DNS: March 2007 Archives


March 31, 2007

There's currently a fair amount of angst about DHS's desire to control the root key for DNSSEC:
The US Department of Homeland Security (DHS), which was created after the attacks on September 11, 2001 as a kind of overriding department, wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign. At the meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Lisbon, Bernard Turcotte, president of the Canadian Internet Registration Authority (CIRA) drew everyone's attention to this proposal as a representative of the national top-level domain registries (ccTLDs).

See, for instance, this /. thread:

"At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort [As usual, people on /. seem a little confused about how the Internet works. Needless to say, being able to spoof DNSSEC doesn't let you spoof IPs, nor is being able to spoof DNS queries that much use in breaking into people's computers these days. -- EKR]. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

This is all kind of scary sounding, but it's really a lot less of a big deal than it's made out to be. The basic thing you need to remember is that DNS is a hierarchical system and that DNSSEC follows the hierarchy. Thus, the key in question signs the root zone (or rather the key for the root zone), which just contains the name servers and the keys for the TLDs (.com, .org, .net, .us, etc.). The information for your domain (or at least the key for your domain if you had one) would be signed by those keys. So, for instance, the key for educatedguesswork.org would be signed by the key for .org, which itself would be signed by the root zone key.

So, let's say that DHS wanted to forge the address (A) record for educatedguesswork.org. They'd have to sign a fake root zone with a new key for .org and make a parallel tree all the way down to educatedguesswork.org. Since those fake records will end up in people's DNS caches, this is not likely to go entirely unnoticed if it happens at all often. Moreover, it's not clear exactly what use spoofing records for someone else's domain would be to you. Because of the slow deployment of DNSSEC and end-to-end IPsec, applications which want cryptographic authentication of Internet peers use TLS and X.509 certificates. If you manage to reroute DNS, all that happens is that they get to the wrong host and then the TLS certificate check fails. Now, you can certainly argue that people are lax about certificate errors, but you should expect them to be even more lax about DNSSEC errors, especially since most people aren't prepared to validate DNSSEC at all.
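The chain of trust and the parallel tree described above, as an added example that is not part of the original post. Toy textbook RSA over Mersenne primes stands in for real DNSSEC signature algorithms, and the record layout, function names and documentation-range addresses are constructed for illustration. It shows that a tree re-signed under the same root key validates, while every zone key below the root differs from what a resolver had already cached.

```python
import hashlib

# Toy textbook RSA over Mersenne primes: insecure, used only so that the
# chain has real sign/verify semantics without third-party libraries.
M = [2**k - 1 for k in (13, 17, 19, 31, 61, 89, 107, 127, 521, 607)]

def keypair(p, q, e=65537):
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))      # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, priv):
    return pow(digest(data, pub[0]), priv, pub[0])

def verify(data, sig, pub):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def delegate(parent, name, child_pub):
    """Parent zone signs the child zone's public key."""
    return {"name": name, "key": child_pub,
            "sig": sign(f"{name}|{child_pub}".encode(), *parent)}

def build(root, tld, dom, address):
    """Signed tree root -> org -> educatedguesswork.org -> A record."""
    links = [delegate(root, "org", tld[0]),
             delegate(tld, "educatedguesswork.org", dom[0])]
    rrset = f"educatedguesswork.org A {address}"
    return links, rrset, sign(rrset.encode(), *dom)

def validate(anchor, links, rrset, rrsig, seen):
    """Return (signatures_ok, zones whose key differs from the cached one)."""
    key, changed = anchor, []
    for link in links:
        msg = f"{link['name']}|{link['key']}".encode()
        if not verify(msg, link["sig"], key):
            return False, changed
        if seen.get(link["name"], link["key"]) != link["key"]:
            changed.append(link["name"])
        key = link["key"]
    return verify(rrset.encode(), rrsig, key), changed

# Constructed sample data (documentation-range addresses).
root, org, egw = keypair(M[4], M[5]), keypair(M[6], M[7]), keypair(M[3], M[8])
alt_org, alt_egw = keypair(M[0], M[9]), keypair(M[1], M[2])
genuine = build(root, org, egw, "192.0.2.10")
parallel = build(root, alt_org, alt_egw, "203.0.113.66")   # signed under the same root key
seen = {l["name"]: l["key"] for l in genuine[0]}           # keys a resolver cached earlier

print(validate(root[0], *genuine, seen))
print(validate(root[0], *parallel, seen))
```

Signing a changed A record with the root key alone, or mixing one replaced delegation into the genuine chain, fails validation; only a complete parallel tree passes, and that is what leaves changed keys at every level.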

In theory, of course, controlling the root zone signing key means that DHS could completely hijack some large section of the domain space. They'd get court orders or otherwise compel some fraction of the root servers to point to their new parallel zone and sign the records with the top-level key. But of course as soon as this got out, people would most likely program their verifiers to ignore signatures from that key and use whatever zone data was in effect before DHS got involved. And of course why bother with anything so technical? The data in the DNS just reflects whatever assignments ICANN and IANA have made. Both organizations are located in the US, so if DHS wants to hijack some zone, they just force ICANN/IANA to reassign the zone and then whoever does the signatures would presumably sign the new data. Of course, you could say people wouldn't accept this, but then why would you believe that they would accept signatures that didn't reflect ICANN/IANA's assignments?

None of this is to say that DHS controlling the root zone wouldn't be symbolically badly received, but that's mostly what it would be, symbolic.


March 30, 2007

ICANN has decided not to issue .xxx. Stuart Lawley from ICM does not look that happy about it:

ICANN Board member Susan Crawford is also unhappy:

"No centralized authority should set itself up as the arbiter of what people may do together online," Ms. Crawford said in a statement to the board, adding that political pressures played an undue role. "This is not a technical stability and security question."

I mostly agree that this isn't a technical stability question. As far as the DNS is concerned, there's nothing special about the string .xxx, after all. As far as security goes, the only way in which this would be special would be if ICANN intended to monitor that ICM was enforcing the somewhat vague conditions that were proposed for the domain. That's easily fixed by not doing so. That said, the bit about "no centralized authority" being an "arbiter of what people may do together online" is a bit hard to understand, since that's more or less ICANN's reason for existence. Once we've decided that we're going to issue more TLDs and we're not going to do it in a mechanical fashion (first come/first served, auction, etc.), you're pretty much left with some sort of centralized arbiter, which is what ICANN is. This isn't to say that one can't object to the decisions ICANN has made or the way it makes them, but that's different from having a principled objection to them making such decisions in the first place (not that one can't object to that as well...)