On 10/4/18 11:08 PM, Mark Andrews wrote:

This is a complicated problem.  DNSSEC is about identity and is not merely a 
technical protocol. It requires that trust is built and maintained between the 
entities in the DNS tree; this trust is structured hierarchically so that everyone 
doesn't have to maintain trust with everyone else. Through this hierarchical 
structure, trust is built through validating and certifying the parties 
involved and this trust is then legally enshrined in contracts between the 
entities involved. The fact that the other parties in the tree have contracted 
with the entity higher in the tree, in this case, ARIN, is why you can trust 
them. Without those contracts, there is no way to enforce consequences for 
misbehavior and the trust will eventually be broken. The contracts are the 
basis for the trust needed by the system and without this trust, there is no 
need for the DNSSEC protocol.

If ARIN will update/add NS records then they should update/ns DS records.  
THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED.  DNSSEC does not magically 
require that you need to do more diligence before making a change.  If ARIN is 
willing to change NS records then whatever requirements they have to permit 
that change is ALL they should need to permit DS records to be changed.

ARIN has to have contracts with all entities participating in DNSSEC and RPKI 
through it for the schemes to work, even that may not be enough for these 
schemes to work, but without that there is no way for these schemes to work.

The financial issues are completely separate from why contracts are necessary. 
However, life sure is easier when everyone is paying their fair share, but in 
this case, I don't think fair needs to be an equal share.

Thanks all for the responses. I appreciate the clarifications and other statements.

I tend to side with Mark A. on this point. I don't think that DNSSEC is or should be a signaling protocol for me to determine whether an entity has a contractual relationship with ARIN as opposed to an "implied trust" relationship. And I further agree with Mark that the presence of delegation NS records is a substantial statement of implied trust that does not materially change with DNSSEC--the latter simply provides a way of technically verifying the integrity of an existing implied trust.

That said, I am interested in hearing from David F. or John C. as to what kind of background research is initiated when a (L)RSA is initiated. (Sorry, I arrived at $current_employer only as the execution of the contracts was being completed.) I know that there's a process for when a specified transfer occurs, and that process *includes* a (L)RSA, but does the (L)RSA trigger the background/history check or is it the other way around?

Regarding fees, in the few (3 or so) cases I have seen, covering the desired resources under (L)RSA doesn't materially change the fees for the organization, so it's more an issue of potential legal encumbrances rather than desire for "free" services. But I realize that's not always the case--different organizations may have different reasons for signing or not.

thanks,
michael