From: Thierry Moreau [thierry.moreau@connotech.com]
Sent: Monday, June 21, 2010 5:22 PM
To: DNSSEC
Subject: Comment submitted, NOI on the Final Stage of DNSSEC Deployment at the Root

Dear Ms. Fiona Alexander,

The DNSSEC deployment project for the root zone appears to progress steadily towards completion, which I see will occur when NTIA authorizes production signature keys and signed DNS data in the official root zone file. This will be a major and most welcome contribution to a more trustworthy public Internet.

As an IT security expert with a special interest in the management of cryptographic keys having global scope, I looked closely at the DNSSEC root signature key management procedures designed by ICANN and Verisign with the influence of NIST and NTIA. I was and remain critical of some elements of the overall solution. But the big picture is sound, and maybe even excellent, to the extent one accepts the US government guidance (mostly defined by NIST) as the state of the art. As a matter of empirical evidence, there is no mature alternative to the body of applied key management principles rooted in this NIST guidance.

What is more relevant to the assessment of the DNSSEC deployment at the root is the observation that no stakeholder (individual or group) ever formulated a competing proposal for the official DNS root signatures (the bar having been set by the ICANN announcement of June 3, 2009, [1]). As a consequence, the Internet community appears well served by the DNSSEC root key management procedures being put in place.

Please forgive me for taking the opportunity of this NOI to record a further opinion about the significance of the DNSSEC deployment at the root. The DNSSEC signatures on the DNS root zone data are technical controls essentially devoid of policy implications. This is so even if the US government crypto culture tainted the detailed arrangements.
Because the broader DNS root zone management is rather policy-intensive, it may be tempting to amalgamate the US government oversight of the DNSSEC technical controls with the US government's historical role in the DNS root zone management. But to call into question the US government oversight solely on the ground of DNSSEC technical controls does not resist a serious security analysis. Also, I contributed a comprehensive organizational and technical project blueprint ([2]) which should attract supporters if the DNSSEC technical controls were by themselves contentious at the Internet governance level. There is thus no excuse for the Internet community support of the official DNS root signature operations run by ICANN and Verisign with the authorization of NTIA.

It is thus a pleasure to state my gratitude towards those involved at NTIA and its partners ICANN, NIST, and Verisign.

Best Regards,

--
Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691

References

[1] ICANN announcement, "ICANN to Work with United States Government and VeriSign on Interim Solution to Core Internet Security Issue -- Immediate security concerns addressed by DNSSEC", 3 June 2009, http://www.icann.org/en/announcements/announcement-2-03jun09-en.htm

[2] Thierry Moreau, "Intaglio NIC, an Independent DNS Root Signature Project", February 3, 2010, http://www.intaglionic.org/doc_indep_root_sign_proj.html