So what if Uncle Sam signs the DNSSEC root?

There's currently a fair amount of angst about DHS's desire to control the root key for DNSSEC:
The US Department of Homeland Security (DHS), which was created after the attacks on September 11, 2001 as a kind of overriding department, wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign. At the meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Lisbon, Bernard Turcotte, president of the Canadian Internet Registration Authority (CIRA) drew everyone's attention to this proposal as a representative of the national top-level domain registries (ccTLDs).

See for instance this /. thread:

"At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort [As usual, people on /. seem a little confused about how the Internet works. Needless to say, being able to spoof DNSSEC doesn't let you spoof IPs, nor is being able to spoof DNS queries that much use in breaking into people's computers these days. -- EKR]. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

This is all kind of scary sounding, but it's really a lot less of a big deal than it's made out to be. The basic thing you need to remember is that DNS is a hierarchical system and that DNSSEC follows the hierarchy. Thus, the key in question signs the root zone (or rather the key for the root zone), which just contains the name servers and the keys for the TLDs (.com, .org, .net, .us, etc.). The information for your domain (or at least the key for your domain, if you had one) would be signed by those keys. So, for instance, the key for educatedguesswork.org would be signed by the key for .org, which itself would be signed by the root zone key.

So, let's say that DHS wanted to forge the address (A) record for educatedguesswork.org. They'd have to sign a fake root zone with a new key for .org and make a parallel tree all the way down to educatedguesswork.org. Since those fake records would end up in people's DNS caches, this is not likely to go entirely unnoticed if it happens at all often. Moreover, it's not clear exactly what use spoofing records for someone else's domain would be to you. Because of the slow deployment of DNSSEC and end-to-end IPsec, applications which want cryptographic authentication of Internet peers use TLS and X.509 certificates. If you manage to reroute DNS, all that happens is that they get to the wrong host and then the TLS certificate check fails. Now, you can certainly argue that people are lax about certificate errors, but you should expect them to be even more lax about DNSSEC errors, especially since most people aren't prepared to validate DNSSEC at all.

In theory, of course, controlling the root zone signing key means that DHS could completely hijack some large section of the domain space. They'd get court orders or otherwise compel some fraction of the root servers to point to their new parallel zone and sign the records with the top-level key. But of course as soon as this got out, people would most likely program their verifiers to ignore signatures from that key and use whatever zone data was in effect before DHS got involved. And of course why bother with anything so technical? The data in the DNS just reflects whatever assignments ICANN and IANA have made. Both organizations are located in the US, so if DHS wants to hijack some zone, they just force ICANN/IANA to reassign the zone and then whoever does the signatures would presumably sign the new data. Of course, you could say people wouldn't accept this, but then why would you believe that they would accept signatures that didn't reflect ICANN/IANA's assignments?
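The chain described in the last few paragraphs (the root KSK signs the root's keys, the root's ZSK signs the DS record that vouches for .org's KSK, and so on down to educatedguesswork.org) and the two conclusions drawn from it (forging a leaf record with only the root key means building a parallel tree, and a verifier can simply refuse to let the root vouch for a replaced TLD key) are small enough to run. The following is an added example, not code from this post: a toy DNSSEC chain-of-trust validator in Go. It uses Ed25519 as in RFC 8080; the records are simplified canonical byte strings rather than RFC 4034 wire format, the zone names and addresses are constructed sample data, and the attacker is assumed to hold the root KSK but not the root ZSK, so the parallel tree mints a fresh one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Key is an Ed25519 key pair standing in for a DNSSEC KSK or ZSK (RFC 8080, algorithm 15).
type Key struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewKey() Key {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Key{pub, priv}
}

// Zone is what a validator sees of one level of the tree (records are canonical byte
// strings, not RFC 4034 wire format; a simplification for this demo).
type Zone struct {
	Name       string
	KSK, ZSK   Key
	KeySig     []byte // RRSIG over the DNSKEY RRset, made with the KSK
	ChildDS    []byte // DS for the child: sha256(child KSK public key); nil at the leaf
	ChildDSSig []byte // RRSIG over that DS record, made with this zone's ZSK
	A          string // A record data, leaf only
	ASig       []byte // RRSIG over the A record, made with the leaf's ZSK
}

func rr(name, typ string, data []byte) []byte { return append([]byte(name+"|"+typ+"|"), data...) }
func dnskeys(z *Zone) []byte { return append(append([]byte{}, z.KSK.Pub...), z.ZSK.Pub...) }

// BuildChain signs a fresh hierarchy top-down; names[0] is the root and the last name the
// leaf owning the A record. Only the root KSK comes from the caller; every other key is new.
func BuildChain(rootKSK Key, names []string, a string) []Zone {
	zones := make([]Zone, len(names))
	for i, n := range names {
		z := &zones[i]
		z.Name, z.ZSK, z.KSK = n, NewKey(), rootKSK
		if i > 0 { // the parent publishes and signs the DS that delegates trust to this KSK
			z.KSK = NewKey()
			p, sum := &zones[i-1], sha256.Sum256(z.KSK.Pub)
			p.ChildDS = sum[:]
			p.ChildDSSig = ed25519.Sign(p.ZSK.priv, rr(n, "DS", p.ChildDS))
		}
		z.KeySig = ed25519.Sign(z.KSK.priv, rr(n, "DNSKEY", dnskeys(z)))
	}
	leaf := &zones[len(zones)-1]
	leaf.A, leaf.ASig = a, ed25519.Sign(leaf.ZSK.priv, rr(leaf.Name, "A", []byte(a)))
	return zones
}

// Validate walks the chain root-down. anchors maps a zone name to the KSK the verifier
// insists on: the root must be anchored; any other pin overrides the parent's DS record.
func Validate(anchors map[string]ed25519.PublicKey, chain []Zone) (string, error) {
	for i := range chain {
		z := &chain[i]
		if pin, ok := anchors[z.Name]; ok {
			if !bytes.Equal(pin, z.KSK.Pub) {
				return "", fmt.Errorf("%s: KSK does not match trust anchor", z.Name)
			}
		} else if i == 0 {
			return "", fmt.Errorf("no trust anchor for the root")
		} else if sum := sha256.Sum256(z.KSK.Pub); !bytes.Equal(sum[:], chain[i-1].ChildDS) {
			return "", fmt.Errorf("%s: KSK does not match parent DS", z.Name)
		}
		if !ed25519.Verify(z.KSK.Pub, rr(z.Name, "DNSKEY", dnskeys(z)), z.KeySig) {
			return "", fmt.Errorf("%s: bad RRSIG(DNSKEY)", z.Name)
		}
		if i+1 < len(chain) && !ed25519.Verify(z.ZSK.Pub, rr(chain[i+1].Name, "DS", z.ChildDS), z.ChildDSSig) {
			return "", fmt.Errorf("%s: bad RRSIG(DS)", z.Name)
		}
		if i+1 == len(chain) && ed25519.Verify(z.ZSK.Pub, rr(z.Name, "A", []byte(z.A)), z.ASig) {
			return z.A, nil
		}
	}
	return "", fmt.Errorf("empty chain or bad RRSIG(A)")
}

func main() {
	rootKSK := NewKey()
	names := []string{".", "org.", "educatedguesswork.org."}
	legit := BuildChain(rootKSK, names, "192.0.2.1") // constructed sample data
	anchors := map[string]ed25519.PublicKey{".": rootKSK.Pub}
	fmt.Println(Validate(anchors, legit)) // 192.0.2.1 <nil>
	bad := append([]Zone{}, legit...) // the root KSK alone cannot re-sign a leaf record:
	bad[2].A = "198.51.100.9"         // RRSIG(A) was made with the leaf ZSK
	fmt.Println(Validate(anchors, bad)) // error: bad RRSIG(A)
	fake := BuildChain(rootKSK, names, "198.51.100.9") // the post's attack: re-mint every
	fmt.Println(Validate(anchors, fake))               // key below the root, re-sign the lot
	anchors["org."] = legit[1].KSK.Pub   // ...which validates, until a verifier pins the
	fmt.Println(Validate(anchors, fake)) // legitimate .org KSK: error, KSK does not match anchor
}
```

The four checks in Validate are the whole story: a zone's KSK is accepted either because it is a configured trust anchor or because its hash matches the DS record its parent signed; then the KSK vouches for the ZSK, and the ZSK vouches for the DS records (or, at the leaf, the A record). Swapping the leaf address without the leaf ZSK fails the last check. Re-signing everything below the root does pass, which is the parallel tree the post describes, but it necessarily replaces .org's DNSKEY, so a verifier that has pinned the real .org KSK, or removed the root anchor, rejects it. What the code does not show is the distribution problem: the forged tree still has to reach resolvers and sit in their caches, which is where it gets noticed.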

None of this is to say that DHS controlling the root zone wouldn't be symbolically badly received, but that's mostly what it would be, symbolic.

7 Comments

Which begs the question, why would DHS want to get hold of the key?

I'm not sure that a domain hijack would result in a fork anywhere near as quickly as you claim. As I understand it, if the government wishes to replace a web site with one of its own choosing, and it does so by domain hijack, they can affect that domain alone by creating a parallel root with otherwise identical information, and that website can then be manipulated with very little collateral damage. If it's someone's personal site, nobody with any pull is likely to notice. If they have the master DNSSEC key, this can be done whether or not ICANN goes along with reassigning the zone, which may not be anywhere near as legally trivial as you make it sound.

Of course this doesn't solve the problem of all the root servers that can't be controlled, or the fact that DNSSEC isn't widely enough deployed to generate much faith in it, but perhaps DHS is simply working on one problem at a time. Or am I fundamentally misunderstanding the mechanics?

The simpler explanation may be that the DHS has roughly the same amount of understanding of the internet as /. and thus it believes that it's getting something much more than it is.

Still, I think the question should be asked the other way around: what possible beneficial effect could be obtained from DHS controlling the root key? If there is none, given that it is the DHS, perhaps it should be assumed that someone is planning to use the key for evil, whether or not they have all the pieces they need to do so. If each piece that they obtained is individually disregarded as insufficient to cause harm, a much larger risk may go unseen until it is difficult to counter.

The problem is that you can't just make everything the same. ICANN will control . but in order to change educatedguesswork.org they need to control .org. This involves replacing .org, which people would notice.

As for why DHS wants this? I suspect they don't trust any of the other players to handle the key responsibly and believe that they themselves will.

My question is, why would people notice that .org has been changed, if DHS is mirroring .org except for a couple minor changes? Or is this fundamentally impossible for some technical reason I'm not aware of?

Perhaps DHS just wants to make sure that a signed root is eventually deployed? It's not that a lot of parties are eager to own that key, it seems.

I agree with Eric that DHS's motives are likely primarily defensive rather than offensive. As he pointed out, ownership of the DNSSEC root key is unlikely to be useful for spoofing. But it would make a dandy Internet-scale DoS tool, and that's the kind of thing DHS is supposed to be worrying about.

In addition to wanting to ensure the confidentiality of the key, DHS may also be concerned that a different owner might be lax about putting into place rapid recovery procedures to be triggered in the event of, say, a TLD compromise.

Remember a few years ago when Verisign decided it would be a great idea to redirect all HTTP requests to unresolvable domains to their domain-registration spam site? History suggests that DNS administration may be one of the few areas in which the government of the United States may in fact be less overtly corrupt than the private-sector alternatives.
