Instigating Idea for DNSSEC History Project

Steve Crocker shared (July 20, 2010):

“With the signing of the root we have reached a historic moment in time.  DNSSEC will tighten the security of DNS, and it also lays the foundation for building secure applications on top of DNSSEC.  The impact of DNSSEC will grow over time.  This may be one of the most important moments in the history of the Internet.  That said, this moment is embedded in a very long arc.  It’s taken twenty years to reach this point, starting with Steve Bellovin’s demonstration of cache poisoning and the early proposals for adding cryptographic signatures to DNS.  A very large number of people, working in a large number of places, have contributed.  There were false starts, technical challenges, controversies and long hard marches.  The large bulk of this work is not very well documented, and there is no place to go to find anything approximating the full story.  And this is still only the first part of the story.  There is a lot more work to be done.  Some of us are now fond of using Churchill’s famous words: This is not the end, this is not the beginning of the end, but it is the end of the beginning.

In addition to giving credit to those who have labored, there are potentially important lessons.

1. It is increasingly hard to modify existing protocols.  There is an enormous installed base, and there are large differences of opinion about what needs to be done and how to do it.  A history of DNSSEC can serve as guidance to others who may undertake similar modifications of existing protocols.

2. A related but distinct lesson concerns the realities of deployment.  The design of a protocol is one thing.  Actually getting it implemented, included in products and fielded is quite a bit more work.  As a community we have far less experience and very little organized structure for dealing with deployment issues.  The IETF is an excellent forum for documenting a design and reaching consensus on standards, but it generally doesn’t provide the same level of closure on operational issues.  There are multiple lessons on the difficulties in deployment to be learned so far from the DNSSEC effort, and I suspect not a few more yet to be learned.

3. The role of funding bodies is very important.  Significant extended funding by DARPA and DHS has been crucial.  Their role is often not well understood throughout the rest of the community.

4. In addition to funding agencies, the perseverance of key people and key organizations is crucial.  ISC, .SE, various Dutch groups, ISOC and others come to mind.

5. The global nature of this effort is worth emphasizing.