DHS Wants Master Key for DNS

An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

DNSSec

[tronicum]

...it will make spoofing IP-addresses impossible...

No. It secures DNS. So you cant spoof domain names. It secures that the DNS Server is authorative so the DNS query was answered right. If somebody spoofes an IP in your network, you won't be saved.

Re:DNSSec

[krbvroc1]

What are you talking about? How can giving a secret key to a third-party 'secure DNS'. If I am the only one who has a key to my house and I make an additional copy and give it to a third-party, my house is now less secure. Why are you and the article spinning this as a some greater level of security. Your correction about IP vs DNS spoofing is correct.

Re:DNSSec

[FuryG3]

Hopefully they'll devote enough resources at keeping this information as secure as they do for my SSN.

Re:DNSSec

[jovetoo]

I hope you can understand that no-one else in the world shares even your minimal believe in the US government?

Re:DNSSec

[khallow]

I gather that information doesn't matter to the OP either. Personally, if some country were to control such information, I'd rather it were someone with a long history of strict neutrality like Switzerland.

Re:

[Score Whore]

Switzerland isn't neutral. They are firmly on their side. You can tell by the way they looted jewish deposits during world war ii.

Re:DNSSec

[asninn]

"Neutral" doesn't mean "treats everyone fairly"; it means "doesn't treat anyone *more* unfairly than everyone else".

In other words, it's perfectly possible to be neutral *and* an asshole. I'm not saying Switzerland is either (I haven't read up on this), but generally speaking, there is no contradiction between your claims and those of the GP.

Re:DNSSec

[asuffield]

Fortunately we don't have to. There is no need for any such central root authority, which is precisely why dnssec has gained no traction at all - it solves no problems that we actually face. The status quo (security applied end-to-end at the application level) is not only adequate, it's better than dnssec because there's no central source of corruption involved. We have no need or desire for a secure DNS system.

Now, a DNS system that was largely immune to DoS attacks, that would be useful. That's the real problem we face with DNS. But dnssec doesn't help with that at all.

Re:

[bhirsch]

I do.

Re:

[Almost-Retired]

I hope you can understand that no-one else in the world shares even your minimal belief in the US government?

I fixed your spelling but that's minor. I'm a US citizen, but what in the world ever gave you the idea that we the US people actually believe those jerks inside the beltway? I don't trust any of them. I just hope we can survive as a country till Noon Jan 20, 2009. Regardless of who wins the not too well concealed game of musical chairs, we at least will be rid of one 'born again Christian' and ca

Re:

[Movi]

I just hope we can survive as a country till Noon Jan 20, 2009.Regardless of who wins the not too well concealed game of musical chairs, we at least will be rid of one 'born again Christian' and can begin to try to heal the pain and suffering of the legacy he leaves behind.

Ok, so let's for a moment imagine that in 2009 you will finally make the right decision, elect a trusted man for the job, and that he replaces the circus people that are running your country. Lets assume they are so trustworthy that the international community allows the US to oversee the Internet. Also lets say that ICANN gives out the keys. 4,8,12, years after your country ones again elects a bozo of equal or more potential to desabilize the world. What then? We'll just hope that he won't do too much da

Re:DNSSec

[Almost-Retired]

If it happens to be that way i urge you to eat your words. The internet has many years ago stopped beeing a US military project and has turned around beeing a world-wide communication network, much like the telephone. How would you feel if a remote country could just plug you out?

The whole idea of ICANN as I see it, is to assure that the net works, FOR EVERYONE. And yes, IMO ICANN has made some mistakes, but they pale in comparison to the mistakes that would be made if our government had access to the master keys, and could use the internet as just another weapon, for whatever purpose they might have in mind this week/month/year. That scenario scares me shitless.

The internet has been IMO, the greatest tool ever in terms of understanding our fellow humans. The near instant communications, not between governments who may have an agenda, but between people (who may in fact also have an agenda) has allowed those of us who are willing to learn, to learn what makes the other guy tick. Sadly, we seem to be all too infested with those who not only have an agenda, but are only willing to learn how to use it to their advantage and to hell with everybody else. These are the same individuals/groups/governments that refuse to learn from history, and are therefore doomed to repeat every mistake made over written history, just to see if they can make it work this time around. This is the same bunch who, when it blows up in their faces, always has a ready scapegoat, usually called the other guy...

Besides, we already have the "plug you out" in the form of the RBL, which has been used to unplug an errant domain or country, several times. The point is that this has for the most part, been applied sparingly, and only after repeated warnings to the offending region or country.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
  soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The way of the world is to praise dead saints and prosecute live ones.
                                -- Nathaniel Howe

Re:

[Master of Transhuman]

"I just hope we can survive as a country till Noon Jan 20, 2009. Regardless of who wins the not too well concealed game of musical chairs, we at least will be rid of one 'born again Christian'"

Hillary is a Methodist, I believe.

From my standpoint, not a significant improvement - especially given that she's as much a war hawk on Iran as Bush is, because she owes AIPAC and its rich Jewish supporters a ton of money for her campaign. General Clarke is right about that.

Besides, all the evidence is that Bush will

Re:

[Savantissimo]

I hope you can understand that no-one else in the world shares even your minimal believe in the US government?

That's an undersrtatement. For me, this ploy just means I can add "router-rooting" to my existing list of: "retard-raping rump-humping rabid-rover-rogering right-wing runt-reamers", but perhaps even highly-hyphenated alliteritive invective can be excessive? That's one perspective, but the objective will reject it.

Re:

[StartCom]

However it shouldn't belong to anyone, but be free! Having the keys in the hands of any government is dangerous!

Re:

[Workaphobia]

> "you can MitM and actually send forged DNS entries back to the client"

Er, no, that's what DNSSec prevents. Just as SSL stops man in the middle attacks for normal TCP traffic, DNSSec makes sure the domain query responses are authentic. The man in the middle doesn't have the key and cannot sign his forged response; he can only forward legitimate responses.

Incentive for alternative roots

[grasshoppa]

This should ( rightly so ) piss off external entities ( ie: foriegn nations ) enough to have them setup alternative roots. And I, for one, will be using those as apposed to the "secure" ones.

Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependant on it.

Re:Incentive for alternative roots

[Seumas]

I still have yet to understand what fear they have of internet terrorism. When was the last time terrorists killed someone over the internet?! This sounds more like the supposedly disbanded TIA working under the guise of DHS.

By the way, how scary is it that DHS used to be the commonly used acronym associated with "Department of Human Services". And now this...

Good to know that DHS can put its hands in ANYTHING regardless of nature as long as they claim it has some association in some minor (or even non-existent but hypothetical) way.

Re:

[mikeisme77]

It isn't about prevent terrorism related deaths, but economic terrorism.

Re:Incentive for alternative roots

[illegalcortex]

"Economic terrorism" is a buzzword. It's part of the "stick terrorism on the end to make people listen to your ranting" movement. I've even heard "judicial terrorism" and "legistlative terrorism" before.

The term "terrorism" means premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.

https://www.cia.gov/terrorism/faqs.html [cia.gov]

Re:Incentive for alternative roots

[ady1]

It isn't about terrorism at all. It is about control and about policing the rest of the world.

I hope they do that and piss off rest of the world so that they form an independent organization for such matters.

Re:Incentive for alternative roots

[tom's a-cold]

Mod parent up. They're not that afraid of terrorists. There is no plausible scenario in which Binladen or someone like him is going to threaten the US system. They're much more afraid of honest, decent people finding out what they're up to, and getting organized enough to do something about it. That's why they're constantly pushing for more intrusive surveillance and control.

You can be assured that, whatever information is collected on you by the government will not be adequately protected, and will be abused. Power grabs like this one must be resisted.

Re:

[segedunum]

Terrorism performed on who, exactly?

Re:Incentive for alternative roots

[SCHecklerX]

"economic terrorism?" WTF is that?

Terrorism is the act of inciting TERROR. I'm not terrified of losing all of my money, or of someone owning my computers or even disrupting my Internet connection. Being cut to pieces by rusty shrapnel, or possibly tortured while tied down in a dark room. Now *that* incites terror. Having to fight for my survival after being severely injured. THAT incites terror. If my computers or networks cease to function, it is inconvenience, NOT friggin' terrorism. People need to stop lightly throwing that word around. Terrorists don't give a fuck about your fucking computer or money. They care about SCARING THE HELL OUT OF YOU THROUGH VIOLENCE. In that regard, they've done really well (been to an airport lately?).

Same goes for 'cyberterrorism'. An interesting paper on the topic presented by Jay Dyson at Toorcon 2002: http://www.treachery.net/articles_papers/tutorials /the_myth_of_cyber-terrorism/The_Myth_of_Cyber-Ter rorism.pdf [treachery.net]

This could get complicated

[davidwr]

Imagine if there were 2 or more sets of "root" servers which were by and large identical. One under the thumb of the USA and one run by the international community, and maybe one set run by each repressive regime on the planet, e.g. China. All would get authoritative data from domain registrars just like the current root. All would be open to "controlled poisoning" by those who held the keys.

Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and go

Re:

[profplump]

check with the authoritative nameserver for the domain as reported by whois

As reported by who's whois? It's not like whois is some totally unrelated system -- it's tied to the same information as any other part of DNS.

You can certianly query along different root paths and compare the results without naming an authority, but if you're going to use whois to resolve conflicts you'd have to pick a root path for your whois requests and trust it to be accurate.

Re:

[daniel23]

true, and it has. Take a look at ORSN [orsn.net], when this news was discussed on heise.de (an influential IT-news service in Germany) many posters linked to that European Open Root Server Network.

(re: your signature: as a German I should love him, but who is Hasslehoff?)

Re:

[pikine]

I guess China had already seen this coming [slashdot.org]!

Re:

[DynaSoar]

> I guess China had already seen this coming!

Of course they did. Ever since they got caught hacking Falun Gong web sites from machines at the Ministry of Defense (among many other activities) they've been spoofing their IPs.

Alternative Keys, not Alternative Roots

[billstewart]

What we need here is alternative keys to verify the signatures on TLDs like .com, .net, .uk, .de, .iq etc. You can do that without setting up an alternative root system. Of course, while the DHS is demanding the keys for the root from ICANN publicly, you *know* they'll be privately demanding the keys for .com from Verisign or whoever it is these days, and trusting .com not to be forged is really a much bigger issue than whether the US politicians may decide to forge keys in .cn some day just for fun.

Th

Re:

[Shadowfire3000]

Our country has many exciting oppertunities and yet they are being stripped from us because of our government is pushing other countries away from our trust by trying to institue messure that they have *no* constitutional right or global right in doing. Making laws with out the correct due process, without checks and balance. This is not a correct process of allowing such a decission to be addressed. The people in America are the governing voice via the constition, bill of rights and declaration of inde

Re:

[ookabooka]

. . . and their going to do it anyway, root or no root.

Well if that's the case then I guess theres no point in doing anything about it.

Re:Incentive for alternative roots

[snowgirl]

Ah... the joys of the americo-centric viewpoint. Forget your own sovereigncy, it's probably too much for you to deal with anyways. Just let the US do it all for you.

God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.

Maybe this will be more to your liking ...

[ScrewMaster]

If, as a foreign power, your security could be defeated by IP spoofing then, honestly, your security issues are not going to be solved by managing your own root. In fact, if your so inept, then you probably should leave DNS security in the hands of the Russian or Chinese governments because because, frankly, that DNS root of yours is going to be hacked by script kiddies and spammers in no time flat and trash your whole infrastructure impacting your economy. Honestly, having the Chinese or Russian governments spy on you is probably preferable, and their going to do it anyway, root or no root.

There ... is that better now? All the parent was saying is that any nation whose security is dependent upon a computing resource that is owned and operated by an inimical foreign power is asking for trouble. Whether you consider the United States to be such a foreign power is a separate topic for discussion, and one in which I'm not particularly interested in pursuing.

In any event, I didn't perceive his remarks as being particularly U.S.-centric, although it's popular hereabouts to redirect any commentary about Internet infrastructure into criticisms of U.S. policies. Odd that, of all the various services and protocols that traverse the Internet, we get heat for one that has always been run rather well. We are the ones that have, like it or not, run the roots with more even-handedness than most countries around the world would have. Hell, we even let a bunch of hardline Communist states on board, although none of them seem particularly grateful.

Maybe that bothers you, that you don't really have any valid criticisms of our policies towards "Internet governance". Maybe you'd like to invent some reason to "wrest control of the Internet away from the United States" (whatever that means ... we don't own or control the network hardware in your country ... you do.) There are plenty of other things about United States foreign (and domestic!) policies that you could legitimately bitch about (I do, all the time) but our handling of DNS just isn't one of them at this point.

China's attitude towards the Internet is one that is, unfortunately, becoming more popular with governments of various stripes. They day will come the people of this planet will wish someone were still managing the global DNS infrastructure with something resembling the United States' largely hands-off approach. Don't count on that though.

God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.

I don't know what to do with this one. Comparing 13 or so server banks around the world with a nation that annexed multiple countries by main strength and created a true Empire ... quite a stretch. Now, if Bush & Co. were to threaten to use our military against any country tried to set up its own Domain Name System or equivalent, you might have a point. You might. But you don't.

Re:

[Antique Geekmeister]

There are far more secretive ways to track things: control over the international routers allows black-holing domains and sites, and rerouting or echoing their traffic to permit complete analysis of all traffic from them. Take a look at tools listed at www.sandstorm.com to see what is available, commercially, for such traffic analysis both recorded for later probing and real-time analysis with control of the routers and the kind of warrant-free tapping of internet backbones as has already been discovered.

No

Re:

[grasshoppa]

Me and most of my friends hate David Hasslehoff. You could say Americans love Hasslehoff since you like watching his naked body on Baywatch so much (American TV show, no?)

This is actually from an SNL skit from years ago. It always made me crack up, and I have yet to figure out why exactly. I've since been meaning to change it to reflect something significant or deep, but have yet to come up with anything beyond random political BS of one sort or another.

wtf!

[BuR4N]

"and be able to break into computers connected to the Internet without much effort"

Didnt know that spoofing an IP what all it took to break into a computer.....

Re:

[Professor_UNIX]

Didnt know that spoofing an IP what all it took to break into a computer.....

What, doesn't anybody use rlogin/rsh anymore with .rhosts files?

Creative Visualizations...

[UncleTogie]

The mental picture that first struck me:

A farmer giving the fox the keys to the henhouse.

Re:

[UncleTogie]

So basically you're saying that the best DHS could do with the master key would be running around with the key in its mouth without any idea what to do with it?

Don't forget Foxxy Love [wikipedia.org], Comedy Central's favorite animated mystery-solving bisexual!

How are you gentlemen.

[bluemonq]

All your IP are belong to us. You are on the way to being rooted. You have no chance to 200 make your time.

Sure, you can have the master key...

[Cylix]

When you pry if from my cold dead hands!

Re:Sure, you can have the master key...

[Anonymous Coward]

Your proposal is acceptable.

-- DHS.

Re:

[the eric conspiracy]

So you are equating DHS with giant terroristic insectoid aliens bent on universal destruction? Hum. Seems reasonable.

Re:

[ameline]

I was pointing out that saying "You can have my X when you pry it from my cold dead hands" does not seem to slow down these sort of people very much if they have a serious desire to take your X away from you.

Re:

[frinkacheese]

..In other news Cylix, a Slashdot poster was found dead today outside his home. Police investigating suspect that theft was the motivation as his wallet was missing.

Various Internet companies today suspect that their domain names have been compromised. Blaming the new "secure" DNS system, companies are still unable to tell what the extent of this damage is.

Also in todays news:

Iran in massive cleanup operation after Israeli nuclear strike.
Microsoft again found guilty of anti-trust violations.
SCO share price

Multiple keys

[russotto]

Does Secure DNS allow multiple keys to be required before a query is trusted? That is, would it be possible with the protocol as defined for a foreign root server (e.g. the servers authoritative for .nl) to sign its responses with its own self-signed or trusted-organization-signed key as well as with the IANA-signed key, and have savvy clients trust such servers only if both keys are present?

I'm surprised the US Government is doing this; I'd have expected them to obtain the key through back channels rather than out-and-out demanding it.

Which is worse?

[FMota91]

The fact that the US Government wants this key, or the fact that it has requested it publicly?

Honestly...

Re:

[Eric Smith]

In principle, there is no reason why a ccTLD key needs to be signed by IANA, ICANN, the US DoD, or anyone else, as long as the DNS implementation on client computers is configured to trust that ccTLD key.

The result is that instead of computers being configure to trust a single root zone key from IANA, it is likely that every ccTLD will have its own key, and that the standard configuration of DNS as shipped with an OS or distribution will contain the public keys or hashes for every one of them. This is argu

Re:

[Workaphobia]

Under that system, if new ccTLDs are added, it will force an update to all DNSSec users. This may be acceptible though.

The master key is trusted by all and signs every TLD and ccTLD, right? Does this key expire after a set number of years? If so, how is replacement handled, especially for systems that may be offline for long periods of times? Just wondering.

Another "Internet"

[bogaboga]

How feasible is it for we in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?

Re:

[Eric Smith]

All they have to do is

1. set up their own root DNS servers (easy, anyone can do that)
2. convince their citizens to configure their computers to use their root DNS servers instead of the ICANN root DNS servers

Many people have done the first, but no one has succeeded at the latter. But if a government were to do it, they might well succeed.

However, other countries may not even need to do that. If they use a ccTLD (e.g., .cn for China, .lk for Sri Lanka, etc), they can control the DNS key for that ccTLD, a

Re:

[DaMattster]

You would also need to convince the citizens to get direct connections to your servers and start assigning IP addresses, much in the same way that IANA does. This is, in theory, wholly possible. Then you could have a separate internet that gets away from government regulation. But, Homeland Security may get suspicious and you might see one of the infamous National Security letters forcing you to open your network or face imprisonment and fines. Either way, as long as King George has his way, privacy wil

Re:

[canuck57]

How feasible is it for we in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?

Quite feasible actually. China already runs it's own DNS root servers. The trick becomes to make this as seamless as possible to the end users. But there are ulterior motives for this, to control the people.

For example say China wanted ibm.com to resolve to their own servers, th

Re:

[Simon (S2)]

This make DNS in the middle attacks -- even with SSL -- trivial.

How? I can redirect you to my own site, but how do I spoof your SSL certificate? I can generate a similar one and try to fool you into accepting it, but I can't see how you can sniff traffic on an SSL encrypted channel just by gaining control of the DNS server.

Re:

[doshell]

When it all boils down, a network like the internet requires centralized control, and it's often best to stick with the devil you know. [emphasis mine]

Funny you should say that, since one of the objectives of the US government when designing the Internet (ARPANET at the time) was to create a decentralized network that would remain in operation even in the event individual nodes were lost...

Re:

[vertinox]

How feasible is it for we in the rest of the world to create "another Internet" and leave the current one with the US government?

Oh that... Its called IPv6.

Subby failed reading comprehension

[Anonymous Coward]

No where in that article did it say that DNSSEC would prevent spoofed IP Addresses. This is about DNS, not about IP addresses. Also, the fact that the DHS wants they master keys does not mean they'll be able to hack into your computer without any problem. It boggles my mind that this Summary was allowed to hit the main page. wow...just wow.

Re:

[3247]

No where in that article did it say that DNSSEC would prevent spoofed IP Addresses.

Even if the article did not say so, it actually does: With DNSSEC, you can securely put certificates for IPSEC or SSL/TLS into the DNS.

How DNSSEC prevents spoofed IP addresses

[billstewart]

There are two ways to spoof IP addresses - trick somebody into thinking the machine they want is at a bad guy's IP address instead of the real one, or trick somebody into thinking that the IP address they're trying to reach is on a bad guy's machine instead of the real one.

DNS primarily lets you look up the IP address corresponding to a domain name, and DNSSEC prevents this from being spoofed. Spoofing the routing protocols so that IP packets go to the bad guy's machine is obviously not DNS's problem.

Should U.S. DHS be trusted?

[Anonymous Coward]

Should U.S. DHS be trusted?

• Election staff convicted in recount rig in Ohio 2004 presidential election that gave President Bush the electoral votes he needed to defeat Democratic Sen. John Kerry [federalnewsradio.com]
  
  
• Bush signs landmark executive order increasing White House power over federal agencies [rawstory.com]
  
  
• Bush's Signing Statement Dictatorship [lewrockwell.com]
  
  
• Senator asks Bush to explain signing statement that gives President authority to open mail without warrant [rawstory.com]
  
  
• Bush Moves Toward Martial Law [informatio...ration.com]
  
  
• US Attorney General Questions the Right to a Fair Trial [baltimorechronicle.com]
  
  
• The White House is replacing U.S. Attorneys throughout the country [tpmmuckraker.com]
  
  
• Attorneys for the District of Columbia argue that the Second Amendment right to bear arms applies only to militias, not individuals [prisonplanet.com]
  
  
• U.S. citizens to be required "clearance" to leave the United States [blogspot.com]
  
  
• plenty more, regretfully...
  
  

The crucial signing key is for Windows Update

[Animats]

The truly powerful signing key is for Windows Update. If you have that key, you can take over every Microsoft computer in the world . Change the operating system. Install anything, including a new key. Reboot the machine.

Who has that key? Do we know?

Whoever has both the DNS root key and the Windows Update signing key rules the Internet. Or at least all the Microsoft client systems. They can redirect Windows Update requests to themselves, then download their own update and have it accepted.

Unfortunately, this isn't a joke.

Re:

[Comatose51]

One key to rule them all and in the darkness bind them.

Re:

[iminplaya]

Heh, Good thing I turned off Windows update

Re:The crucial signing key is for Windows Update

[Workaphobia]

I am absolutely shocked that no one has given the obvious reply, seeing as how this is slashdot.

You can already take over every microsoft computer in the world. All it takes is a zero day exploit. How exactly is a spam botnet fundementally different from a botnet controlled by the US Government?

The security of encryption keys is only a concern when the security of the rest of the system is not in quesiton.

Re:

[Scudsucker]

I am absolutely shocked that no one has given the obvious reply, seeing as how this is slashdot.

Because you were the first incompetent boob to come along. There is a HUGE, obvious difference between a zero day exploit spreading from computer to computer and millions of PC's getting an exploit at the same time because they were set to automatically download updates from Windows Update. Or did you stop to consider the fact that basic security will keep you from being infected by a zero day exploit? A firew

No, it's not a joke.

[Animats]

If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)

If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.

So possession of both of those keys gives full control of all Windows Update enabled clients.

Re:

[Workaphobia]

I'm sure it is, as well as plenty of other package systems. But you could make the same argument about all of open source. When's the last time you read a thousand-line make file line-by-line and verified that its author wasn't an Underhanded C Contest champion?

I guess the difference is that securing DNS is more fundemental problem than the integrity of individual applications or update systems.

We asked, you spoke, we listened. END OF STORY

[sciop101]

US Gov: We want the key.

We are denied the key.

We deny having the key.

out of control

[TheSHAD0W]

I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.

Re:

[Workaphobia]

I thought the root DNS servers only hold TLDs, and individual second-level domains were stored in Verisign and company's servers.

Routing and private keys?

[pashdown]

I've always thought IP spoofing is a weak attack due to routing and ingress filters. Any network worth its salt will block its own addresses from coming in from the outside, but nevertheless routing has to return the TCP ack back to the proper AS#. How does DNSSec override these precautions?

In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?

Re:

[pashdown]

IP AND DNS AND private key, not IP OR DNS OR private key.

Re:

[Score Whore]

I think you fail to understand. Relying on IP or DNS is like putting regular household windows on a vault. They serve no purpose so leave them out. Additionally neither system was designed as a security mechanism, using them as such is asking for trouble. To extend your boolean logic here is an equivalent formula for you: 1 AND 1 AND private key. For anyone intent on breaking into your system, the first two will always be true.

Re:

[pashdown]

So you just * your hosts.allow and let anyone connect to your ssh port? You don't use an IP based firewall because your private keys are sufficient? Interesting strategy.

If all IP firewalls fall to your skillz, maybe you should be the uberhacker contracting with DHS. They don't need anything else except you.

Re:

[Score Whore]

Yep. I do not filter on IP addresses. I block almost all incoming ports, but the ports that are open are open to any IP address.

What skills do you imagine it takes to forge an IP address?

That's all we need

[OriginalArlen]

Finally, a way to give the net.kooks at ORSN et al -- and other purveyors of alternative DNS roots [wikipedia.org] -- some sort of credibility... prove that the kooks were right all along! The cabal does exist, and they're running the US government. What a stroke of genius! This single act could be the single most harmful thing to hit the net since Cantor and Seigel :(

correction

[slashkitty]

the US government will be the only institution that is able to spoof IP addresses

the US government will be the only OTHER institution that is able to spoof IP addresses.

whoever is the creator (icann?) of the master keys is also able to spoof DNSsec.

You know...

[FunWithKnives]

When the story first broke about other nations wanting an independent international body to oversee the root servers and such, I was completely against it. It sounded to me like another pointless stance by the U.N., compounded by the fact that the ARPANet was invented and fleshed out here in the U.S. Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.

Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.

So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.

Re:You know...

[DaMattster]

I definitely agree with you there and I am a U.S. Citizen. At this point, I think by making ICANN and IANA independent of U.S. control we are safeguarding our own rights what with the wild abuses of the Patriot Act, the FBI, and the Department of Homeland Security. I hope ICANN doesn't capitulate. ICANN shouldn't give them shit.

Re:

[Tim C]

I was assuming that the government of the United States could never be as fucked up as the one in, say, China

Irrelevant. No one country should have control of a global resource. Even ignoring the potential for abuse, global resources should be managed globally, it's as simple as that.

I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet

Yeah, because us dirty foreigners don't even know how to spell "freedom", let alone have any respect for it.

Re:

[dbIII]

Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.

Some country with torture and show trials ... hang on, the USA is trying very hard to become one of those unsavory members of the U.N.

Hah. The US government has answered.

[SLi]

I'm glad the US government decided to answer themselves the very short-sighted people who are almost in the majority in every ICANN-shouldn't-be-controlled-by-the-US article who ask something like "Who would you trust more to control the Internet, the US government or a body where countries with poor human rights record have a say".

root keys and Ultimate Power

[Teunis]

Maybe it's time to start working up an alternative to DNS zones?

It's either that or coming up with a way of keeping such information outside of the hands of a foreign power (the USA is a foreign power from my country. Not an enemy by any hands at this time... but it has been).

There should be no debate if DHS gets its way

[iminplaya]

Control over the internet needs to be taken away from the Americans. We need to assure that nobody has "control" over the internet.

Re:

[slothman32]

That is my theory.
See, there is a use for the UN to control it.
It may screw it up but it won't harm us badly, purposfully, either.

Re:

[Watson Ladd]

The Universal Deceleration of Human Rights has a lot fewer holes then the Bill of Rights. For one, the Bill of Rights says cruel and unusual. If I was to kick everyone in the groin if they were convicted, then that would not be illegal, as it's cruel, not unusual. The Bill of Rights also says nothing about your right to life, liberty and security of person. Without a life you can't enjoy any of the other rights.

How is this significantly different?

[Schraegstrichpunkt]

Right now, Verisign (or any of the widely-trusted X.509/SSL certificate authorities) can generate fake certificates for arbitrary sites, and your ISP can poison the DNS (from your perspective).

Incompetent government employees (or corrupt or foreign governments) are not the only adversaries we need to deal with. DNSSEC, like the current HTTPS trust system, reduces the number of potential attackers, but it doesn't eliminate them all. We know this, and we deal with it by only vesting a limited amount of trust in these systems.

The discussion should not be about whether or not the US DHS specifically should be given access to the keys; The discussion should be about the importance of minimizing the number of points where the system can be attacked: Only those entities who strictly need the keys in order to administer the DNSSEC system should be given access. The DHS doesn't need DNSSEC keys in order to make DNSSEC work, so the DHS should not get the keys. It's as simple as that.

So what?

[tqbf]

Anybody --- not just the DHS --- can spoof the DNS today. And yet, by all available evidence, DNS spoofing is vanishingly rare. Mutual authentication over the untrusted Internet is a solved problem: TLS provides an end-to-end guarantee that your connection to your banking web application terminates with someone who can vouch for your bank's crypto keys. And you don't simply trust SSL certificates to the government: you also trust a myriad of commercial entitities as well.

This is a red herring on multiple levels. There are lots of places that intelligence agencies can step in to violate your privacy on the Internet; you "trust" an access-layer providers, a number of backbone providers, the owners of the DNS roots, the certificate authorities, Google, and probably 10 more entities. But more importantly, DNSSEC is irrelevant. Nobody depends on it now (it doesn't "exist"now: tell me how my Mac does a secure lookup for Google.com on Speakeasy). It's likely that nobody ever will depend on it. And that's OK, because we have better mechanisms in place. We should spend more effort on adding negotiated opt-in SSL for things besides web and mail, and less on huge infrastructure projects to "secure" one tiny link in the connectivity chain.

why?

[dheera]

why does a master key even exist? if a system is to be secure, make it secure. don't allow some organization with a master key to be able to do stuff. if a master key exists to anything, it will be leaked in due time, if people want it.

second, why does the US government get rights? the organization in question should just relocate to another country where the US government has no jurisdiction.

finally, i thought .com/.net/.org were shared by the entire world and are not specifically "US" domain names. why is

Bunk

[flyingfsck]

Clearly, the author has no idea what BIND is, what it does, or how it works. BTW, there are root servers in Europe too.

Too many secrets?

[00_NOP]

The way the story is written the key is presumably "CTEC ASTRONOMY". Getting the key will not make it easy to break into people's computers if the security is done properly (not unless they have some quantum computers brute forcing various keys), but it would make it easy to pretend to be part of someone's network.

Suuuure, just give US the key

[Goblez]

Right, let's give the DHS the key so that only they can spoof their addresses. How is this good?

Why isn't is given to a group to control and enforce that has some balance, other than just 'trusting' that government should have this power?

"The Internet is free, oh except we hold the keys . . . " doesn't sound quite right to me.

Who cares about DNS?

[IchBinEinPenguin]

Firefox has 44 groups of certification authorities!
Each group seems to be a company which holds (in the case of Verisign) 15 individual certificates.
Each of these certificates can be used to set up a 'trusted' HTTPS connection.
If you don't know what that means, google for "verisign microsoft fake certificate"

I'm as paranoid as the next guy, but I think that haing companies with stellar security track-records like verisign issuing browser certificates is much more of a problem that DHS messing with DNS.

If you're worried about DNS/CAs/??? don't use them. Set up an SSH tunnel or a VPN, exchange keys securely (i.e. off-line, in person, verifying signatures) and live happily ever after.

Honestly, given the general state of computer security this is like complaining that someone might mess with your street-directory while driving a Pinto with "USA forever" stickers through Baghdad in rush-hour.....

Scary!

[kbahey]

You know what?

This is one of many cases that show that the US government is really messed up.

They want the keys to something the whole world depends on, and the ability to disrupt it, but deny that to anyone else.

The same goes for the militarization of space: they want to be able to do it, and deny anyone else from doing the same.

The same goes for weapons of mass destruction: they want to keep it, and allow current allies to keep it, yet selectively deny certain current enemies (real or perceived) from having the same.

This double standard, coupled with unilateral actions against the advice and objections of the most of the world, is what makes the current US government so scary.

Indeed this feels like the saying: Gods may do what cattle can't [wikipedia.org].

Americans can do better than that. You guys used to admired, and yes, envied, but in a good way. The rest of the world looked up to you.

Now this admiration has turned to resentment, and resignation. The rest of the world cannot vote in US presidential elections, yet we are affected by that decision without having a say at all. Sort of like when you rebelled against a king that taxed you without representation.

It is beyond most of the world why you reelected the same administration again, despite of all its short comings, and their continued heavy handed meddling.

The Democrat taking over congress is a good sign.

Please continue to fix this. You indeed can, and you deserve better. The rest of the world deserves better too.

DNS Trust Anchors (how to trust who you trust)

[hardaker]

DNSSEC provides the ability for the data to be signed. The politics have come in, of course, as to who has those keys. (Now mind you, right now the US government or anyone at all can already spoof DNS responses today and interestingly enough when politics get involved, it takes longer for deployment of secure protocols to happen. whee....)

But, DNSSEC does provide every zone owner with the ability to hold a very special key so that no one else may be able to spoof stuff in their zone. Everyone would want to trust .com's key, because they're the one with all the data you need. The roots hold all the information about the TLDs, so you need to trust the roots to be able to get information about .com's servers. If someone controlled the keys for the roots and you trusted those keys (had them configured as "trust anchors") then they could spoof (signed) .com record, the .com keys, etc down until example.com so you'd trust the results for example.com as secure.

But here's the secret: if you don't trust the root zone owners, then instead you can choose to set trust anchors tied to the .com key instead. You don't have to trust the root zone keys, it just makes it easier to trust only one. Paranoid people are certainly welcome to maintain a list of trusted keys for any zones they deem to be "importantly" critical. If you had a trust anchor configured for .com, then it wouldn't matter what someone with the real root zone key could do with it... You wouldn't trust the eventual results from a fake .com server a root had told you about because the cryptography would warn you that it didn't match up to your expected trust anchor for .com. I suspect that most country TLDs will already do this for their own government results (IE, .se, who already runs a secured zone, will configure the .se keys as trust anchors in its government systems).

Here's an interesting proposal for the root zone: pick two countries that hate each other and are likely to never have the same agenda. Let's call them X and Y. Give each of these countries a root key, and make the root zone use and publish results from both of them. Then, you could configure trust anchors pointing to both the X and Y keys. You could configure your system to make sure to check the DNSSEC results to validate the information up to both of these keys. That way you could ensure that since you trusted X and Y to never conspire against you together, and you would know that neither X or Y alone could have spoofed DNS data then you suddenly find yourself safe. Because of the distrust. I love the irony.

(now: you don't want to have a zillion keys for the roots... The packet sizes get larger as you add more keys, and it turns out you probably don't want more than 3 at most).

Re:Politics, politics

[ScrewMaster]

Will they have a choice? Would they do any better?

The problem with all this saber-rattling about "control of the Internet" is that there's just too much economic power involved to arbitrarily change anything. Yes, one can complain about U.S. management of DNS (although the system does work rather well), one can complain about what the U.S. might do with DNS (although we haven't done anything yet) but sometimes, change for the sake of change is dangerous. The impact on world economies if DNS were to suffer any significant or long-lasting disruption would be severe. If any major changes or transfer of control of the Domain Name System ever get made, they'd best be made in the light of technological reality and not the immediate political need to stand up to the U.S. Remember what happened with Verisign and SiteFinder? That was just a taste of what might happen to the network if people start squabbling over the roots and waving their dicks around.

Be careful what you wish for.

Re:

[l3v1]

although we haven't done anything yet

Not the most convincing argument these days.
 

Re:

[ScrewMaster]

Maybe not. But if you're going to take the significant step of switching to an alternate DNS system, you'd best be prepared to accept the consequences. Those could be severe, depending on how well the transfer is managed, and since this is a multinational issue odds are it won't get handled well at all. The British will want a camera in every server, the French won't let the term Domain Name System be used because it's "too American", and the Germans ... well, the Germans would probably handle their end pre

Re:

[ScrewMaster]

Do you?