ICANNWatch
 
  Inside ICANNWatch  
Submit Story
Home
Lost Password
Preferences
Site Messages
Top 10 Lists
Latest Comments
Search by topic

Our Mission
ICANN for Beginners
About Us
How To Use This Site
ICANNWatch FAQ
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

  •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

  • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)


     
    Security IANA
    Signing the Root -- A Turning Point in Internet History?
    posted by michael on Thursday July 26 2007, @05:26AM

    The IGP Blog has a post about an important subject that is flying under too many radars, IANA's DNSSEC testbed signs root zone. I'll quote some key paragraphs, but it is worth reading the whole thing:

    IANA is generating new zone signing keys (ZSK) monthly, using a script based upon Public-Key Cryptography Standards #11 as published by RSA. IANA maintains it is committed to make the sources of the system public. IANA's approach is to generate 3 overlapping ZSKs, one of which is "active" at any point and used to sign the root zone. The ZSKs are signed using one of 2 overlapping key signing keys (KSK), both of which sign the bundle of 3 ZSKs. In the event of emergency rollover, IANA relies upon a scripted procedure that migrates from the compromised key to the new, already "socialized" key. A status page for the testbed is available.

    Based on this scant information, it does appear IANA is trying to move the ball forward on signing the root. However, the critical DNSSEC policy issue of who controls the root keys is still unresolved. It appears that control of both ZSKs and the KSKs (aka the "keys to the Internet kingdom") will reside with a USG contractor, just as suggested in the DHS sponsored root signing technical specification. This is sure to raise an eyebrow of some ccTLD and root operators and others who see DNSSEC as just one more way of solidifying the dominance of the ICANN/IANA root, and with it USG political oversight.

    The above approach also goes against a basic tenant of Internet architecture of diversifying critical infrastructure in order to improve security and reliability (e.g., similar to how anycast technology diversifies some of the Internet's root servers). Maintaining all root zone signing activity with one root key operator (RKO) (as opposed to the IGP proposal of spreading it across a few non-governmental RKOs) seemingly violates this tenant, and certainly increases the probability that ICANN/IANA would be liable should it falter in performing it's DNSSEC related duties. Of course, this assumes that ICANN/IANA is willing to offer some level of reliability for signed DNS responses it provides. And if they're not, it's unclear why any other organization would be willing to stick it's neck out to provide DNSSEC based services dependent on the ICANN/IANA trust anchor.

    Why is ICANN supporting the centralized solution? Because it expects to hold the keys.

    One more reason why IANA should be spun off from ICANN!




     
      ICANNWatch Login  
    Nickname:

    Password:

    [ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]

     
      Related Links  
    · IANA
    · ICANN
    · IANA's DNSSEC testbed signs root zone
    · Public-Key Cryptography Standards #11
    · available
    · keys to the Internet kingdom
    · contractor
    · root signing technical specification
    · IGP proposal
    · More Security stories
    · Also by michael
     
    This discussion has been archived. No new comments can be posted.
    Signing the Root -- A Turning Point in Internet History? | Log in/Create an Account | Top | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Threshold:
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.


    Search ICANNWatch.org:


    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com