> On 5 Oct 2018, at 3:52 pm, David Farmer <[email protected]> wrote:
>
>
> On Thu, Oct 4, 2018 at 1:15 PM Bill Woodcock <[email protected]> wrote:
>
> > On Oct 4, 2018, at 11:10 AM, John Curran <[email protected]> wrote:
> > ARIN had been inconsistent in our approach to ... DNSSEC services over the
> > years.
>
> There is no room for inconsistency in the application of security.
>
> You’re entirely missing Michael’s point. DNSSEC is not a _treat_ that you
> dangle in front of universities, it’s an operational requirement for _the
> whole Internet_, of which your paying members are constituents. You’re
> denying _me_ the ability to use DNSSEC to validate addresses any time you
> prevent anyone from registering a DS record.
>
> -Bill
>
> This is a complicated problem. DNSsec is about identity and is not merely a
> technical protocol. It requires that trust is built and maintained between
> the entities in the DNS tree, this trust is structured heretically so that
> everyone doesn't have to maintain trust with everyone else. Through this
> heretical structure, trust is built through validating and certifying the
> parties involved and this trust is then legally enshrined in contracts
> between the entities involved. The fact that the other parties in the tree
> have contracted with the entity higher in the tree, in this case, ARIN, is
> why you can trust them. Without those contracts, there is no way to enforce
> consequences for misbehavior and the trust will eventually be broken. The
> contracts are the basis for the trust needed by the system and without this
> trust, there is no need for the DNSsec protocol.

If ARIN will update/add NS records then they should update/ns DS records.
THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED. DNSSEC does not magically
require that you need to do more diligence before making a change. If ARIN
is willing to change NS records then whatever requirements they have to
permit that change is ALL they should need to permit DS records to be changed.

> ARIN has to have contracts with all entities participating in DNSSec and RPKI
> through it for the schemes to work, even that may not be enough for these
> schemes to work, but without that there is no way for these schemes to work.
>
> The financial issues are completely separate from why contracts are
> necessary. However, life sure is easier when everyone is paying their fair
> share, but in this case, I don't think fair needs to be an equal share.
>
> Thanks.
> --
> ===============================================
> David Farmer               Email:[email protected]
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact [email protected] if you experience any issues.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
