This week, IANA launched its Interim Trust Anchor Repository. As IANA describes it:
IANA provides an Interim Trust Anchor Repository to share the key material required to perform DNSSEC verification of signed top-level domains, in lieu of a signed DNS root zone. This is a temporary service until the DNS root zone is signed, at which time the keying material will be placed in the root zone itself, and this service will be discontinued.
Part of the trouble with DNSSEC is the constant burden on recursive DNS operators (ISPs or network operators) of keeping their trust anchors (DS keys) up to date. Any time a new TLD signs its zone or a key rollover takes place (planned or unplanned), someone has to pay attention so that downstream RDNS users can continue to validate responses. The root is not signed yet (a signed root would eliminate the need for something like this), and making every RDNS operator track these changes by hand is laborious. Enter ITAR.
I already trust IANA's root management when they process incoming delegation updates for gTLDs and ccTLDs. If the operator of .cx wants to update the nameservers for that ccTLD because they renumbered a nameserver or changed nameservers, I don't have to vet that change myself. IANA has both the savviness and the operational experience to vet those requests, and this process has lived successfully within IANA for years. Since they do a good job of it, I don't have to.
ITAR is a mechanism that I, as an RDNS operator, can use to keep a local copy of the key material for the TLDs I can trust. This is just like keeping my root hints file up to date (which everyone does, right?). While there hasn't been a lot of attention on the RDNS side of DNSSEC, this is a major step in providing the infrastructure that makes the other side of DNSSEC a reality.
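What those locally held DS keys are actually used for, as an added example that is not from the post or from IANA: a validating resolver fetches a signed TLD's DNSKEY RRset and accepts it only if one key hashes to a trust anchor it holds (the DS-format records a repository like ITAR distributes). The owner name, flags and public key below are constructed sample values, not .cx key material; the key tag and SHA-256 digest follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

# Constructed sample inputs (not real .cx key material): a KSK-flagged
# DNSKEY with a dummy public key, used only to exercise the matching logic.
SAMPLE_OWNER = "cx."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 8
SAMPLE_PUBKEY = bytes(range(64))

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: 'cx.' -> b'\\x02cx\\x00'."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B.1; not for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """Build the DS record (digest type 2, SHA-256; RFC 4509) a repository would publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def dnskey_matches_ds(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey: bytes, ds: dict) -> bool:
    """True only if a usable zone key hashes to the locally held DS trust anchor."""
    # RFC 4034: protocol must be 3 and the Zone Key bit (0x100) must be set,
    # otherwise the key must not be used for validation at all.
    if protocol != 3 or not flags & 0x100:
        return False
    if ds["digest_type"] != 2 or ds["algorithm"] != algorithm:
        return False
    candidate = make_ds(owner, flags, protocol, algorithm, pubkey)
    return candidate["key_tag"] == ds["key_tag"] and candidate["digest"] == ds["digest"]

def trusted_key_present(owner: str, dnskeys: list, anchors: list) -> bool:
    """The resolver's check at a signed TLD apex: does any DNSKEY match any stored DS?"""
    return any(dnskey_matches_ds(owner, *key, ds) for key in dnskeys for ds in anchors)
```

If a TLD rolls its KSK and the resolver's stored DS is not refreshed, `trusted_key_present` returns False for the new key set and every answer under that TLD fails validation, which is exactly the operational gap ITAR is meant to close.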