[dns-operations] DNSSEC threshold signatures idea

Mukund Sivaraman muks at mukund.org
Thu Sep 6 16:12:52 UTC 2018

During a conversation about the Yeti project, Davey Song brought up an
idea about using threshold signatures within DNSSEC. While he talked
about it primarily for the root zone within the context of having
multiple signers for it, I'm curious to know what operators think about
the concept for other zones, and if there's any interest in having a
working implementation.

DNSKEY RRs contain public keys. Corresponding secret keys are managed by
signing entities in various ways:

* It may be for a low-risk zone and a human may leave the key on the
  nameserver itself

* The key may be held by some number of trustworthy staff offline and
  when signing is required, one of them signs the zone and returns the
  signed zone

* It may be managed by an automated system under the control of one or
  more people

* It may be held in a locked computer system which may be accessed when
  multiple trustworthy "keepers" are present

* There may be schemes like this:

In many of these cases, it may be possible for one rogue person to sign
records against the wish of the rest of the trustworthy group appointed
by a zone owner. Even though it's unlikely, it's possible to do so
because the control over secret key material may be available to one
person, even if it is wrapped in multiple layers.

The concept of threshold crypto is that there is a public DNSKEY whose
secret key never exists in a single form from which it can be
reconstructed. Instead, each of N members of a group holds a separate
piece of key material, and any M (< N) of them can work together to
prepare RRSIGs, each using their own key material and collaborating to
generate the signatures.

It may be possible for such a scheme to be compatible with existing
DNSSEC algorithms. Is there any operator interest in this?
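To make the M-of-N idea concrete, here is an added illustrative Python sketch (my own example, not code from the Yeti project or from the original post). A trusted dealer splits a Schnorr signing key into N Shamir shares; any M signers then jointly produce an ordinary Schnorr signature without any of them ever holding the whole key, and fewer than M cannot. The toy-sized Schnorr group, the dealer, the two-round signing flow and all function names are assumptions made for this example; a real deployment would run the same idea over a DNSSEC algorithm such as Ed25519 (algorithm 15).

```python
import hashlib
import secrets


def _is_prime(n):
    """Trial division; adequate for the toy group sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _find_safe_prime(start):
    """Smallest q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Toy-sized Schnorr group, constructed here for the example only.
P, Q = _find_safe_prime(10_000)
G = 4  # 2^2 is a quadratic residue mod P, so it has prime order Q


def _eval_poly(coeffs, x):
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q


def dealer_keygen(n, m):
    """Trusted dealer (assumption): split secret x into n shares, any m suffice.

    The top coefficient is forced non-zero so the polynomial has degree exactly
    m-1; any m-1 shares then interpolate to a wrong constant term.
    """
    x = secrets.randbelow(Q - 1) + 1
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(m - 2)]
    if m > 1:
        coeffs.append(secrets.randbelow(Q - 1) + 1)
    shares = {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}
    y = pow(G, x, P)  # the public key that would be published in the DNSKEY RR
    return y, shares


def lagrange_at_zero(i, signers):
    """lambda_i such that sum(lambda_i * share_i) == x over the set `signers`."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct_secret(subset):
    """What the threshold protocol deliberately avoids: rebuilding x from shares."""
    ids = list(subset)
    return sum(lagrange_at_zero(i, ids) * subset[i] for i in ids) % Q


def _challenge(R, y, msg):
    h = hashlib.sha256(f"{R}|{y}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1  # non-zero challenge in [1, Q-1]


def sign_round1():
    """Each signer: fresh nonce k_i and its commitment R_i = G^k_i."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def sign_round2(i, share_i, k_i, signers, R, y, msg):
    """Each signer: partial s_i from its OWN share, the combined R and the message."""
    e = _challenge(R, y, msg)
    return (k_i + e * lagrange_at_zero(i, signers) * share_i) % Q


def threshold_sign(shares, signers, y, msg):
    """Run both rounds for the given signer ids; no party sees another's share."""
    signers = sorted(signers)
    nonces = {i: sign_round1() for i in signers}
    R = 1
    for _, R_i in nonces.values():
        R = R * R_i % P
    s = sum(sign_round2(i, shares[i], nonces[i][0], signers, R, y, msg)
            for i in signers) % Q
    return R, s


def verify(y, msg, sig):
    """Plain Schnorr verification: the verifier cannot tell the key was split."""
    R, s = sig
    e = _challenge(R, y, msg)
    return pow(G, s, P) == R * pow(y, e, P) % P
```

The validating side runs an unmodified Schnorr check against the public key, which is what "compatible with existing DNSSEC algorithms" would mean in practice: resolvers need no change. Two simplifications matter for anything beyond a demonstration: production protocols such as FROST replace the trusted dealer with distributed key generation and have signers commit to their nonces before revealing them, and a threshold variant of an RSA algorithm (for example algorithm 8) needs a different construction than this Schnorr-style share combination.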
