Slashdot Mirror


DHS Wants Master Key for DNS

An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

8 of 266 comments

  1. DNSSec by tronicum · · Score: 5, Informative
    ...it will make spoofing IP-addresses impossible...

    No. It secures DNS. So you can't spoof domain names. It ensures that the DNS server is authoritative, so the DNS query was answered right. If somebody spoofs an IP in your network, you won't be saved.

    1. Re:DNSSec by Score+Whore · · Score: 2, Informative

      Switzerland isn't neutral. They are firmly on their side. You can tell by the way they looted Jewish deposits during World War II.

  2. Subby failed reading comprehension by Anonymous Coward · · Score: 5, Informative

    Nowhere in that article did it say that DNSSEC would prevent spoofed IP addresses. This is about DNS, not about IP addresses. Also, the fact that the DHS wants the master keys does not mean they'll be able to hack into your computer without any problem. It boggles my mind that this summary was allowed to hit the main page. wow...just wow.

  3. Re:Multiple keys by Eric+Smith · · Score: 2, Informative

    In principle, there is no reason why a ccTLD key needs to be signed by IANA, ICANN, the US DoD, or anyone else, as long as the DNS implementation on client computers is configured to trust that ccTLD key.

    The result is that instead of computers being configured to trust a single root zone key from IANA, it is likely that every ccTLD will have its own key, and that the standard configuration of DNS as shipped with an OS or distribution will contain the public keys or hashes for every one of them. This is arguably a good thing.

    Note that few if any OS distributions come configured to support secure DNS and verify signed DNS records.

  4. It is a joke, you just forgot the punchline! by Anonymous Coward · · Score: 0, Informative

    >Unfortunately, this isn't a joke.

    Other than it won't work because all the important *.microsoft.com sites are hardcoded into Windows.

  5. Re:wtf! by tsoldrin · · Score: 1, Informative

    It's a simple matter to point the DNS entry to a machine of your choice and then just pass all the traffic on through to the real machine, monitoring both directions thereafter. As soon as anyone logs in, you're in.

  6. DNS Trust Anchors (how to trust who you trust) by hardaker · · Score: 2, Informative

    DNSSEC provides the ability for the data to be signed. The politics have come in, of course, as to who has those keys. (Now mind you, right now the US government or anyone at all can already spoof DNS responses today and interestingly enough when politics get involved, it takes longer for deployment of secure protocols to happen. whee....)

    But, DNSSEC does provide every zone owner with the ability to hold a very special key so that no one else may be able to spoof stuff in their zone. Everyone would want to trust .com's key, because they're the one with all the data you need. The roots hold all the information about the TLDs, so you need to trust the roots to be able to get information about .com's servers. If someone controlled the keys for the roots and you trusted those keys (had them configured as "trust anchors"), then they could spoof (signed) .com records, the .com keys, etc., down to example.com, so you'd trust the results for example.com as secure.

    But here's the secret: if you don't trust the root zone owners, then instead you can choose to set trust anchors tied to the .com key instead. You don't have to trust the root zone keys; it just makes it easier to trust only one. Paranoid people are certainly welcome to maintain a list of trusted keys for any zones they deem to be "importantly" critical. If you had a trust anchor configured for .com, then it wouldn't matter what someone with the real root zone key could do with it... You wouldn't trust the eventual results from a fake .com server a root had told you about, because the cryptography would warn you that it didn't match up to your expected trust anchor for .com. I suspect that most country TLDs will already do this for their own government results (i.e., .se, which already runs a secured zone, will configure the .se keys as trust anchors in its government systems).

    Here's an interesting proposal for the root zone: pick two countries that hate each other and are likely to never have the same agenda. Let's call them X and Y. Give each of these countries a root key, and make the root zone use and publish results from both of them. Then, you could configure trust anchors pointing to both the X and Y keys. You could configure your system to make sure to check the DNSSEC results to validate the information up to both of these keys. That way, since you trusted X and Y never to conspire against you together, you would know that neither X nor Y alone could have spoofed DNS data, and you would suddenly find yourself safe. Because of the distrust. I love the irony.

    (now: you don't want to have a zillion keys for the roots... The packet sizes get larger as you add more keys, and it turns out you probably don't want more than 3 at most).

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
  7. Re:out of control by Anonymous Coward · · Score: 1, Informative

    I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.


    Um... Not. I don't see how this would increase the number of 'unauthorized' people able to access the key. It would affect what group decides who is 'authorized'. But whatever group does control the key would want to restrict access to a minimal number of people (you'd only technically need one, really, although you'd realistically want several for vacations, shifts, retirement, etc...)

    The owner of the root key signing key would not have any special powers to break into your computer or your communications. They would just sign the root zone keys. We already trust the root zones to give the correct IPs for TLDs. We already have the root zone IPs on the Domain Servers we are using. Once signed, the root key signing key holder wouldn't be able to tell you that a certain root was bad until that record expired (and then just by not signing a new record).

    You would still be trusting the current root zones, current TLDs, and whichever subdomains you are visiting. Further, you don't have to use secure DNS. You could just keep doing lookups like you've always done with DNS without caring about the signatures. You'd be trusting the same people you're trusting today (i.e. zone hierarchy and local network hosts and upstream network hosts) and have the same trust in the IP addresses coming back.

    But, with secure DNS, the guy next to you at your coffee house or your next door neighbor that shares your cable network connection will not be able to tell you that www.yourbank.com is his IP address. The root key signing key holder won't be able to do this either. The worst they could do is not re-sign a root zone server (this could cause political/bureaucrat BS, but not break your computer). The root zone server could mess with you (they can now), the TLD server could mess with you (they can now), the subdomain server could mess with you (they can now). Your trust would be in the current zone hierarchy but no longer everyone on your local network and upstream of you.
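The chain-of-trust argument in comments 6 and 7 above (a trust anchor at .com makes the root key holder irrelevant; a key-less neighbour on the LAN cannot forge a signed answer; two root keys X and Y that must both validate defeat either one alone) can be checked in a small model. The following is an added example, not code from Slashdot, from any commenter, or from a real resolver: zones, DS records, key tags and the textbook-RSA signatures over fixed Mersenne primes are all constructed here so the block runs with only the Python standard library, and the zone names, IP addresses and scenario labels are invented for the illustration.

```python
"""Toy DNSSEC chain-of-trust validator with configurable trust anchors.
Constructed illustration: textbook RSA over tiny fixed Mersenne primes stands in
for real zone keys so that the block needs only the standard library."""
import hashlib
from dataclasses import dataclass, field

# Constructed key material: each key gets its own pair of Mersenne primes.
_PRIMES = [2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]
_PAIRS = [(_PRIMES[i], _PRIMES[j]) for i in range(5) for j in range(i + 1, 5)]
E = 65537
QNAME = "www.example.com."

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Key:
    owner: str
    n: int   # public modulus; verify() uses only this and E
    d: int   # private exponent; only sign() uses it

    @classmethod
    def generate(cls, owner: str, index: int) -> "Key":
        p, q = _PAIRS[index]
        return cls(owner, p * q, pow(E, -1, (p - 1) * (q - 1)))

    @property
    def tag(self) -> str:  # stands in for the DS digest that names a key
        return hashlib.sha256(f"{self.owner} {self.n}".encode()).hexdigest()[:16]

    def sign(self, data: bytes) -> int:
        return pow(_digest(data) % self.n, self.d, self.n)

    def verify(self, data: bytes, sig: int) -> bool:
        return pow(sig, E, self.n) == _digest(data) % self.n

@dataclass
class Zone:
    name: str
    keys: list                                   # published DNSKEY set
    ds: dict = field(default_factory=dict)       # child -> (child tag, {signer tag: sig})
    records: dict = field(default_factory=dict)  # name -> (value, {signer tag: sig})

    def publish_ds(self, child: Key, signers: list) -> None:
        payload = f"DS {child.owner} {child.tag}".encode()
        self.ds[child.owner] = (child.tag, {k.tag: k.sign(payload) for k in signers})

    def publish_record(self, name: str, value: str, signers: list) -> None:
        payload = f"A {name} {value}".encode()
        self.records[name] = (value, {k.tag: k.sign(payload) for k in signers})

def validate(chain: list, anchors: dict, qname: str, require_all_signers: bool = False):
    """Return (value, status). `anchors` maps a zone name to the key tags trusted for it.
    Validation starts at the deepest anchored zone, so an anchor for com. makes
    whatever the root key holder signs irrelevant to names under com."""
    anchored = [i for i, z in enumerate(chain) if z.name in anchors]
    if not anchored:
        return None, "no trust anchor covers this name"
    start = anchored[-1]
    trusted = [k for k in chain[start].keys if k.tag in anchors[chain[start].name]]
    if not trusted:
        return None, f"{chain[start].name} DNSKEY does not match the configured trust anchor"
    for i in range(start + 1, len(chain)):
        parent, zone = chain[i - 1], chain[i]
        if zone.name not in parent.ds:
            return None, f"no DS for {zone.name} in {parent.name}"
        child_tag, sigs = parent.ds[zone.name]
        payload = f"DS {zone.name} {child_tag}".encode()
        good = [k for k in trusted if k.tag in sigs and k.verify(payload, sigs[k.tag])]
        need = len(trusted) if require_all_signers else 1   # "both X and Y" policy
        if len(good) < need:
            return None, f"DS for {zone.name} has {len(good)} valid signature(s), {need} required"
        trusted = [k for k in zone.keys if k.tag == child_tag]
        if not trusted:
            return None, f"{zone.name} DNSKEY does not match its DS"
    value, sigs = chain[-1].records[qname]
    payload = f"A {qname} {value}".encode()
    if any(k.tag in sigs and k.verify(payload, sigs[k.tag]) for k in trusted):
        return value, "secure"
    return None, f"bogus signature on {qname}"

def build_scenarios() -> dict:
    """Constructed zones: honest hierarchy, a rogue holder of the real root key,
    a key-less neighbour on the LAN, and two mutually distrustful root keys X and Y."""
    root, com, ex = Key.generate(".", 0), Key.generate("com.", 1), Key.generate("example.com.", 2)
    z_root, z_com, z_ex = Zone(".", [root]), Zone("com.", [com]), Zone("example.com.", [ex])
    z_root.publish_ds(com, [root]); z_com.publish_ds(ex, [com])
    z_ex.publish_record(QNAME, "192.0.2.10", [ex])
    fake_com, fake_ex = Key.generate("com.", 3), Key.generate("example.com.", 4)
    r_rogue, f_com, f_ex = Zone(".", [root]), Zone("com.", [fake_com]), Zone("example.com.", [fake_ex])
    r_rogue.publish_ds(fake_com, [root]); f_com.publish_ds(fake_ex, [fake_com])
    f_ex.publish_record(QNAME, "198.51.100.66", [fake_ex])
    lan_ex = Zone("example.com.", [ex])   # real key published, answer swapped, old signature reused
    lan_ex.records[QNAME] = ("198.51.100.66", z_ex.records[QNAME][1])
    kx, ky = Key.generate(".", 5), Key.generate(".", 6)
    r_xy, r_x = Zone(".", [kx, ky]), Zone(".", [kx, ky])
    r_xy.publish_ds(com, [kx, ky]); r_x.publish_ds(fake_com, [kx])
    root_a, com_a, xy_a = {".": {root.tag}}, {"com.": {com.tag}}, {".": {kx.tag, ky.tag}}
    return {
        "honest, root anchor": ([z_root, z_com, z_ex], root_a, False),
        "honest, com anchor": ([z_root, z_com, z_ex], com_a, False),
        "rogue root holder, root anchor": ([r_rogue, f_com, f_ex], root_a, False),
        "rogue root holder, com anchor": ([r_rogue, f_com, f_ex], com_a, False),
        "LAN spoof, root anchor": ([z_root, z_com, lan_ex], root_a, False),
        "X and Y both sign, both required": ([r_xy, z_com, z_ex], xy_a, True),
        "X alone signs, both required": ([r_x, f_com, f_ex], xy_a, True),
        "X alone signs, one accepted": ([r_x, f_com, f_ex], xy_a, False),
    }

def run_all() -> dict:
    return {name: validate(chain, anchors, QNAME, strict)
            for name, (chain, anchors, strict) in build_scenarios().items()}

if __name__ == "__main__":
    for name, (value, status) in run_all().items():
        print(f"{name:36} -> {value or '-':14} {status}")
```

Running it shows the two points the commenters make: with only a root anchor, whoever holds the real root key can sign a parallel .com and the forged 198.51.100.66 answer validates as "secure", while a resolver anchored at .com rejects the same chain because the published .com DNSKEY does not match its anchor; the neighbour on the LAN, who holds no key, fails at the record signature either way. The last three scenarios are the X-and-Y construction: requiring a valid signature from every anchored root key turns a single compromised root key into a "DS has 1 valid signature(s), 2 required" failure, whereas accepting any one of them would let a lone X succeed. The model omits what a real validator also does (RRSIG validity windows, NSEC denial of existence, RFC 5011 anchor rollover), which is why the status strings are only a sketch of the real BOGUS/SECURE outcomes.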