Call for Support: RIPE response to the US NTIA's NoI
Dear RIPE Community, as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>). The text below reflects the consensus of the DNS working group. As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal. Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here. It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well. Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html>. Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than Friday, 21 Nov 2008 12:00 UTC. Thanks in advance for your consideration! -Peter Koch [DNS WG co-chair] ----------------------------------------------------------------------------- # # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ # The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf. It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root. 1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control. 2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative. 3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System. 4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution. 5. Deployment of a signed root should be done in a timely but not hasty manner. 6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone. 7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place. 8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root. 9. There is no technical justification to create a new organisation to oversee the process of signing of the root. 10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root. 11. The public part of the key signing key must be distributed as widely as possible. 12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key. 13. Changes to the entities and roles in the signing process must not necessarily require a change of keys. -----------------------------------------------------------------------------
Peter, I fully endorse the proposed RIPE response to the US NTIA's NoI. Furthermore, my great thanks to the editorial team who did a tremendous job !!! Rob
Peter, On Fri, Nov 14, 2008 at 11:59:09PM +0100, Peter Koch wrote:
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition.
I support the text. Thanks for all the work that you and the authors put into this. David Kessens ---
I fully support the response text below Joao Damas On 14 Nov 2008, at 16:59, Peter Koch wrote:
Dear RIPE Community,
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here.
It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well.
Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html
.
Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than
Friday, 21 Nov 2008 12:00 UTC.
Thanks in advance for your consideration!
-Peter Koch [DNS WG co-chair]
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
Hello Peter,
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
I fully support this text:
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
- Sander
I support this text (v 1.9) as well. Antoin Verschuren Technical Policy Advisor SIDN Utrechtseweg 310 PO Box 5022 6802 EA Arnhem The Netherlands T +31 26 3525500 F +31 26 3525505 M +31 6 23368970 E antoin.verschuren@sidn.nl W http://www.sidn.nl/
-----Original Message-----
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
I, as a DNS professional, support this statement. Robert Martin-Legène Peter Koch wrote:
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
On Fri, 2008-11-14 at 23:59 +0100, Peter Koch wrote:
# $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
I'm happy to support this version of the text, and to say "Well done" to the team who did the work. Niall O'Reilly University College Dublin IT Services
I fully support the v1.9 text as a reply to the NTIA NoI! Best regards, /Liman #---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail/SIP/Jabber: liman@autonomica.se # Senior Systems Specialist ! Tel: +46 8 - 562 860 12 # Autonomica AB, Stockholm ! http://www.autonomica.se/ #----------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
Disclaimer: I was one of the persons working on the text. That said, I still want to explicitly say that I fully support the final outcome of the work done in the DNS wg. Patrik On 14 nov 2008, at 16.59, Peter Koch wrote:
Dear RIPE Community,
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here.
It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well.
Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html
.
Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than
Friday, 21 Nov 2008 12:00 UTC.
Thanks in advance for your consideration!
-Peter Koch [DNS WG co-chair]
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
# $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
I fully support the text, and like to thank the editors for their work. Gilles Massen .lu -- Fondation RESTENA - DNS-LU 6, rue Coudenhove-Kalergi L-1359 Luxembourg tel: (+352) 424409 fax: (+352) 422473
I support this response and extend thanks to those who have spent the time to construct it. Nigel Titley
--On 14 November 2008 23:59 +0100 Peter Koch <pk@DENIC.DE> wrote:
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone.
I support version 1.9 of the RIPE response to the NTIA. Good work. Mike -- Mike Hughes Chief Technical Officer London Internet Exchange Ltd. mike@linx.net http://www.linx.net/ Registered in England 3137929 at 3 Park Road, Peterborough, PE1 2UX
Peter On 14 Nov 2008, at 22:59, Peter Koch wrote:
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
I support this document and support it being presented on behalf of the RIPE Community. Thanks to all who worked on it. Regards Fearghas
Hi, On Fri, 14 Nov 2008, Peter Koch wrote:
# $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
I also support this response. Fergal. -- Fergal Suipeil, Systems Programmer, IT Services, University College Dublin, Ireland.
Peter, ru.rtcomm support this response. Best regards, ____________________________ Ruslan Salikhov RTComm.RU e-mail: r.salikhov@rtcomm.ru e-mail: rus@rtcomm.ru
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
LIR Adamo Europe Supports this response. Best regards. --Dennis Lundström Adamo Europe S.L On Nov 14, 2008, at 11:59 PM, Peter Koch wrote:
Dear RIPE Community,
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here.
It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well.
Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs <http://www.ripe.net/ripe/wg/dns/index.html
.
Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than
Friday, 21 Nov 2008 12:00 UTC.
Thanks in advance for your consideration!
-Peter Koch [DNS WG co-chair]
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
Dear Peter,
# $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $
Thank you and the other people who have put a great effort in producing a text that finally got the DNS-WG consensus. I think v 1.9 is a very good response to US NTIA's NoI. I fully support it. Best regards, Janos Zsako
Dear Peter, Thanks for the good work. I hereby support the proposal. Regards, Brieuc-Yves Cadat 2008/11/14 Peter Koch <pk@denic.de>
Dear RIPE Community,
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here.
It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well.
Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs < http://www.ripe.net/ripe/wg/dns/index.html>.
Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than
Friday, 21 Nov 2008 12:00 UTC.
Thanks in advance for your consideration!
-Peter Koch [DNS WG co-chair]
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
Dear Peter, Thanks for the good work. I hereby support this proposal. Regards, Brieuc-Yves 2008/11/14 Peter Koch <pk@denic.de>
Dear RIPE Community,
as mentioned in my email sent on Monday, the DNS working group has come up with a response to the US NTIA's Notice of Inquiry (NoI) regarding the introduction of DNSSEC for the DNS root zone (for details see <http://www.ntia.doc.gov/DNS/DNSSEC.html>).
The text below reflects the consensus of the DNS working group.
As a follow up to our earlier efforts (see below), the DNS WG suggests that the response to the NTIA come from the broader RIPE community. So, this is the DNS WG's request for your support and endorsement of the proposal.
Please read the text and voice your support or opposition. As mentioned earlier, we will have to meet an external deadline. Therefore, we are not looking for editorial suggestions. Regrettably, it is impractical to further refine or reword the text, since that would require more editing cycles and new consensus calls, which time won't permit. The WG chairs' collective and the RIPE Chair have agreed that it needs a binary decision on the proposal as presented here.
It is possible that the text doesn't represent the optimum for everyone. Still, please consider whether you can support it as a community statement. In any case, the NoI is open for anybody, so you might want to send your individual response and/or contribute to other group efforts, as well.
Clarifying questions are welcome, probably best asked on the DNS WG mailing list or to the DNS WG co-chairs < http://www.ripe.net/ripe/wg/dns/index.html>.
Given the 24 Nov deadline and to allow some time for the evalutaion of the list traffic, you are kindly asked to send your explicit statements to this list no later than
Friday, 21 Nov 2008 12:00 UTC.
Thanks in advance for your consideration!
-Peter Koch [DNS WG co-chair]
-----------------------------------------------------------------------------
# # $Id: ntia-draft,v 1.9 2008/11/13 20:20:41 jim Exp $ #
The RIPE community thanks the NTIA for its consultation on proposals to sign the root and is pleased to offer the following response to that consultation. We urge the adoption of a solution that leads to the prompt introduction of a signed root zone. Our community considers the introduction of a signed root zone to be an essential enabling step towards widespread deployment of Secure DNS, DNSSEC. This view is supported by the letter from the RIPE community to ICANN as an outcome of discussions at the May 2007 RIPE meeting in Tallinn: http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf.
It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire. However several members of the RIPE community will be individually responding to that questionnaire. We present the following statement as the consensus view of our community about the principles that should form the basis of the introduction of a signed DNS root.
1. Secure DNS, DNSSEC, is about data authenticity and integrity and not about control.
2. The introduction of DNSSEC to the root zone must be made in such a way that it is accepted as a global initiative.
3. Addition of DNSSEC to the root zone must be done in a way that does not compromise the security and stability of the Domain Name System.
4. When balancing the various concerns about signing the root zone, the approach must provide an appropriate level of trust and confidence by offering an optimally secure solution.
5. Deployment of a signed root should be done in a timely but not hasty manner.
6. Updates from TLD operators relating to DNSSEC should be aligned with the operational mechanisms for co-ordinating changes to the root zone.
7. If any procedural changes are introduced by the deployment of DNSSEC they should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.
8. Policies and processes for signing the root zone must be transparent and trustworthy, making it straightforward for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.
9. There is no technical justification to create a new organisation to oversee the process of signing of the root.
10. No data should be moved between organisations without appropriate authenticity and integrity checking, particularly the flow of keying material between a TLD operator and the entity that signs the root.
11. The public part of the key signing key must be distributed as widely as possible.
12. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
13. Changes to the entities and roles in the signing process must not necessarily require a change of keys.
-----------------------------------------------------------------------------
participants (22)
-
Antoin Verschuren -
Brieuc-Yves Cadat -
Brieuc-Yves Cadat -
Cara Mascini -
David Kessens -
Dennis Lundström -
Dmitry Burkov -
Fearghas McKay -
Fergal Suipeil -
Gilles Massen -
Janos Zsako -
Joao Damas -
Lars-Johan Liman -
Mike Hughes -
Niall O'Reilly -
Nigel Titley -
Patrik Fältström -
Peter Koch -
Rob Blokzijl -
Robert Martin-Legène -
Ruslan Salikhov -
Sander Steffann