> On Oct 4, 2018, at 9:13 PM, Jo Rhett <***@netconsonance.com> wrote:
>
>> You’re entirely missing Michael’s point. DNSSEC is not a _treat_ that you dangle in front of universities, it’s an operational requirement for _the whole Internet_, of which your paying members are constituents. You’re denying _me_ the ability to use DNSSEC to validate addresses any time you prevent anyone from registering a DS record.
>
> What’s happening here is that you desire to not only continue to freeload when ARIN has spent decades trying to get you to play nice with others, but you want ARIN to create brand new services and then give those to you for free. You cannot claim operational impact when you have refused for 25 years to play by the rules.

I’m sorry, could you elaborate on each of those points?

How exactly am I freeloading, how am I not playing “nicely with others” or “by the rules,” and how am I not operationally impacted if there’s someone out there who’s not allowed to insert a DS record into a parent zone?

I eagerly await your answer.

-Bill

On Fri, Oct 5, 2018 at 12:13 AM Jo Rhett <***@netconsonance.com> wrote:
> What’s happening here is that you desire to not only continue to freeload when
> ARIN has spent decades trying to get you to play nice with others, but you
> want ARIN to create brand new services and then give those to you for free.

Every time the toxic arguments about legacy holders rear their head on
PPML I become more convinced that the legacy holdings should be forked
off to a distinct registry. Let legacy registrants sign a contract (or
not) which establishes no obligations on the registrant's part and buy
services (or not) as they choose. And let ARIN be ARIN without the
baggage.

As long as the legacy registrants are within ARIN, the fairness
question will remain unresolvable. It's not fair that modern
registrants face compulsions under an adhesion contract while older
registrants do not. Nor is it fair to expect older registrants to
accept an adhesion contract whose compulsive nature was not so much as
a gleam in anyone's eye when they joined the ranks of TCP/IP users.

Regards,
Bill Herrin


--
William Herrin ................ ***@dirtside.com ***@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.ne

> On 5 Oct 2018, at 3:52 pm, David Farmer <***@umn.edu> wrote:
>
>
> On Thu, Oct 4, 2018 based on the
> at 1:15 PM Bill Woodcock <***@pch.net> wrote:
> > On Oct 4, 2018, at 11:10 AM, John Curran <***@arin.net> wrote:
> > ARIN had been inconsistent in our approach to ... DNSSEC services over the years.
>
> There is no room for inconsistency in the application of security.
>
> You’re entirely missing Michael’s point. DNSSEC is not a _treat_ that you dangle in front of universities, it’s an operational requirement for _the whole Internet_, of which your paying members are constituents. You’re denying _me_ the ability to use DNSSEC to validate addresses any time you prevent anyone from registering a DS record.
>
> -Bill
>
> This is a complicated problem. DNSsec is about identity and is not merely a technical protocol. It requires that trust is built and maintained between the entities in the DNS tree, this trust is structured heretically so that everyone doesn't have to maintain trust with everyone else. Through this heretical structure, trust is built through validating and certifying the parties involved and this trust is then legally enshrined in contracts between the entities involved. The fact that the other parties in the tree have contracted with the entity higher in the tree, in this case, ARIN, is why you can trust them. Without those contracts, there is no way to enforce consequences for misbehavior and the trust will eventually be broken. The contracts are the basis for the trust needed by the system and without this trust, there is no need for the DNSsec protocol.

If ARIN will update/add NS records then they should update/ns DS records. THERE IS ZERO DIFFERENCE IN THE TRUST REQUIRED. DNSSEC does not magically require that you need
to do more diligence before making a change. If ARIN is willing to change NS records then
whatever requirements they have to permit that change is ALL they should need to permit DS
records to be changed.

> ARIN has to have contracts with all entities participating in DNSSec and RPKI through it for the schemes to work, even that may not be enough to for these schemes to work, but without that there is no way for these schemes to work.
>
> The financial issues are completely separate from why contracts are necessary. However, life sure is easier when everyone is paying their fair share, but in this case, I don't think fair needs to be an equal share.
>
> Thanks.
> --
> ===============================================
> David Farmer Email:***@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-***@arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact ***@arin.net if you experience any issues.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org

_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.net if you experience any issues.

On Fri, Oct 5, 2018 at 7:35 AM <***@uneedus.com> wrote:
> Just so I can get a prospective of how much money was lost for ARIN during
> this discussion, can someone please tell me what the current minimum cost
> under the current RSA for someone to hold 2 /24's? Five hundred a year
> seems to be the stated price, but I am unable to calculate it based on
> resources alone, which might be less.

$300/year as an "end user." Unless the 2 /24's are actually 1 /23, in
which case it's $150/year. If he also holds an AS number, that's an
additional $150/year.

$500/year is the ISP price which includes voting membership in ARIN.
That rate would cover both /24s and the AS number, so its $500 total
not $500 each.

See https://www.arin.net/fees/fee_schedule.html section "End Users
Paying Per Resource"

Regards,
Bill Herrin


--
William Herrin ................ ***@dirtside.com ***@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.net if you experience any issues.

On 5 Oct 2018, at 4:35 AM, ***@uneedus.com<mailto:***@uneedus.com> wrote:

Just so I can get a prospective of how much money was lost for ARIN during this discussion, can someone please tell me what the current minimum cost under the current RSA for someone to hold 2 /24's?

Albert -

ARIN registry users pay annual maintenance fees. These fees are set at $150/year/object in the database – an IPv4 address block is an object in the database, as is an IPv6 address block, as an AS number.

As of 1 July 2018, those who are legacy resource holders (i.e. a party or their legal successor that was issued resources prior to ARIN’s formation), have their total maintenance fees applicable to legacy resources capped at $125 USD annually, regardless of the number of legacy resources held under their LRSA. This amount is actually a decrease from previous years for many legacy holders, but it was important to get consistent fees for all (and note that the total cap for legacy holders can go up by $25 year if the Board so directs.)

So, presently an organizations with 2 distinct IPv4 /24 blocks would be invoiced at $300/year as an end user organizations, but legacy resource holders with the same resources would be invoiced $125 USD due to the cap.

Note also that end-user and legacy resource holder organizations may instead opt to be ARIN Registration Service Plan customers and just pay a single fee based on total resource holdings (the same annual fee as ISPs do), and this also includes the benefit of ARIN membership. This approach generally makes sense for organizations that have many objects in the database which total only a modest amount of address space.

The ARIN fee schedule is available here - https://www.arin.net/fees/fee_schedule.html – I hope this information helps to inform the discussion.

Thanks!
/John

John Curran
President and CEO
ARIN

> Just so I can get a prospective of how much money was lost for ARIN during this discussion

It doesn't matter how much money is lost. I never raised this point.

> I also note that at the time this holder received his resources, ARIN did not exist, nor was there any charge to receive resources and no discussion of any future charges for receiving numbers at the time when he received his numbers.

First, I'd like to say that this has been debated to death over the last two decades of ARIN's existence and every answer to your questions can be found in the archives. Oh look, here's a discussion about this exact topic A DECADE AGO where we went through the old forms in detail and nobody was able to document evidence that they were owed services: https://lists.arin.net/pipermail/arin-discuss/2008-October/001071.html

If you want to argue this fresh, start by filling up on two decades of this discussion. People significantly more knowledgeable than you have tackled this.

There have been above and beyond reasonable attempts to resolve all legitimate concerns, and all parties who had real issues with the contracts and services have resolved them and signed the contracts. Further, if he signed in 1993 then his contract says that it's governed by the laws of the US, and trust me there's laws about providing services, changes in services, etc etc and not a single one says you get to continue to receive services if you won't sign an updated contract. In fact you'll find considerably more precedence saying the opposite.

> The charges by ARIN were done after the fact, and is it really fair to impose a charge under these conditions? There seems to be 2 sides to this issue.

If he signed in 1993 as he said then he paid for "to coverf 2 years of charges" which is clear language that he may be expected to pay in the future.

Pro tip: Don't argue this with people who still have the original forms at hand.

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

I would be happy to see ARIN follow your advice IF I could take my
registrations elsewhere. However the DNS is, like it or not, a
natural monopoly. ARIN has avoided regulation thus far by honoring
the legacy holders assignments. I concur with Michael that enabling
DNSSEC support for legacy holders is something new, but maintains the
cohesion across the DNS, which is a critical component for workable
DNS.

As usual, YMMV. I'm persuaded that ARIN if ARIN offers DNSSEC for any
registrants, it should offer DNSSEC to all registrants. Contracts
are good, but ARIN has never had or expected 100% of its clients to be
contractually bound to ARIN. ARIN knew this when it was established
and nothing, fundamentally, has changed.

/Wm
Ex ARIN board member, One of the first LSRA signers, DNSSEC early
adopter, now mostly retired.



On 10/6/18, Jo Rhett <***@netconsonance.com> wrote:
>>> ARIN has real issues to deal with, and the hundred or so resource holders
>>> who want to keep stealing the time and effort of everyone involved in
>>> ARIN for their little pity party should go away.
>
>
> On Oct 5, 2018, at 1:35 AM, John Santos <***@egh.com> wrote:
>> With all due respect, you don't know what you are talking about.
>
> I know in great technical depth what I am talking about. However your
> statement here proves how little you know. I don't challenge your
> competence. Be respectful.
>
>> You are attributing motives to me and other legacy holders, that are
>> completely false and possibly libelous.
>
> I don't know and haven't spoken to your motives. I am speaking to your
> request for services delivered without a contract. I encourage you to sue me
> for libel, since you apparently know so little about the topic you haven't
> even read the description of it. Don't threaten an intelligent,
> knowledgeable person with nonsense.
>
>> Received my class C from the InterNIC in 1993. Don't need any more, just
>> need RDNS and am happy to provide POC validation annually, and update my
>> POC records every decade or two when things change, but otherwise require
>> almost nothing from ARIN, so I don't see how I am a "freeloader".
>
> "I want all these services, administrative, technical, and online
> services... for free, without a contract, without supplying a penny." -- how
> are you not a freeloader?
>
> Also note that InterNIC had a contract, and it definitely never offered free
> access to any and all future services not described. You have no basis for
> getting unending free service without a contract. You've had 25 years to do
> the right thing, ARIN is old enough to not only vote but have finished a
> tour in the armed services (far too appropriate a metaphor here) and you
> can't bring yourself to sign a contract for services? They should stop
> serving you. Full stop.
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet
> projects.
>
>
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.net if you experience any issues.

I don't wish to beat a dead horse but the InterNIC didn't have a contract. I still have all of the paperwork I got from them them in the early 90s, and I posted it in this forum for everyone to see several years ago. They basically just asked some questions like what do u want to use the Internet for and then issued me a Class C. As I said the horse is out of the barn on this a long time ago so I don't wish to fight about it. I would add the the National Science Foundation along with others funded the Internet using federal tax money. Even though it was a very small percentage of everyone's federal tax money that was used by the NSF, you can't say that the resources everyone got before ARIN was formed were completely free. My two cents.

Sent from my iPhone

On Oct 6, 2018, at 2:59 PM, Jo Rhett <***@netconsonance.com<mailto:***@netconsonance.com>> wrote:

ARIN has real issues to deal with, and the hundred or so resource holders who want to keep stealing the time and effort of everyone involved in ARIN for their little pity party should go away.

On Oct 5, 2018, at 1:35 AM, John Santos <***@egh.com<mailto:***@egh.com>> wrote:
With all due respect, you don't know what you are talking about.

I know in great technical depth what I am talking about. However your statement here proves how little you know. I don't challenge your competence. Be respectful.

You are attributing motives to me and other legacy holders, that are completely false and possibly libelous.

I don't know and haven't spoken to your motives. I am speaking to your request for services delivered without a contract. I encourage you to sue me for libel, since you apparently know so little about the topic you haven't even read the description of it. Don't threaten an intelligent, knowledgeable person with nonsense.

Received my class C from the InterNIC in 1993. Don't need any more, just need RDNS and am happy to provide POC validation annually, and update my POC records every decade or two when things change, but otherwise require almost nothing from ARIN, so I don't see how I am a "freeloader".

"I want all these services, administrative, technical, and online services... for free, without a contract, without supplying a penny." -- how are you not a freeloader?

Also note that InterNIC had a contract, and it definitely never offered free access to any and all future services not described. You have no basis for getting unending free service without a contract. You've had 25 years to do the right thing, ARIN is old enough to not only vote but have finished a tour in the armed services (far too appropriate a metaphor here) and you can't bring yourself to sign a contract for services? They should stop serving you. Full stop.

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net<mailto:ARIN-***@arin.net>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.net<mailto:***@arin.net> if you experience any issues.

The reason that this issue is so difficult is the funding model of DNS has
changed over the years, and the formation of ARIN has never completely
addressed that issue.

In the beginning days, DNS was in fact a large shared host file, installed
on every machine. In effect, the cost of adding hosts to the shared file
was indirectly paid by the public entity that was paying the salary of
those that maintained the host file, and the downloading and local costs
were borne by each node.

When port 53 DNS was established, costs were distributed among all
connected nodes because each connected network needed to have at least 2
DNS servers connected to the network. There was some central
administration involved, but that was paid by taxes or grants and not
directly by the holder.

At the time the original poster received his resources, there was no
charge for receiving numbering resources, and grants and other government
funding was paying for the reverse DNS function, and the individual
resource holder was not charged, nor was there any contract for the
reverse dns. The resource holder was responsible for providing 2 or more
dns servers, and the maintainer of the reverse zone would point to those
servers, and the remainder of the cost and responsibility for the dns
servers was borne by the resource holder.

The discussion of NetSol obtaining the contract, and the charge for a 2
year period had to do with domain names, not numbering resources. If the
holder wanted domain names, they could be obtained from NetSol, or from
other registries if eligible such as .edu or .us. These fees did not go
toward numbering resources. In the very beginning, these were also free.

Before ARIN, the reverse zone was provided via Internic, which I believe
was publically funded. Currently the .arpa zone used for reverse DNS in
IPv4 is operated by Verisign GRS under contract to IANA. Each of the
reverse zone /8s of the internet are in turn delegated to the holder of
that /8, which is either one of the RIR's or the legacy holder of that /8.
This is why these legacy holders holding an /8 can get DNSSEC to work
regardless of the wishes of ARIN, since ARIN is not in the chain of trust,
and therefore has no control whatsoever over this issue.

Those legacy holders with less than an /8 have ARIN in the trust path for
DNSSEC and cannot receive DNSSEC (or RPKI) without the involvment of ARIN.
As to the total /24's shown in the chart, I suspect that the greatest
majority in total number of /24's are part of legacy /8's, who quite
frankly have legal teams that tell them not to sign an (L)RSA, since that
might take away commercial rights that they might have in the resources.

The term "freeloader" is a loaded term and as pointed out this discussion
has been going on unresolved since the formation of ARIN. It could be
also be argued that those receiving number resources prior to ARIN when
charges were not being made have a valid point. Along comes ARIN, who
wants to tax/charge/fee the resource holder for services that were never
directly charged for prior to ARIN, and they do not consider this to be
right, since they never had any kind of agreement with ARIN.

The basic problem from the smaller than /8 legacy holder prospective is
that IANA has delegated the reverse /8 containing their legacy resources
to ARIN, injecting ARIN in the middle of this. It is not possible
therefore to get DNSSEC or any other DNS service on the reverse zone
working without ARIN's help. One could say that this was done without the
"permission" of the resource holder at the time. ARIN's website states
"At its formation, the ARIN Board of Trustees decided that ARIN would
provide registration services for these legacy number resources without
requiring the original resource holders to enter into a registration
services agreement or pay service fees." I suspect this was done to avoid
an issue with the legacy holders, who at the time of ARIN formation likely
controled a majority of the assigned numbering space and could have caused
quite a stink for ARIN over any charges.

I personally think the fee schedule needs to charge larger resource
holders much more than the small resource holder. Looking at the fee
chart, if I hold a single /24, the least I will pay is $150/year. If I opt
to become a member, I am 3 X small and pay $250/year. If I am a large
player and hold a /8 (65536 /24's), I am 3 X large and pay $64,000/year
for membership. That is only 98 cents per /24, compared to the small
player that gets to pay either $150 or $300 per year. At the very top of
the chart, that becomes 48 cents per /24 if I hold a /5 (larger than a
/6). While efforts have been made to increase fees to larger players, it
is still not distributed evenly based on a per resource basis.

Based upon the rates per /24 charged to larger players, that "freeloader"
is costing ARIN $2/year or less. On the other hand, DNSSEC does benefit
the security of the ENTIRE community, including those in other RIR
regions. While many at ARIN and elseware do not like providing those
"free" services to those legacy holders, DNSSEC is a benefit to ALL the
community. Since IANA runs the root of the .arpa reverse zone, maybe
costs should be funded by IANA and their 18 cent domain tax.

The amount of true cost for small players is in my opinion higher than the
cost of collection of a fair fee of $1 or less per /24 per year. Remember,
these small players include not only the original poster, but other
organizations including Berea College (BEREAC), a college with a billion
dollar endowment, who clearly would appear from ARIN's prospective to able
to afford a membership, but also choose to be a "freeloader". They hold
but a single legacy /24, and choose instead to use their resources to
provide tuition free education to their entire student body rather than
paying annually for an ARIN membership.

I do not know what will be the answer, or if this will ever be solved
until IPv6 becomes the primary transport on the internet. I think the
price of IPv4 resources will be like a bell curve, and we will start
seeing the price of IPv4 blocks start to sink once IPv6 becomes the
primary transport. How many years before this happens, I do not know.

Albert Erdmann
Network Administrator
Paradise On Line Inc.


On Sat, 6 Oct 2018, Jo Rhett wrote:

> On Oct 6, 2018, at 12:47 PM, Lee Dilkie <***@dilkie.com> wrote:
>> On 2018-10-05 00:40, Jo Rhett wrote:
>>> Refusing to authenticate resources used by holders who cannot be validated is a feature, not a bug.
>>
>> And validation of a resouce holder isn't the same thing as holding an RSA contract. Let's be clear about that, they are different issues.
>
> No entity, even government entities, are required to provide services to people who won't sign the current service agreement.
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet projects.
>
>
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-***@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact ***@arin.net if you experience any issues.