On Wed, 2025-02-26 at 23:50 +0000, David Conrad wrote:
> Tyler,
>
> I’ve been reluctant to comment on this thread, but I’m increasingly
> confused...
>
> On Feb 26, 2025, at 2:47 PM, Tyler O'Meara via ARIN-PPML <[email protected]>
> wrote:
> > We should clarify that only the actual authoritative DNS servers qualify
> > as CII;
>
> So, the load balancers, routers, switches, etc., that connect those servers
> don’t count? The remote database backends the authoritative servers depend on?
> The other backend and administrative systems, etc.?
>
> > as such I propose we use the following language:
> > CII includes Internet Exchanges, IANA authorized authoritative Root DNS
> > servers, TLD authoritative DNS servers, and critical services operated by
> > ARIN and IANA.
>
> > Presumably we don't consider whatever vendor Verisign uses for their
> > corporate email to be CII, for example.
>

Implicit in that statement (at least as I intended it) was to include anything critical to the operation of the authoritative DNS servers. I'll note that the current 4.4 text only allocates a /23 per gTLD, which suggests to me that the authors of the current 4.4 intended those addresses to be used for the publicly facing addresses of the authoritative DNS servers.

My proposed changes were meant to accomplish 2 things:

1) Acknowledge that many organizations that run CII also run/do non-CII things, and that 4.4 space (in my opinion) should only be able to be used for the CII things.

2) Acknowledge that many organizations that run CII have a great many service providers for any host of non-CII purposes (I used the example of corporate email in my prior email), and I likewise don't think that those service providers should be able to use 4.4 space just because Verisign (or any other CII operator) is their client.

For example, RIPE runs K-root, and to the extent they need IPv4 addresses in order to run K-root in ARIN's service region, section 4.4 should (and does) permit that. However, just because RIPE does one thing that qualifies as CII does not mean that everything else they do should also qualify as CII; which a literal reading of the proposed wording could suggest. That's all I'm trying to protect against. Admittedly, this is also a failing of the current 4.4 wording; but since we're rewriting anyways I'd like to close that loophole if possible.

>
> But you do consider the corporate email of ARIN and PTI/ICANN (which provides
> IANA services) CII?
>

I'll note that I also amended the proposed text to say "critical services operated by ARIN and IANA", leaving the judgement of what is a critical service to ARIN staff, but implicitly acknowledging that there may be some things ARIN/IANA do that are not critical to the functioning of the Internet.

> The definition of “CII” used here appears to be arbitrary. Perhaps it might
> help if you define what you think is CII and why ARIN and ICANN/PTI would fall
> under that definition whereas Verisign wouldn’t?
>

I've never asserted that Verisign doesn't operate CII; in fact I've supported broadening the current 4.4 definition to cover more of Verisign's activities (which this draft policy does).

All I'm trying to accomplish is to match the letter of the law (which currently states that any organization that runs CII can use 4.4 for any purpose) with the spirit of the law (that organizations that run CII can use 4.4 to run CII, but not for other purposes).

> Regards,
> -drc
