DHS Wants Master Key for DNS
An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
DNSSec (Score:5, Informative)
No. It secures DNS. So you can't spoof domain names. It secures that the DNS Server is authoritative so the DNS query was answered right. If somebody spoofs an IP in your network, you won't be saved.
Subby failed reading comprehension (Score:5, Informative)
Re:Multiple keys (Score:3, Informative)
The result is that instead of computers being configured to trust a single root zone key from IANA, it is likely that every ccTLD will have its own key, and that the standard configuration of DNS as shipped with an OS or distribution will contain the public keys or hashes for every one of them. This is arguably a good thing.
Note that few if any OS distributions come configured to support secure DNS and verify signed DNS records.
Re:DNSSec (Score:3, Informative)
It is a joke, you just forgot the punchline! (Score:0, Informative)
Other than it won't work because all the important *.microsoft.com sites are hardcoded into Windows.
Re:wtf! (Score:1, Informative)
DNS Trust Anchors (how to trust who you trust) (Score:3, Informative)
But, DNSSEC does provide every zone owner with the ability to hold a very special key so that no one else may be able to spoof stuff in their zone. Everyone would want to trust
But here's the secret: if you don't trust the root zone owners, then instead you can choose to set trust anchors tied to the
Here's an interesting proposal for the root zone: pick two countries that hate each other and are likely to never have the same agenda. Let's call them X and Y. Give each of these countries a root key, and make the root zone use and publish results from both of them. Then, you could configure trust anchors pointing to both the X and Y keys. You could configure your system to make sure to check the DNSSEC results to validate the information up to both of these keys. That way you could ensure that since you trusted X and Y to never conspire against you together, and you would know that neither X nor Y alone could have spoofed DNS data then you suddenly find yourself safe. Because of the distrust. I love the irony.
(now: you don't want to have a zillion keys for the roots... The packet sizes get larger as you add more keys, and it turns out you probably don't want more than 3 at most).
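An added example, not from the thread or from any resolver's code: trust anchors are commonly configured as hashes of a zone's key (the "public keys or hashes" an earlier comment mentions), and this sketch computes the SHA-256 DS digest of a DNSKEY and applies the two-anchor "X and Y" policy proposed above. The key bytes are constructed, `anchors_satisfied` and its `require_all` flag are hypothetical names, and signature verification itself is not performed here.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name; "." is the root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (a short id, not a security check)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest: hash of owner name plus DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def anchors_satisfied(owner, dnskeys, anchors, require_all=True):
    """Match served DNSKEYs against locally configured anchor digests.

    require_all=True models the "X and Y" idea: every configured anchor
    must be matched by a served key, so one key holder alone is not enough.
    An empty anchor list fails closed.
    """
    served = {ds_digest(owner, k) for k in dnskeys}
    hits = [a in served for a in anchors]
    return bool(hits) and (all(hits) if require_all else any(hits))

# Constructed sample keys (arbitrary bytes, not real root keys).
KEY_X = dnskey_rdata(257, 8, bytes(range(1, 33)))
KEY_Y = dnskey_rdata(257, 8, bytes(range(101, 133)))
KEY_ROGUE = dnskey_rdata(257, 8, b"\xAA" * 32)
ANCHORS = [ds_digest(".", KEY_X), ds_digest(".", KEY_Y)]

if __name__ == "__main__":
    print("tags:", key_tag(KEY_X), key_tag(KEY_Y))
    print("both served:", anchors_satisfied(".", [KEY_X, KEY_Y], ANCHORS))
    print("X + rogue:  ", anchors_satisfied(".", [KEY_X, KEY_ROGUE], ANCHORS))
```

A validating resolver would go on to verify the RRSIG signatures made by the matched keys; the anchor match only establishes which keys the local configuration is willing to start from.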
Re:out of control (Score:1, Informative)
Um... Not. I don't see how this would increase the number of 'unauthorized' people able to access the key. It would affect what group decides who is 'authorized'. But whatever group does control the key would want to restrict access to a minimal number of people (you'd only technically need one, really, although you'd realistically want several for vacations, shifts, retirement, etc...)
The owner of the root key signing key would not have any special powers to break into your computer or your communications. They would just sign the root zone keys. We already trust the root zones to give the correct IP's for TLDs. We already have the root zone IP's on the Domain Servers we are using. Once signed, the root key signing key holder wouldn't be able to tell you that a certain root was bad until that record expired (and then just by not signing a new record).
You would still be trusting the current root zones, current TLD's, and whichever subdomains you are visiting. Further, you don't have to use secure DNS. You could just keep doing lookups like you've always done with DNS without caring about the signatures. You'd be trusting the same people you're trusting today (i.e. zone hierarchy and local network hosts and upstream network hosts) and have the same trust in the IP addresses coming back.
But, with secure DNS, the guy next to you at your coffee house or your next door neighbor that shares your cable network connection will not be able to tell you that www.yourbank.com is his IP address. The root key signing key holder won't be able to do this either. The worst they could do is not re-sign a root zone server (this could cause political/bureaucrat BS, but not break your computer). The root zone server could mess with you (they can now), the TLD server could mess with you (they can now), the subdomain server could mess with you (they can now). Your trust would be in the current zone hierarchy but no longer everyone on your local network and upstream of you.