Call for Support: RIPE response to the US NTIA's NoI

Dear RIPE Community,

as mentioned in my email sent on Monday, the DNS working group has come
up with a response to the US NTIA's Notice of Inquiry (NoI) regarding
the introduction of DNSSEC for the DNS root zone (for details see
<http://www.ntia.doc.gov/DNS/DNSSEC.html>).

The text below reflects the consensus of the DNS working group.

As a follow up to our earlier efforts (see below), the DNS WG suggests that
the response to the NTIA come from the broader RIPE community. So, this is
the DNS WG's request for your support and endorsement of the proposal.

Please read the text and voice your support or opposition.  As mentioned
earlier, we will have to meet an external deadline. Therefore, we are not
looking for editorial suggestions.  Regrettably, it is impractical to further
refine or reword the text, since that would require more editing cycles and
new consensus calls, which time won't permit.
The WG chairs' collective and the RIPE Chair have agreed that it needs
a binary decision on the proposal as presented here.

It is possible that the text doesn't represent the optimum for everyone.
Still, please consider whether you can support it as a community statement.
In any case, the NoI is open for anybody, so you might want to send
your individual response and/or contribute to other group efforts, as well.

Clarifying questions are welcome, probably best asked on the DNS WG mailing
list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html>.

Given the 24 Nov deadline and to allow some time for the evalutaion of the
list traffic, you are kindly asked to send your explicit statements to this
list no later than

		Friday, 21 Nov 2008 12:00 UTC.  

Thanks in advance for your consideration!

-Peter Koch [DNS WG co-chair]

-----------------------------------------------------------------------------

#
#	$Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
#

The RIPE community thanks the NTIA for its consultation on proposals
to sign the root and is pleased to offer the following response to
that consultation. We urge the adoption of a solution that leads to
the prompt introduction of a signed root zone. Our community considers
the introduction of a signed root zone to be an essential enabling
step towards widespread deployment of Secure DNS, DNSSEC. This view
is supported by the letter from the RIPE community to ICANN as an
outcome of discussions at the May 2007 RIPE meeting in Tallinn:
http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.

It is to be expected that a community as diverse as RIPE cannot have a
unified set of detailed answers to the NTIA questionnaire. However
several members of the RIPE community will be individually responding
to that questionnaire. We present the following statement as the
consensus view of our community about the principles that should form
the basis of the introduction of a signed DNS root.

1. Secure DNS, DNSSEC, is about data authenticity and integrity and
not about control.

2. The introduction of DNSSEC to the root zone must be made in such a
way that it is accepted as a global initiative.

3. Addition of DNSSEC to the root zone must be done in a way that does
not compromise the security and stability of the Domain Name System.

4. When balancing the various concerns about signing the root zone,
the approach must provide an appropriate level of trust and confidence
by offering an optimally secure solution.

5. Deployment of a signed root should be done in a timely but not
hasty manner.

6. Updates from TLD operators relating to DNSSEC should be aligned
with the operational mechanisms for co-ordinating changes to the root
zone.

7. If any procedural changes are introduced by the deployment of
DNSSEC they should provide sufficient flexibility to allow for the
roles and processes as well as the entities holding those roles to be
changed after suitable consultations have taken place.

8. Policies and processes for signing the root zone must be
transparent and trustworthy, making it straightforward for TLDs to
supply keys and credentials so the delegations for those TLDs can
benefit from a common DNSSEC trust anchor, the signed root.

9. There is no technical justification to create a new organisation to
oversee the process of signing of the root.

10. No data should be moved between organisations without appropriate
authenticity and integrity checking, particularly the flow of keying
material between a TLD operator and the entity that signs the root.

11. The public part of the key signing key must be distributed as
widely as possible.

12. The organisation that generates the root zone file must sign the
file and therefore hold the private part of the zone signing key.

13. Changes to the entities and roles in the signing process must not
necessarily require a change of keys.

-----------------------------------------------------------------------------