If you build it, they will come.

Only two years after signing the DNS root zone, the strong temptation of a secure global infrastructure for the distribution of data begins, to reveal. It is illustrated clearly by two proposed technical standardization, who want to use secure DNS. These developments highlight the strength of the DNS institutions and how they might gaps elsewhere in Internet governance to a certain extent. But one on increasing confidence and concentration of power in the DNS correct makes always global governance also even more important.

First, better known is DANE desire the IETF. The DÄNE standard suggests the Protocol to improve transport level security (TLS), which used worldwide for secure communication between applications (such as a browser) and host computer (for example, a site server). DANE allows administrators of domain names specify TLS cryptographic key material into a resource record in a zone file stored. With DNSSEC, an application could be the resource record with the practical effect that the communication between an application and the host machine likely safer check - a good thing.

The most interesting aspect of DANE is perhaps that it placed TLS key distribution out of the hands of the browser/CAs and it with DNS operators. The browser/certificate authority regime has been shown to be vulnerable to attack, and lacking in clear lines of responsibility. In theory, if an administrator is signed key material in the DNA, an application can check administered by ICANN it from the single trust anchor. DANE depends how DNSSEC Registrar, registry, and Internet service provider, the administrators not tampered with the signed data. Pressure, data could manipulate from numerous sources, such as interests in the protection of intellectual property, advertising, monitoring, etc. come. At the end of the day, be the DNS-contractual regulation, which contributes the laws that govern the parties and the extent that these institutions are transnational interoperable, determined, global public policy objectives such as DANE at various such as freedom of expression and free movement in Internet information services. Expect that the differences between Governments and their response to domestic pressure to demand that interoperability.

The second, and in our opinion, more interesting development is the more recently proposed ROVER (route origin verification) effort aims, the problem of misconfigured routing announcements, whether accidental or intentional. Much like in DANE, published ROVER proposes , to improve the inter-domain routing create new resource records in the secure reverse DNS (i.e. the in-addr.arpa zone). Similar ideas proposed previouslybeen, but never took hold. The records could network operators to specify whether an IPv4 or IPv6 prefix should appear in the global routing tables and identify authorized origin autonomous system remaining for the prefix. These are the same data (i.e. source route advertisements) are in the public-key infrastructure (RPKI) resource is managed by displaying some RIRs. ROVER facilitates comparison of scanned records in the secure reverse DNS-against route announcements will be made over the Internet. Deviations can be marked and lead that further action by the operator.

The most interesting aspect is the interplay between technology and institutional makes. The technical community was discussed, has the advantages of secure DNS vs. RPKI. The debate occurs in the shade of the large, ongoing care for carriers of RPKI, i.e., how could it allow certification authorities (such as the RIRs) routing effects. This concern is further complicated with Border Gateway Protocol Security ((BGPSEC)), including cryptographic signing and validation of route advertisements directly in the BGP is proposing. As an alternative, ROVER hits uses the map data certified resource stored in the RPKI (or elsewhere) to create and validate route announcements in the secure reverse DNS. But it allows operators independently of each other, that data will be applied to routing decisions. If a certification authority a certificate would locked it no influence, forwarding, if the operator allows it. However, it is less appreciated, that ROVER potentially move announcement routes data, usually in the decentralized Internet routing registries (IRRS) now in the hierarchical secure DNS. Critical in the light of this, will the operation and management of a few zones, namely .arpa and in-addr.arpa. There are, currently, these zones managed by ICANN. Its use for routing purposes can trigger conflicts that too much power with this organization is centralized. In theory, ICANN operator contract could be as a manager of the in-addr zone, similar to how rules it does some TLD operators. This needs to be addressed further.

By Brenden pumpkin, postdoc at Syracuse University, school of information studies. Pumpkin is also a factor for the Internet governance project- blog.