[dns-operations] Separating .ARPA operations from the root zone

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 7 18:08:10 UTC 2020

I think it is a very worthwhile and necessary effort. But the security
considerations are woefully insufficient.

What has never been fully appreciated is that while the root zone is the
apex of the naming hierarchy, the .arpa zone is potentially the apex of the
trust hierarchy.

Separating the two concerns is a very useful and worthwhile 'separation of
duties' control. Besides the security benefits, a system in which there are
two roots makes for much more convincing answers to questions of root

We should do it right because the .ARPA zone is evolving into the trust
root of the legacy telephone system. It is also likely to be the delegation
point for any new naming system.

The concentration of risk in the root '.' has always been a weakness in the
DNS design. This change provides an opportunity to address some of that.
While the Internet is robust against information attacks, almost none of
the facilities are designed to withstand physical attacks. The best
defense is to make a physical attack pointless.

What this means in practice is that as with the DNS apex root servers, the
.ARPA root servers need to have stable, static IP addresses that change
infrequently with long notice times. The zones should be signed using
appropriate ceremonies.

I am of course aware of the cost of PKI ceremonies. I taught the VeriSign
ceremony course. I am thinking of separating the ceremonies as a longer
term goal and there is technology developed since we wrote the VeriSign
ceremonies that allows the cost to be greatly reduced.

One way sequence technology and threshold signatures mean that it is no
longer necessary for key ceremony key holders to meet in the same physical
location. Nobody is going to let us try out new technology on the root
zone. But we can probably get away with that for .arpa and then transition
the dot to that approach.

So what I would suggest is:

1) Separate the hosts for .ARPA from the root zone hosts.

2) Create a separate set of HSMs for .ARPA but administer them within the
ICANN root ceremony.

3) Transition ARPA to next generation technology which avoids the need to
meet to perform ceremonies in person.

On Fri, Aug 7, 2020 at 12:49 PM Kim Davies <kim.davies at iana.org> wrote:

> Folks,
> I wanted to draw attention to an Internet-Draft under development that
> seeks to remove the unique interdependency that the .arpa zone has with the
> root zone, by virtue of the zone being served by the root servers:
> https://www.ietf.org/id/draft-iana-arpa-authoritative-servers-01.txt
> We are looking for additional review of the proposed changes before taking
> further steps.
> kim