcurran@arin.net</a>> wrote:<br>
> ARIN had been inconsistent in our approach to ... DNSSEC services over the years.<br>
<br>
There is no room for inconsistency in the application of security.<br>
<br>
You’re entirely missing Michael’s point. DNSSEC is not a _treat_ that you dangle in front of universities, it’s an operational requirement for _the whole Internet_, of which your paying members are constituents. You’re denying _me_ the ability to use DNSSEC to validate addresses any time you prevent anyone from registering a DS record.<br>
<br>
-Bill</blockquote><div><br></div><div><div>This is a complicated problem. DNSsec is about identity and is not merely a technical protocol. It requires that trust is built and maintained between the entities in the DNS tree, this trust is structured heretically so that everyone doesn't have to maintain trust with everyone else. Through this heretical structure, trust is built through validating and certifying the parties involved and this trust is then legally enshrined in contracts between the entities involved. The fact that the other parties in the tree have contracted with the entity higher in the tree, in this case, ARIN, is why you can trust them. Without those contracts, there is no way to enforce consequences for misbehavior and the trust will eventually be broken. The contracts are the basis for the trust needed by the system and without this trust, there is no need for the DNSsec protocol.</div><div><br></div><div>ARIN has to have contracts with all entities participating in DNSSec and RPKI through it for the schemes to work, even that may not be enough to for these schemes to work, but without that there is no way for these schemes to work. </div><div><br></div><div>The financial issues are completely separate from why contracts are necessary. However, life sure is easier when everyone is paying their fair share, but in this case, I don't think fair needs to be an equal share.</div></div><div><br></div><div>Thanks.</div><div><br></div><div> -- </div></div><div dir="ltr" class="gmail-m_581525499540351981gmail_signature">===============================================<br>David Farmer <a href="mailto:Email%3Afarmer@umn.edu" target="_blank">Email:farmer@umn.edu</a><br>Networking & Telecommunication Services<br>Office of Information Technology<br>University of Minnesota <br>2218 University Ave SE Phone: 612-626-0815<br>Minneapolis, MN 55414-3029 Cell: 612-812-9952<br>===============================================</div></div></div></div></div></div></div></div></div></div></div>