Dear colleagues,

In this message we would like to raise a number of issues we have identified with the proposal to establish a "DNSSEC Lookaside Validation (DLV) IANA Registry" (draft-weiler-dnssec-dlv-iana-00).

* Domains under .arpa

The document requests the establishment of a sub-domain of .arpa that is to be used as the "anchor" for the domain-name-tree that can be used with the DLV algorithm described in draft-weiler-dnssec-dlv-03. The IAB has specific responsibilities with respect to the establishment of domains under the .arpa domain [RFC3172]. It is based on that responsibility that we write this last-call comment.
RFC3172 specifically calls for a description of the delegation, and the hierarchical name structure in an IETF standards track document. We observe this document does not give the crisp and clear instructions that are needed to maintain the zone. IANA would need very precise instructions on how and when it needs to add data to the DLV infrastructure. That the document requests a dnssec.arpa domain is a detail that should not be overlooked.
In addition, we believe that the reason that RFC3172 requires a standards track document is that a domain under .arpa is only to be delegated if there is a use for long term infrastructure needs. Arguably DLV is a transition mechanism.
* Service costs and competition

This document is requesting IANA to establish a service that could be costly to implement. It can be argued that the operational costs involved with the maintenance and publication of this registry are significantly higher than for other registries that IANA maintains for the IETF.
Even though IANA is currently providing their services with respect to registration of technical parameters for free we should work from the assumption that at one time we, the IETF/IAOC, might have to pay for the maintenance of the technical parameter registries.
Although IANA is in a unique position that it has an established relation with the TLD operators and the number registries for the domains under in-addr.arpa, it is not the only party that could offer this service. The DLV protocol allows multiple parties to start a DLV registry at arbitrary locations in the namespace. In fact, one might expect a competitive market of DLV registries. Given that we think that there are no strong technical arguments for a unique domain under the .arpa domain, we observe that the establishment of a dlv domain under .arpa needs further thought with respect to how the IAB/ IETF would influence the above mentioned market.
* Relation IANA and IETF

The relation between IANA and the IETF is covered through an MOU [RFC2860]. The guiding document for the establishment of .arpa [RFC3172] specifically mentions the delegation of new domains under .arpa being done as part of that MOU.

Section 4.3 is relevant to the issue we want to raise here:

    4.3. Two particular assigned spaces present policy issues in addition
    to the technical considerations specified by the IETF: the assignment
    of domain names, and the assignment of IP address blocks. These policy
    issues are outside the scope of this MOU.
The establishment of the DLV registry bootstraps on relations that IANA maintains with the TLDs on the basis of the maintenance of a space that is specifically outside the scope of the MOU between the IETF and IANA. We feel that by stepping over this boundary we would also get involved in some of the policy issues regarding the "forward" name space. That there are policy issues with getting the root signed is duly known. So if the IETF were to establish this DLV registry in .arpa, then that might be seen as an attempt to outrun the policy making process. We therefore feel that the IETF should be extremely careful in making a request of this sort.
* Conclusion

The IAB, obviously, favors expedient deployment of DNSSEC in the DNS root.

In absence of such we understand that mechanisms such as DLV or the publication of lists with TLD trust anchors could aid deployment. However, the IAB does not support the establishment of a domain under .arpa combined with a request from the IETF to IANA to establish such a service as that would implicitly be based on the MOU between RFC3172. However,

- if there is IETF wide consensus on a proposal to establish a .arpa zone;
- if such proposal would deal with the 'competition' issues mentioned above;
- if such proposal should contain much more detail on how to establish and maintain authentic DLV entries;
- and if said proposal describes the other requirements for such registry such as key management;

then given such IETF consensus the IAB will explore how such registry can be established without violating the MOU.

On behalf of the IAB,

--Olaf Kolkman