[dns-wg] RIPE NCC DNSSEC trust anchors

Dear Collegues,

Our message from last Thursday (see
https://www.ripe.net/ripe/mail/archives/dns-wg/2014-November/002981.html) has
stirred a significant amount of discussion. Trying to summarize the
responses on the mailing list, I came to the below list of topics:

/1 Why does any zone under 62.in-addr.arpa have to be in the DLV? Since
62/8 is under RIPE NCC control, it can be properly signed.
/2 Why does RIPE NCC still submit key material to the DLV? RIPE NCC
should no longer endorse out-of-band mechanisms for key publication.
/3 Discussion around the current use of ripe.int.
/4 Discussion around the current use of ripen.cc.

I will try to answer each of these point separately.

1/ While the RIPE NCC controls 62/8, the delegations under it are not
necessarily under our control. Specifically the /24 mentioned in the
original post is part of 62.76/16, which is delegated to the Russian
Institute for Public Networks (RIPN). RIPN does not sign its zones,
therefore we have been using an out of band mechanism.

2/ The RIPE NCC has been publishing this key material out of band for
historical reasons. If there is a consensus in the WG that this is no
longer needed, or even undesirable, we are happy to phase out the use of
the DLV.

3/ RIPE NCC has been assigned ripe.int in the early 2000's. We are
currently not using ripe.int, other than by redirecting to ripe.net. If
the community advises the RIPE NCC to request IANA to sign .int, we can
spend some effort on this, but we'd like to follow up on this separately.

4/ Ripen.cc is a historical artifact. RIPE NCC is not currently using it
and we are not planning any future use. Releasing the domain is an
operational decision that we may take in the future.

Kind regards,
Romeo Zwart
RIPE NCC