Internet Performance Delivered right to your inbox

IANA ITAR is Live and Why You Should Care

This week, IANA launched it’s Interim Trust Anchor Repository. As described:

IANA provides an Interim Trust Anchor Repository to share the key material required to perform DNSSEC verification of signed top-level domains, in lieu of a signed DNS root zone. This is a temporary service until the DNS root zone is signed, at which time the keying material will be placed in the root zone itself, and this service will be discontinued.

Part of the trouble with DNSSEC is the constant worry for recursive DNS operators (ISPs or network operators) to keep their DS keys up to date. Anytime a new TLD signs their zone or a rollover takes place (either planned or unplanned), someone has to pay attention to ensure that the downstream RDNS users can continue to validate responses. The root is not signed yet (which would eliminate the need for something like this) and making every RDNS operator do this becomes laborious. Enter ITAR.

I already trust the root management of IANA when they process incoming delegation updates for gTLDs and ccTLDs. If the root operator of .cx wants to update the nameservers for that ccTLD because they renumber a nameserver or change their nameservers, I don’t have to manually vet it. IANA has both the savviness and operational experience to vet those requests. This process has successfully lived within IANA for years. Since they do a good job of it, I don’t have to.

ITAR is a mechanism that I, as an RDNS operator, can use to ensure that I have a local copy of what TLDs I can trust. This is just like keeping my root hints file up to date (which everyone does, right?). While there hasn’t been a lot of attention on the RDNS side for DNSSEC, this is a major step in providing infrastructure to make the other side of DNSSEC a reality.

Share Now

Whois: Tom Daly

Tom Daly is a co-founder of Dyn, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.

To current Dyn Customers and visitors considering our Dynamic DNS product: Oracle acquired Dyn and its subsidiaries in November 2016. After June 29th, 2020, visitors to will be redirected here where you can still access your current Dyn service and purchase or start a trial of Dynamic DNS. Support for your service will continue to be available at its current site here. Sincerely, Oracle Dyn