[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

David Conrad drc at virtualized.org
Wed Aug 4 16:09:43 EDT 2010

On Aug 4, 2010, at 7:16 AM, João Damas wrote:
> In fact, does the IANA get to check that the end result of the root generation process (including signing) has the changes that IANA requested to begin with? That is, does the requester get to check the zone before it gets published?


The current root management system could be considered flawed in the sense that the zone editor is also the zone signer and zone publisher. This allows for an unauthorized change to be made (whether accidentally or, infinitely less likely, maliciously) and published without any oversight (other than ex post facto reputational or possibly contractual penalties). A trivial fix to this flaw would be to move the stealth master, e.g., make IANA (as the root zone change proposer) or NTIA (as the root zone change authorizer) be the zone publisher (not editor/signer) so that the changes requested (and only those changes) are indeed in the zone before the zone gets pushed out to the root servers. (Ideally, the verifier would be the TLD admin making the request, but this is unlikely to work in a timely fashion and you really don't want to block publishing the root zone on a TLD admin in some far-off corner of the world actually paying attention.)

Of course, the politics here are ... thick. If IANA were to propose to undertake the publisher role, people who think IANA (ICANN) should have no operational role and others would likely flip out. Having NTIA in that role would probably not be feasible either technically or politically. As such, another fix would be to have IANA or NTIA staff have final sign-off (e.g., via a web form or something) before the zone is published, but logistically I suspect this would actually be harder to implement.

In other words, don't expect change.
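
The publisher-side check described in the message above (that the requested changes, and only those changes, are in the zone before it is pushed out), sketched as an added example that is not part of the original message or of any root zone operator's tooling. The one-record-per-line zone format, the function names and all zone data are assumptions constructed for illustration.

```python
# Added example; zone data below is constructed, not real root zone content.
# Assumption: these types change on every signing run or serial bump, so the
# comparison skips them (a simplification).
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "SOA"}

def parse_zone(text):
    """Parse 'owner ttl class type rdata' lines into a set of record tuples."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype.upper() not in SIGNER_TYPES:
            records.add((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return records

def verify_candidate(published, candidate, approved_add, approved_del):
    """Compare the candidate's delta against the approved change request."""
    old, new = parse_zone(published), parse_zone(candidate)
    want_add, want_del = parse_zone(approved_add), parse_zone(approved_del)
    report = {
        "missing": sorted((want_add - new) | (want_del & new)),
        "unapproved_add": sorted((new - old) - want_add),
        "unapproved_del": sorted((old - new) - want_del),
    }
    report["publish"] = not any(report.values())
    return report

PUBLISHED = """\
. 86400 IN SOA ns.invalid. admin.invalid. 1 1800 900 604800 86400
example. 172800 IN NS a.nic.example.
example. 86400 IN DS 11111 8 2 AAAA   ; constructed digest
other. 172800 IN NS ns1.other.
"""
APPROVED_ADD = "example. 86400 IN DS 22222 8 2 BBBB"
APPROVED_DEL = "example. 86400 IN DS 11111 8 2 AAAA"
GOOD = """\
. 86400 IN SOA ns.invalid. admin.invalid. 2 1800 900 604800 86400
example. 172800 IN NS a.nic.example.
example. 86400 IN DS 22222 8 2 BBBB
example. 86400 IN RRSIG DS 8 1 86400 20100901000000 20100804000000 1 . c2ln
other. 172800 IN NS ns1.other.
"""
# Same as GOOD plus a delegation change nobody requested.
BAD = GOOD.replace("ns1.other.", "ns1.rogue.invalid.")

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, verify_candidate(PUBLISHED, zone, APPROVED_ADD, APPROVED_DEL))
```

The check only has the value the message describes when it runs under the control of a party other than the editor/signer, using that party's own copy of the last published zone and of the approved request.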

