I think it is a very worthwhile and necessary effort. But the security considerations are woefully insufficient.
What has never been fully appreciated is that while the root zone is the apex of the naming hierarchy, the .arpa zone is potentially the apex of the trust hierarchy. Separating the two concerns is a very useful and worthwhile 'separation of duties' control. Besides the security benefits, a system in which there are two roots makes for much more convincing answers to questions of root rollover.

We should do it right because the .ARPA zone is evolving into the trust root of the legacy telephone system. It is also likely to be the delegation point for any new naming system.

The concentration of risk in the root '.' has always been a weakness in the DNS design. This change provides an opportunity to address some of that.

While the Internet is robust against information attacks, almost none of the facilities are designed to withstand physical attacks. The best defense is to make a physical attack pointless.

What this means in practice is that as with the DNS apex root servers, the .ARPA root servers need to have stable, static IP addresses that change infrequently with long notice times. The zones should be signed using appropriate ceremonies.

I am of course aware of the cost of PKI ceremonies. I taught the VeriSign ceremony course. I am thinking of separating the ceremonies as a longer-term goal, and there is technology developed since we wrote the VeriSign ceremonies that allows the cost to be greatly reduced. One-way sequence technology and threshold signatures mean that it is no longer necessary for key ceremony key holders to meet in the same physical location.

Nobody is going to let us try out new technology on the root zone. But we can probably get away with that for .arpa and then transition the dot to that approach.

So what I would suggest is:

1) Separate the hosts for .ARPA from the root zone hosts.
2) Create a separate set of HSMs for .ARPA but administer them within the ICANN root ceremony.
3) Transition ARPA to next generation technology which avoids the need to meet to perform ceremonies in person.

On Fri, Aug 7, 2020 at 12:49 PM Kim Davies <[email protected]> wrote:

> Folks,
>
> I wanted to draw attention to an Internet-Draft under development that
> seeks to remove the unique interdependency that the .arpa zone has with the
> root zone, by virtue of the zone being served by the root servers:
>
> https://www.ietf.org/id/draft-iana-arpa-authoritative-servers-01.txt
>
> We are looking for additional review of the proposed changes before taking
> further steps.
>
> kim
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
