<div dir="ltr"><div class="gmail_default" style="font-size:small">I think it is a very worthwhile and necessary effort. But the security considerations are woefully insufficient.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">What has never been fully appreciate is that while the root zone is the apex of the naming hierarchy. The .arpa zone is potentially the apex of the trust hierarchy.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Separating the two concerns is a very useful and worthwhile 'separation of duties' control. Besides the security benefits, a system in which there are two roots makes for much more convincing answers to questions of root rollover.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">We should do it right because the .ARPA zone is evolving into the trust root of the legacy telephone system. It is also likely to be the delegation point for any new naming system. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">The concentration of risk in the root '.' has always been a weakness in the DNS design. This change provides an opportunity to address some of that. While the Internet is robust against information attacks, almost none of the facilities are designed to withstand physical attacks. the best defense is to make a physical attack pointless.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">What this means in practice is that as with the DNS apex root servers, the .ARPA root servers need to have stable, static IP addresses that change infrequently with long notice times. The zones should be signed using appropriate ceremonies.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I am of course aware of the cost of PKI ceremonies. I taught the VeriSign ceremony course. I am thinking of separating the ceremonies as a longer term goal and there is technology developed since we wrote the VeriSign ceremonies that allows the cost to be greatly reduced. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">One way sequence technology and threshold signatures mean that it is no longer necessary for key ceremony key holders to meet in the same physical location. Nobody is going to let us try out new technology on the root zone. But we can probably get away with that for .arpa and then transition the dot to that approach.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">So what I would suggest is:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">1) Separate the hosts for .ARPA from the root zone hosts.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">2) Create a separate set of HSMs for .ARPA but administer them within the ICANN root ceremony</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">3) Transition ARPA to next generation technology which avoids the need to meet to perform ceremonies in person.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 7, 2020 at 12:49 PM Kim Davies <<a href="mailto:kim.davies@iana.org">kim.davies@iana.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-8277379562340208690WordSection1">
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif">Folks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif">I wanted to draw attention to an Internet-Draft under development that seeks to remove the unique interdependency that the .arpa zone has with the root zone, by virtue of the zone being served
by the root servers:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif">
</span><a href="https://www.ietf.org/id/draft-iana-arpa-authoritative-servers-01.txt" target="_blank">https://www.ietf.org/id/draft-iana-arpa-authoritative-servers-01.txt</a><u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif">We are looking for additional review of the proposed changes before taking further steps.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue",serif">kim<u></u><u></u></span></p>
</div>
</div>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>