
DHS Wants Master Key for DNS

An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
This discussion has been archived. No new comments can be posted.

  • Another "Internet" (Score:2, Interesting)

    by bogaboga ( 793279 ) on Saturday March 31, 2007 @01:54PM (#18556977)
    How feasible is it for us in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?
  • Which is worse? (Score:2, Interesting)

    by FMota91 ( 1050752 ) on Saturday March 31, 2007 @01:55PM (#18556983)
    The fact that the US Government wants this key, or the fact that it has requested it publicly?

    Honestly...
  • by pashdown ( 124942 ) <pashdown@xmission.com> on Saturday March 31, 2007 @02:10PM (#18557133) Homepage
    I've always thought IP spoofing is a weak attack due to routing and ingress filters. Any network worth its salt will block its own addresses from coming in from the outside, but nevertheless routing has to return the TCP ack back to the proper AS#. How does DNSSec override these precautions?

    In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?
  • by Anonymous Coward on Saturday March 31, 2007 @02:22PM (#18557229)
    Does this mean that pirated copies of Windows are in fact more secure?
  • No, it's not a joke. (Score:5, Interesting)

    by Animats ( 122034 ) on Saturday March 31, 2007 @02:27PM (#18557265) Homepage

    If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)

    If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.

    So possession of both of those keys gives full control of all Windows Update enabled clients.

  • by davidwr ( 791652 ) on Saturday March 31, 2007 @02:27PM (#18557271) Homepage Journal
    Imagine if there were 2 or more sets of "root" servers which were by and large identical. One under the thumb of the USA and one run by the international community, and maybe one set run by each repressive regime on the planet, e.g. China. All would get authoritative data from domain registrars just like the current root. All would be open to "controlled poisoning" by those who held the keys.

    Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and governments in freer countries could allow their customers to choose their own root if they so desired.

    Now imagine a world where ISPs and customers in totally free countries compare results from all available sets of root servers, look for inconsistencies, and if there is an inconsistency, check with the authoritative nameserver for the domain as reported by whois. If the DNS lookup for the whois server was not consistent then it will be handled as an exceptional case: The end-user will get a result that might or might not be correct and technicians will be alerted so they can figure out what the real IP addresses of the whois server are.
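
The cross-check described in the comment above, sketched as an added example that is not part of the original thread. The root-set names, hostnames and addresses are constructed documentation values, and the whois step is reduced to a hypothetical `authoritative` callable standing in for a query to the domain's own nameserver.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: three hypothetical root sets and the answers each
# gives. Names and addresses are documentation values, not real hosts.
ROOTS = {
    "root-a": {"shop.example": ["192.0.2.20"], "bank.example": ["203.0.113.66"],
               "whois.example": ["198.51.100.5"]},
    "root-b": {"shop.example": ["192.0.2.20"], "bank.example": ["192.0.2.10"],
               "whois.example": ["198.51.100.5"]},
    "root-c": {"shop.example": ["192.0.2.20"], "bank.example": ["192.0.2.10"],
               "whois.example": ["198.51.100.5"]},
}
AUTHORITATIVE = {"bank.example": ["192.0.2.10"]}  # stand-in for the domain's own nameserver

def authoritative_lookup(name):
    return AUTHORITATIVE[name]

@dataclass
class Verdict:
    status: str            # "consistent", "authoritative" or "unverified"
    addresses: frozenset
    dissenting: list = field(default_factory=list)
    alert: bool = False    # True when technicians must investigate

def poll(name, roots):
    """Ask every root set for name; a missing record counts as an empty answer."""
    return {r: frozenset(zone.get(name, ())) for r, zone in roots.items()}

def majority(answers):
    """Return the most common answer and the root sets that disagree with it."""
    top, _ = Counter(answers.values()).most_common(1)[0]
    return top, sorted(r for r, a in answers.items() if a != top)

def cross_check(name, roots, whois_host, authoritative):
    answers = poll(name, roots)
    best, dissent = majority(answers)
    if not dissent:
        return Verdict("consistent", best)
    # The tie-breaker is only usable if every root set agrees on where the
    # whois server lives; otherwise hand back a best guess and raise an alert.
    whois_addr, whois_dissent = majority(poll(whois_host, roots))
    if whois_dissent or not whois_addr:
        return Verdict("unverified", best, dissent, alert=True)
    truth = frozenset(authoritative(name))
    return Verdict("authoritative", truth,
                   sorted(r for r, a in answers.items() if a != truth))

print(cross_check("bank.example", ROOTS, "whois.example", authoritative_lookup))
```
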
  • You know... (Score:5, Interesting)

    by FunWithKnives ( 775464 ) <ParadoxPerfect AT terrorist DOT net> on Saturday March 31, 2007 @02:31PM (#18557315) Journal
    When the story first broke about other nations wanting an independent international body to oversee the root servers and such, I was completely against it. It sounded to me like another pointless stance by the U.N., compounded by the fact that the ARPANet was invented and fleshed out here in the U.S. Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.

    Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.

    So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.
  • by Teunis ( 678244 ) <teunis@wint[ ]gift.com ['ers' in gap]> on Saturday March 31, 2007 @02:33PM (#18557337) Homepage Journal
    Maybe it's time to start working up an alternative to DNS zones?

    It's either that or coming up with a way of keeping such information outside of the hands of a foreign power (the USA is a foreign power from my country. Not an enemy by any hands at this time... but it has been).
  • Re:You know... (Score:5, Interesting)

    by DaMattster ( 977781 ) on Saturday March 31, 2007 @02:54PM (#18557511)
    I definitely agree with you there and I am a U.S. Citizen. At this point, I think by making ICANN and IANA independent of U.S. control we are safeguarding our own rights what with the wild abuses of the Patriot Act, the FBI, and the Department of Homeland Security. I hope ICANN doesn't capitulate. ICANN shouldn't give them shit.
  • by snowgirl ( 978879 ) on Saturday March 31, 2007 @03:03PM (#18557599) Journal
    Ah... the joys of the americo-centric viewpoint. Forget your own sovereignty, it's probably too much for you to deal with anyways. Just let the US do it all for you.

    God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.
  • Re:You know... (Score:3, Interesting)

    by Tim C ( 15259 ) on Saturday March 31, 2007 @04:11PM (#18558259)
    "I was assuming that the government of the United States could never be as fucked up as the one in, say, China"

    Irrelevant. No one country should have control of a global resource. Even ignoring the potential for abuse, global resources should be managed globally, it's as simple as that.

    "I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet"

    Yeah, because us dirty foreigners don't even know how to spell "freedom", let alone have any respect for it.
  • by Shadowfire3000 ( 992415 ) on Saturday March 31, 2007 @05:18PM (#18559043)


    Our country has many exciting opportunities and yet they are being stripped from us because our government is pushing other countries away from our trust by trying to institute measures that they have *no* constitutional right or global right in doing. Making laws without the correct due process, without checks and balances. This is not a correct process of allowing such a decision to be addressed. The people in America are the governing voice via the Constitution, Bill of Rights and Declaration of Independence for the laws of the land; unfortunately our people are too lazy and content in believing what the news tells them. Unfortunately, when they recognize the truth and the consequences of the government taking power not reserved for them, it will be late in the game.

    As far as the US powers trying to take control of the master keys for DNS, this is just another assertion of their direct disobedience of established law in the United States and other countries.

    All the years of establishing this great thing we of this world call the internet, the same institution people and citizens of every nation enjoy on a daily basis could be dismantled because of these types of haphazard attempts to secure things they believe should be in their grasp. At the cost of possibly causing hardships between trusting nations. Why try to implement plans that would possibly destroy a major source(s) of revenue, communication(s), commerce, and availability in the name of security (which isn't theirs to take in the first place, and they won't be able to secure it, only be able to leverage the availability to monitor it. Once again something that is not constitutional or ethical.).

    This is not an answer to securing America or any country (only creates more distrust between nations), you can find many other ways to get more secure, monitor and get accurate ways to protect all nations than jeopardizing free enterprise and the internet as a whole.

  • Re:DNSSec (Score:5, Interesting)

    by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Saturday March 31, 2007 @07:01PM (#18560425)
    Fortunately we don't have to. There is no need for any such central root authority, which is precisely why dnssec has gained no traction at all - it solves no problems that we actually face. The status quo (security applied end-to-end at the application level) is not only adequate, it's better than dnssec because there's no central source of corruption involved. We have no need or desire for a secure DNS system.

    Now, a DNS system that was largely immune to DoS attacks, that would be useful. That's the real problem we face with DNS. But dnssec doesn't help with that at all.
  • Re:DNSSec (Score:2, Interesting)

    by DoomfrogBW ( 1010579 ) on Saturday March 31, 2007 @11:13PM (#18562953)
    The internet is a weapon. It's called NIPRNET and SIPRNET funnelled over Commercial Internet.
