[dns-wg] NTIA response - v5

I have updated the draft response to reflect today's comments. Aside  
from tweaking the introductory paragraph -- I hope this now sets the  
right tone without upsetting Stephane -- the significant change was to  
move Rick's comments about trust to nomber 4 from number 12 on the  
list. This seemed to be a more suitable place for this point.

Is version 5 of the draft now something that the WG as a whole can  
accept?

PS: Please try to avoid suggestions on cosmetic changes to the text  
unless these would improve the clarity. The WG needs to reach  
consensus on a statement in a day or two. So we should try to focus on  
what we are trying to say rather than how we are actually saying it.  
Within reason of course....

#
#	$Id: ntia-draft,v 1.6 2008/11/05 22:36:42 jim Exp $
#

The RIPE community (or DNS WG?) thanks the NTIA for its consultation
on proposals to sign the root and is pleased to offer the following
response to that consultation. We urge the adoption of a solution that
leads to the prompt introduction of a signed root zone. Our community
considers the introduction of a signed root zone to be an essential
enabling step towards widespread deployment of Secure DNS, DNSSEC.

It is to be expected that a community as diverse as RIPE cannot have a
unified set of detailed answers to the NTIA questionnaire. However  
several
members of the RIPE community will be individually responding to that
questionnaire. We present the following statement as the consensus
view of our community (or the DNS Working Group?) about the principles
that should form the basis of the introduction of a signed DNS root.

1. Secure DNS, DNSSEC, is about data authenticity and integrity and
not about control.

2. The introduction of DNSSEC to the root zone must be recognised as a
global initiative.

3. Addition of DNSSEC to the root zone must be done in a way that does
not compromise the security and stability of the Domain Name System.

4. When balancing the various concerns about signing the root zone,
the chosen approach must provide an appropriate level of trust and
confidence by offering a maximally secure technical solution.

5. Deployment of a signed root should be done in a timely but not
hasty manner.

6. To assist with a timely deployment, any procedural changes
introduced by DNSSEC should be aligned with the current process for
coordinating changes to and the distribution of the root zone. However
those procedural changes should provide sufficient flexibility to
allow for the roles and processes as well as the entities holding
those roles to be changed after suitable consultations have taken
place.

7. Policies and processes for signing the root zone should make it
easy for TLDs to supply keys and credentials so the delegations for
those TLDs can be signed.

8. There is no technical justification to create a new organisation to
oversee the process of signing of the root.

9. No data should be moved between organisations without appropriate
authenticity and integrity checking.

10. The public part of the key signing key must be distributed as
widely as possible.

11. The organisation that generates the root zone file must sign the
file and therefore hold the private part of the zone signing key.

12. Changes to the entities and roles in the signing process must not
necessarily require a change of keys.