DNSSEC – So what do we think about RSTEP’s findings?

Some of you may have just learned about the release of the RSTEP recommendations. To give you some background, on April 21, 2008, we engaged the RSTEP process to evaluate our request to officially move forward on our plans to investigate and implement DNSSEC. The RSTEP process has recommended to the ICANN Board of Directors that our request be granted. This is a positive step for longer-term improvement to the internet infrastructure. I am pleased with the report and the recommendation to move forward with the process, and I thank the members of the RSTEP committee for their diligent efforts and recommendations.
DNS is a critical layer because all other layers depend on it working dependably and securely. If we want a secure Internet, then we ought to think about securing the foundational layers first. As a registry we run the DNS, so we are in the best position to do so. And as a gTLD we are in a unique position as a pioneer to make a contribution. Understand that pioneers are often the first to take slings and arrows of criticism and skepticism; however, they are also the first to help prove models previously thought untenable or impossible.
BTW, we are not alone in advocating DNSSEC. Many other ccTLDs such as NIC SE and Nominet have done significant work already and ought to be applauded for their contribution. Furthermore, there are lots of other stakeholders who are investing in developing software (e.g., nameserver) and technologies to make DNSSEC work. It is important to also note that we have not described this as a product or commercial launch and as such have not specified a (potentially premature) launch date. Our view is that this project requires collaboration across the industry, sharing the lessons learned and refinement of our approach.
The report was posted on June 5th, so a thoughtful response worthy of the 38 pages will take a thorough review and hence some time. In the meantime, we do have some initial feedback/impressions:
• We appreciate the suggestions the RSTEP team has provided. They have actually identified some additional areas for us to address, which we are incorporating into our plans. We are also in the process of gathering inputs from other stakeholders in the industry.
• We believe we have made responsible choices in the current environment where the root is not signed. We realize that there is a risk in the deployment of DNSSEC. That is why we have taken over a year and a half in developing our policies and procedures, vetting our technology choices, and receiving advice from those ccTLD registries that have already implemented DNSSEC prior to us. However, we plan to give full consideration to the report findings and make changes where appropriate.
Please watch this blog for more feedback and responses in the coming days and weeks.

