Hello Everyone,

As many of you may know, one of the functions of the Internet Assigned Numbers 
Authority (IANA) is the global coordination of the DNS Root Zone. One of the 
core components to DNS is DNSSEC. The Root Key Signing Key (KSK) acts as the 
trust anchor for DNSSEC for the Domain Name System, and this trust anchor is 
configured in DNSSEC-aware resolvers to facilitate validation of DNS data. This 
is how your DNS servers are able to cryptographically validate the authenticity 
of DNS records they receive and serve. For more information pertaining to 
DNSSEC, how it operates, the KSK and the relevant policies and procedures, I 
recommend visiting https://www.iana.org/dnssec for more info.

In order to ensure the security of the KSK, IANA utilises Hardware Security 
Modules (HSM) to generate the KSK pair of public and private keys, which in 
turn are used to sign the Zone Signing Key (ZSK), that itself is used to sign 
DNS records (RRsets) within a DNS zone. As it currently stands, both of these 
HSMs currently reside in high-security Key Management Facilities (KMFs) in the 
USA, with one facility located in Culpeper VA, and the other in El Segundo CA.

Now, while the locations of these HSMs are highly secure, both of them are 
located on US soil. As most people who are familiar with redundancy will know, 
this is not a good idea for a number of reasons (which I won't go into detail here as 
it's outside the scope of this email). What we as a community MUST DO, is look 
at the relocation of one of these HSMs to an alternate country such as 
Singapore or Switzerland (regarded as two safe countries) to ensure the 
continued integrity of the Root KSK.

Unfortunately, section 4.2(b) of the IANA Naming Function Contract 
(https://pti.cdn.icann.org/resources/151/IANA_Naming_Function_Contract.pdf) 
between the Internet Corporation for Assigned Names and Numbers (ICANN) and 
Public Technical Identifiers (PTI) that govern how IANA performs its functions 
prohibits the operation of functions outside of the US. Given that the Internet 
is one of the most critical pieces of global (and not just US-based) 
infrastructure, I feel that this section of the contract must be reviewed (and 
deleted or modified to allow for PTI to perform the functions from Singapore, 
Switzerland or another safe jurisdiction) to maintain the integrity of the 
Domain Name System. The Second IANA Naming Function Review Team (IFRT2) have 
released an initial draft report of its analysis, issues and recommendations 
which also incorporates a review of the Contract between ICANN and PTI.

The IFRT2 have opened a public call for comments on the draft report, before 
they submit their Final Report to ICANN's Board of Directors which they expect 
to do before June this year. The Public Comment period closes for submissions 
on 28 April 2025 at 23:59hrs UTC, and I strongly encourage everyone to read the 
report and provide input regarding support to relocating one of the Key 
Management Facilities across the Pacific or Atlantic Oceans. To view the report 
and submit a comment, please go to 
https://www.icann.org/en/public-comment/proceeding/second-iana-naming-function-review-team-ifr2-initial-report-20-03-2025/.
In order to submit a comment on the report, you will need an account on 
https://account.icann.org/.

In closing, I cannot stress one thing enough - this in no way speaks to the 
professionalism of ICANN's staff. The team at ICANN perform some of the hardest 
work out there, ensuring the integrity and stability of the Internet as we know 
it today and for that they cannot be thanked enough. This recommendation to 
move one of the KMFs overseas is simply to help protect it from potential 
political instability, bias, and to encourage neutralism. We're already doing 
it with the operation of the DNS Root Zone, let's take it one step further and 
strengthen the security of DNSSEC and the Root KSK.

If you have any questions, please do feel free to ask, either on-list or 
off-list.

Regards,
Christopher Hawker
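The trust-anchor step described at the top of the message, as an added example that is not part of the original email: a validating resolver is configured with a DS record for the root KSK and checks the DNSKEY it receives against it. The key tag and DS digest computations follow RFC 4034 (Appendix B and section 5.1.4); all function names are my own, and the DNSKEY below is constructed sample data, not the real root KSK (the real anchor is published by IANA at https://www.iana.org/dnssec).

```python
import hashlib
import struct

# DNSKEY flags: bit 7 (value 256) = Zone Key, bit 15 (value 1) = Secure Entry Point.
# A KSK carries both, so its flags field is 257; a ZSK carries only 256.
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name; the root '.' is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record a resolver is configured with as its trust anchor."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}

def matches_trust_anchor(anchor: dict, owner: str, rdata: bytes) -> bool:
    """What a validator does with a received root DNSKEY: it must be a KSK
    (ZONE_KEY|SEP, protocol 3) and its tag, algorithm and digest must equal the anchor."""
    flags, protocol, alg = struct.unpack("!HBB", rdata[:4])
    ksk = FLAG_ZONE_KEY | FLAG_SEP
    if protocol != 3 or flags & ksk != ksk:
        return False
    return (anchor["key_tag"] == key_tag(rdata) and anchor["algorithm"] == alg
            and anchor["digest"] == ds_digest(owner, rdata))

# Constructed sample key (NOT the real root KSK): flags 257, RSASHA256 (alg 8), dummy key bytes.
SAMPLE_KSK = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, 8, bytes([1, 2, 3, 4]))
ROOT_ANCHOR = make_ds(".", SAMPLE_KSK)

if __name__ == "__main__":
    print(ROOT_ANCHOR, "accepted:", matches_trust_anchor(ROOT_ANCHOR, ".", SAMPLE_KSK))
```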