Internet Architecture Board

RFC2850

Correspondence from the RIPE NCC regarding deployment of DNSSEC in the E164.ARPA zone, 5 July 2007

Home»Documents»IAB Correspondence, Reports, and Selected Documents»2007»Correspondence from the RIPE NCC regarding deployment of DNSSEC in the E164.ARPA zone, 5 July 2007
From: Andrei Robachevsky <andrei@ripe.net>
Date: Thu, 05 Jul 2007 09:03:56 +0200 To: iab@iab.org Cc: Axel Pawlik <axel.pawlik@ripe.net>
Subject: Deployment of DNSSEC in the e164.arpa zone

Dear IAB members,

Since 2002 the RIPE NCC has provided technical administration of the e164.arpa DNS zone, in line with the instructions provided by the IAB:

http://www.ripe.net/enum/instructions.html

Over the past five years, we have steadily improved both the technical infrastructure and operational procedures involved in providing DNS operations for the e164.arpa, the k.root-servers.net root server and reverse DNS. These improvements ensure the high technical quality of the DNS delegations and provide features necessary for the operators of the delegated zone, such as support for DNS glue records.

The RIPE NCC has also been actively involved in the development and deployment of DNSSEC, which has included the deployment of DNSSEC in the reverse DNS tree that the RIPE NCC supports. Deployment of DNSSEC, which happened at the end of 2005, was implemented with a thorough redesign of the supporting infrastructure and review of our operational procedures.

We can say with complete confidence that our supporting systems and operational procedures are mature enough to deploy DNSSEC in the e164.arpa tree, as demonstrated by the stable operation of our current DNSSEC services. It should also be noted that the infrastructure and operational procedures for the e164.arpa are ready to support DNSSEC. Please refer to the “DNSSEC Operations and security practice statement” https://www.ripe.net/projects/disi//Notes/dnssec-practice-statement.html for a more detailed description of these procedures. This practice is subject to periodic review to meet increasing security requirements as DNSSEC and ENUM deployment expands.

One of the known issues for early deployment of DNSSEC, until the “root” is signed, is the existence of multiple “trust-anchors” for every DNS tree which has DNSSEC deployed. This situation also applies to the e164.arpa tree. We propose to use the same key maintenance procedures that are currently used for the reverse DNS. For the full description of these procedures please refer to the “ENUM DNSSEC Key Maintenance Procedure” http://www.ripe.net/rs/enum/key-maint.html

The RIPE NCC currently operates the e164.arpa at a level equivalent with root server operational requirements. These requirements (RFC2870 section 3.3.1) and ENUM standards (RFC3761 section 6.1) require DNSSEC. Given this, and based on the information presented above, the RIPE NCC is pleased to inform you that we are ready to implement the DNSSEC requirement for the e164.arpa tree by signing the zone and providing support for secure delegations.

The RIPE NCC intends to publicly announce that it will start signing the e164.arpa. The RIPE NCC will start placing signatures in the zone 2 months after that announcement and provide secure delegations 6 months after that announcement.

In the event that it becomes necessary to pass operational control to a successor operator, the RIPE NCC will facilitate a smooth transition, including an orderly transition of the “trust-anchor”.

I hope I informed you sufficiently. Should you see any issues with the RIPE NCC proceeding with this plan, please let us know.

Best Regards

Andrei Robachevsky
CTO, RIPE NCC