IGP Blog :: DHS publicly acknowledges DNSSEC root signing spec

Main Page

Previous:	Securing the Root: What is DNSSEC, what's the controversy?
Next:	Securing the Root: The root of the problem, creating a trust anchor(s)

DHS publicly acknowledges DNSSEC root signing spec

by Brenden Kuerbis on Sun 15 Apr 2007 10:44 AM EDT | Permanent Link | Cosmos

Nearly five months after the fact, DHS acknowledged widely last week the release of a draft technical specification for signing and securing the DNS Root Zone. Signing the root is considered a critical step toward the widespread deployment of DNSSEC across the Internet.

The document, prepared for DHS by the DoC's NIST and two defense contractors, was reviewed initially by other USG agencies and then distributed for comment in November 2006 to a group of 30 technical experts in government, academia, and key Internet governance and infrastructure organizations from the US, Sweden, UK, Germany, Netherlands, Japan, Brazil, and Australia. Surprisingly, the document was marked "not for further distribution" yet posted to a publicly available listserv for individuals working on DNSSEC deployment. An unknown number of comments on the specification were received, and have not been made available to the public.

The draft outlines various scenarios for signing the root and for who could be the root key holder, focusing mainly on a single "Root Key Operator," and suggesting either a governmental agency or a contractor. However, it importantly offers alternatives for having multiple, but a limited number of, Root Key Operators who would each sign the contents of the root zone with their own key. It also mentions, but discounts, a single split key management approach which is required by NIST FIPs 140-2 standards for high security systems. DHS intends to release a second version of the document for public comment later this year. In light of the highly politicized nature of root zone oversight currently exerted by the DoC, and widespread desire to make the Internet more secure, alternatives which distribute root signing authority seem to offer more promise.

Keywords: DHS, USG, root, DNSSEC, DNS

Technorati Tags: DHS, USG, root, DNSSEC, DNS

Posted to:

Main Page

Comments

Post a comment

Re: DHS publicly acknowledges DNSSEC root signing spec

by Drew Bennett on Tue 17 Apr 2007 02:33 AM EDT | Permanent Link

Enjoying the series, thanks. Now for something only slightly off-topic:
I'm writing a policy memo on Net Neutrality and am hoping the IGP blog can help: The success of Net Neutrality regulations in Japan, Korea, and France is often sited for its achievements in stimulating broadband investment and lower consumer prices - can you direct me to some scholarly research, case studies or other direct evidence of the regulations in these countries? Would greatly appreciate it - feel free to email.

Re: Re: DHS publicly acknowledges DNSSEC root signing spec

by Milton Mueller on Wed 02 May 2007 06:31 PM EDT | Profile | Permanent Link

Sorry to respond so slowly, just noticed this. What you have in Japan, Korea and France is not "net neutrality" regulation as that term has acquired meaning (and a rather confused one) in the USA. Probably you are talking about unbundling of the broadband access line. This allows competing ISPs to lease the physical facilities of the telephone companies in order to provide an internet service that competes with the incumbents'. Go to the OECD department of Communication Infrastructure and Services Provision (?) CISP and see the reports there for a comprehensive treatment of this issue

Trackbacks

TrackBack URL:
http://blog.internetgovernance.org/blog/_trackback/2881860

No trackbacks found.