DHS Wants Master Key for DNS
An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
Another "Internet" (Score:2, Interesting)
Which is worse? (Score:2, Interesting)
Honestly...
Should U.S. DHS be trusted? (Score:5, Interesting)
Routing and private keys? (Score:4, Interesting)
In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?
Re:The crucial signing key is for Windows Update (Score:1, Interesting)
No, it's not a joke. (Score:5, Interesting)
If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)
If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.
So possession of both of those keys gives full control of all Windows Update enabled clients.
This could get complicated (Score:3, Interesting)
Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and governments in freer countries could allow their customers to choose their own root if they so desired.
Now imagine a world where ISPs and customers in totally free countries compare results from all available sets of root servers, look for inconsistencies, and if there is an inconsistency, check with the authoritative nameserver for the domain as reported by whois. If the DNS lookup for the whois server was not consistent then it will be handled as an exceptional case: The end-user will get a result that might or might not be correct and technicians will be alerted so they can figure out what the real IP addresses of the whois server are.
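The cross-check described in the comment above, as an added example that is not part of the original thread. Root-set names, hostnames and addresses are constructed, and the whois/authoritative step is modelled as a lookup table rather than a live query.

```python
from collections import Counter

# Constructed sample data: the answer each root set gives for a name.
# Root-set names, hostnames and addresses (RFC 5737 ranges) are made up.
ANSWERS = {
    "root-a": {"www.example.org": "192.0.2.10", "whois.example.net": "198.51.100.5"},
    "root-b": {"www.example.org": "192.0.2.10", "whois.example.net": "198.51.100.5"},
    "root-c": {"www.example.org": "203.0.113.66", "whois.example.net": "198.51.100.5"},
}
# What the authoritative nameserver named by whois reports (constructed).
AUTHORITATIVE = {"www.example.org": "192.0.2.10"}


def ask_all_roots(name, answers):
    """Return {root_set: address} for every root set that knows the name."""
    return {root: table[name] for root, table in answers.items() if name in table}


def cross_check(name, whois_host, answers, authoritative, alerts):
    """Resolve `name` and report how far the answer could be verified."""
    seen = ask_all_roots(name, answers)
    if not seen:
        return None, "unknown"
    if len(set(seen.values())) == 1:
        return next(iter(seen.values())), "consistent"

    # Roots disagree: rely on whois only if its own lookup is consistent.
    whois_seen = ask_all_roots(whois_host, answers)
    if len(set(whois_seen.values())) == 1 and name in authoritative:
        return authoritative[name], "authoritative"

    # Exceptional case: hand back a best-effort majority answer that may
    # or may not be correct, and queue an alert for the technicians.
    best, _ = Counter(seen.values()).most_common(1)[0]
    alerts.append(f"{name}: whois lookup inconsistent, manual check needed")
    return best, "unverified"
```
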
You know... (Score:5, Interesting)
Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.
So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.
root keys and Ultimate Power (Score:2, Interesting)
It's either that or coming up with a way of keeping such information outside of the hands of a foreign power (the USA is a foreign power from my country. Not an enemy by any hands at this time... but it has been).
Re:You know... (Score:5, Interesting)
Re:Incentive for alternative roots (Score:4, Interesting)
God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.
Re:You know... (Score:3, Interesting)
Irrelevant. No one country should have control of a global resource. Even ignoring the potential for abuse, global resources should be managed globally, it's as simple as that.
I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet
Yeah, because us dirty foreigners don't even know how to spell "freedom", let alone have any respect for it.
Re:Incentive for alternative roots (Score:2, Interesting)
Our country has many exciting opportunities and yet they are being stripped from us because our government is pushing other countries away from our trust by trying to institute measures that they have *no* constitutional right or global right in doing. Making laws without the correct due process, without checks and balances. This is not a correct process of allowing such a decision to be addressed. The people in America are the governing voice via the Constitution, Bill of Rights and Declaration of Independence for the laws of the land; unfortunately our people are too lazy and content in believing what the news tells them. Unfortunately, when they recognize the truth and the consequences of the government taking power not reserved for them, it will be late in the game.
As far as the US powers trying to take control of the master keys for DNS, this is just another assertion of their direct disobedience of established law in the United States and other countries.
All the years of establishing this great thing we of this world call the internet, the same institution people and citizens of every nation enjoy on a daily basis could be dismantled because of these types of haphazard attempts to secure things they believe should be in their grasp. At the cost of possibly causing hardships between trusting nations. Why try to implement plans that would possibly destroy a major source(s) of revenue, communication(s), commerce, and availability in the name of security (which isn't theirs to take in the first place, and they won't be able to secure it, only be able to leverage the availability to monitor it. Once again something that is not constitutional or ethical.).
This is not an answer to securing America or any country (only creates more distrust between nations); you can find many other ways to get more secure, monitor and get accurate ways to protect all nations than jeopardizing free enterprise and the internet as a whole.
Re:DNSSec (Score:5, Interesting)
Now, a DNS system that was largely immune to DoS attacks, that would be useful. That's the real problem we face with DNS. But dnssec doesn't help with that at all.
Re:DNSSec (Score:2, Interesting)