Dear colleagues,
In this message we would like to raise a number of issues we have
identified with the proposal to establish a "DNSSEC Lookaside
Validation (DLV) IANA Registry" (draft-weiler-dnssec-dlv-iana-00).
* Domains under .arpa
The document requests the establishment of a sub-domain of .arpa that
is to be used as the "anchor" for the domain-name-tree that can be
used with the DLV algorithm described in draft-weiler-dnssec-dlv-03.
The IAB has specific responsibilities with respect to the
establishment of domains under the .arpa domain [RFC3172]. It is
based on that responsibility that we write this last-call comment.
RFC3172 specifically calls for a description of the delegation, and
the hierarchical name structure in an IETF standards track document.
We observe this document does not give the crisp and clear
instructions that are needed to maintain the zone. IANA would need
very precise instructions on how and when it needs to add data to the
DLV infrastructure. That the document requests a dnssec.arpa domain
is a detail that should not be overlooked.
In addition, we believe that the reason that RFC3172 requires a
standards track document is that a domain under .arpa is only to be
delegated if there is a use for long term infrastructure needs.
Arguably DLV is a transition mechanism.
* Service costs and competition.
This document is requesting IANA to establish a service that could be
costly to implement. It can be argued that the operational costs
involved with the maintenance and publication of this registry are
significantly higher than for other registries that IANA maintains
for the IETF.
Even though IANA is currently providing their services with respect
to registration of technical parameters for free, we should work from
the assumption that at one time we, the IETF/IAOC, might have to pay
for the maintenance of the technical parameter registries.
Although IANA is in a unique position in that it has an established
relation with the TLD operators and the number registries for the
domains under in-addr.arpa, it is not the only party that could offer
this service. The DLV protocol allows multiple parties to start a DLV
registry at arbitrary locations in the namespace. In fact, one might
expect a competitive market of DLV registries. Given that we think
that there are no strong technical arguments for a unique domain
under the .arpa domain, we observe that the establishment of a dlv
domain under .arpa needs further thought with respect to how the IAB/
IETF would influence the above mentioned market.
* Relation between IANA and IETF.
The relation between IANA and the IETF is covered through an MOU
[RFC2860]. The guiding document for the establishment of .arpa
[RFC3172] specifically mentions the delegation of new domains
under .arpa being done as part of that MOU.
Section 4.3 is relevant to the issue we want to raise here:
4.3. Two particular assigned spaces present policy issues in addition
to the technical considerations specified by the IETF: the assignment
of domain names, and the assignment of IP address blocks. These
policy issues are outside the scope of this MOU.
The establishment of the DLV registry bootstraps on relations that
IANA maintains with the TLDs on the basis of the maintenance of a
space that is specifically outside the scope of the MOU between the
IETF and IANA. We feel that by stepping over this boundary we would
also get involved in some of the policy issues regarding the
"forward" name space. That there are policy issues with getting the
root signed is duly known. So if the IETF were to establish this DLV
registry in .arpa, then that might be seen as an attempt to outrun
the policy making process. We therefore feel that the IETF should be
extremely careful in making a request of this sort.
* Conclusion
The IAB, obviously, favors expedient deployment of DNSSEC in the DNS
root.
In the absence of such we understand that mechanisms such as DLV or
the publication of lists with TLD trust anchors could aid deployment.
However, the IAB does not support the establishment of a domain
under .arpa combined with a request from the IETF to IANA to
establish such a service as that would implicitly be based on the MOU
between RFC3172. However,
- if there is IETF wide consensus on a proposal to establish
a .arpa zone;
- if such proposal would deal with the 'competition' issues
mentioned above;
- if such proposal should contain much more detail on how to
establish and maintain authentic DLV entries;
- and if said proposal describes the other requirements for such
registry such as key management;
then given such IETF consensus the IAB will explore how such registry
can be established without violating the MOU.
On behalf of the IAB,
--Olaf Kolkman
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf