Slashdot Mirror
DHS Wants Master Key for DNS
An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
This should ( rightly so ) piss off external entities ( ie: foriegn nations ) enough to have them setup alternative roots. And I, for one, will be using those as apposed to the "secure" ones.
Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependant on it.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"and be able to break into computers connected to the Internet without much effort"
Didnt know that spoofing an IP what all it took to break into a computer.....
http://www.intellipool.se/ - Intellipool Network Monitor
Does Secure DNS allow multiple keys to be required before a query is trusted? That is, would it be possible with the protocol as defined for a foreign root server (e.g. the servers authoritative for .nl) to sign its responses with its own self-signed or trusted-organization-signed key as well as with the IANA-signed key, and have savvy clients trust such servers only if both keys are present?
I'm surprised the US Government is doing this; I'd have expected them to obtain the key through back channels rather than out-and-out demanding it.
The truly powerful signing key is for Windows Update. If you have that key, you can take over every Microsoft computer in the world . Change the operating system. Install anything, including a new key. Reboot the machine.
Who has that key? Do we know?
Whoever has both the DNS root key and the Windows Update signing key rules the Internet. Or at least all the Microsoft client systems. They can redirect Windows Update requests to themselves, then download their own update and have it accepted.
Unfortunately, this isn't a joke.
I hope you can understand that no-one else in the world shares even your minimal believe in the US government?
I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.
I gather that information doesn't matter to the OP either. Personally, if some country were to control such information, I'd rather it were someone with a long history of strict neutrality like Switzerland.
However it shouldn't belong to anyone, but be free! Having the keys in the hands of any government is dangerous!
How feasible is it for we in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?
Quite feasible actually. China already runs it's own DNS root servers. The trick becomes to make this as seamless as possible to the end users. But there are ulterior motives for this, to control the people.
For example say China wanted ibm.com to resolve to their own servers, they could hijack the domain off their servers and send it to their own servers. This make DNS in the middle attacks -- even with SSL -- trivial. China for example with at some point ban using DNS servers out of China and block external DNS at the international border routers.
That being said though, the internet domain system would deteriorate if every country got into the business and decided to do their own thing to control their users. After all, this is what it is really about.
Will they have a choice? Would they do any better?
The problem with all this saber-rattling about "control of the Internet" is that there's just too much economic power involved to arbitrarily change anything. Yes, one can complain about U.S. management of DNS (although the system does work rather well), one can complain about what the U.S. might do with DNS (although we haven't done anything yet) but sometimes, change for the sake of change is dangerous. The impact on world economies if DNS were to suffer any significant or long-lasting disruption would be severe. If any major changes or transfer of control of the Domain Name System ever get made, they'd best be made in the light of technological reality and not the immediate political need to stand up to the U.S. Remember what happened with Verisign and SiteFinder? That was just a taste of what might happen to the network if people start squabbling over the roots and waving their dicks around.
Be careful what you wish for.
The higher the technology, the sharper that two-edged sword.
I hope you can understand that no-one else in the world shares even your minimal belief in the US government?
I fixed your spelling but that's minor. I'm a US citizen, but what in the world ever gave you the idea that we the US people actually believe those jerks inside the beltway? I don't trust any of them. I just hope we can survive as a country till Noon Jan 20, 2009. Regardless of who wins the not too well concealed game of musical chairs, we at least will be rid of one 'born again Christian' and can begin to try to heal the pain and suffering of the legacy he leaves behind. They all say 'Trust me' but they want the keys to the lockbox none-the-less. The modern day version of Jim & Tami Bakker, praise the lord, but send me the money.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: How do you keep a moron in suspense?
Control over the internet needs to be taken away from the Americans. We need to assure that nobody has "control" over the internet.
What?
What are you talking about? How can giving a secret key to a third-party 'secure DNS'. If I am the only one who has a key to my house and I make an additional copy and give it to a third-party, my house is now less secure. Why are you and the article spinning this as a some greater level of security. Your correction about IP vs DNS spoofing is correct.
Right now, Verisign (or any of the widely-trusted X.509/SSL certificate authorities) can generate fake certificates for arbitrary sites, and your ISP can poison the DNS (from your perspective).
Incompetent government employees (or corrupt or foreign governments) are not the only adversaries we need to deal with. DNSSEC, like the current HTTPS trust system, reduces the number of potential attackers, but it doesn't eliminate them all. We know this, and we deal with it by only vesting a limited amount of trust in these systems.
The discussion should not be about whether or not the US DHS specifically should be given access to the keys; The discussion should be about the importance of minimizing the number of points where the system can be attacked: Only those entities who strictly need the keys in order to administer the DNSSEC system should be given access. The DHS doesn't need DNSSEC keys in order to make DNSSEC work, so the DHS should not get the keys. It's as simple as that.
http://outcampaign.org/
The solution to trusting the root is for trusted institutions to maintain sets of alternate public keys that are used to sign the TLDs, and designing DNSSEC software so you can use your cached version of those keys if you don't trust the root.
There are two reasons for alternate roots, as opposed to alternate trust keys. A theoretical reason would be a political move by somebody, probably the CCTLD owners jointly with the ITU or maybe the UN, to take over the root so the US government would stop annoying them. That might be good. But the real reason was because people wanted to sell alternate TLDs, like .sex and .whateverIfeltlike, back when there were only the original TLDs and CCTLDs; I forget if the early ones dated back to Jon Postel's time or if they were mainly in the period of chaos after he died.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Anybody --- not just the DHS --- can spoof the DNS today. And yet, by all available evidence, DNS spoofing is vanishingly rare. Mutual authentication over the untrusted Internet is a solved problem: TLS provides an end-to-end guarantee that your connection to your banking web application terminates with someone who can vouch for your bank's crypto keys. And you don't simply trust SSL certificates to the government: you also trust a myriad of commercial entitities as well.
This is a red herring on multiple levels. There are lots of places that intelligence agencies can step in to violate your privacy on the Internet; you "trust" an access-layer providers, a number of backbone providers, the owners of the DNS roots, the certificate authorities, Google, and probably 10 more entities. But more importantly, DNSSEC is irrelevant. Nobody depends on it now (it doesn't "exist"now: tell me how my Mac does a secure lookup for Google.com on Speakeasy). It's likely that nobody ever will depend on it. And that's OK, because we have better mechanisms in place. We should spend more effort on adding negotiated opt-in SSL for things besides web and mail, and less on huge infrastructure projects to "secure" one tiny link in the connectivity chain.
Ok, so let's for a moment imagine that in 2009 you will finally make the right decision, elect a trusted man for the job, and that he replaces the circus people that are running your country. Lets assume they are so trustworthy that the international community allows the US to oversee the Internet. Also lets say that ICANN gives out the keys. 4,8,12, years after your country ones again elects a bozo of equal or more potential to desabilize the world. What then? We'll just hope that he won't do too much damage till we can kick him out?
If it happens to be that way i urge you to eat your words. The internet has many years ago stopped beeing a US military project and has turned around beeing a world-wide communication network, much like the telephone. How would you feel if a remote country could just plug you out?
> "you can MitM and actually send forged DNS entries back to the client"
Er, no, that's what DNSSec prevents. Just as SSL stops man in the middle attacks for normal TCP traffic, DNSSec makes sure the domain query responses are authentic. The man in the middle doesn't have the key and cannot sign his forged response; he can only forward legitimate responses.
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
If, as a foreign power, your security could be defeated by IP spoofing then, honestly, your security issues are not going to be solved by managing your own root. In fact, if your so inept, then you probably should leave DNS security in the hands of the Russian or Chinese governments because because, frankly, that DNS root of yours is going to be hacked by script kiddies and spammers in no time flat and trash your whole infrastructure impacting your economy. Honestly, having the Chinese or Russian governments spy on you is probably preferable, and their going to do it anyway, root or no root.
... is that better now? All the parent was saying is that any nation whose security is dependent upon a computing resource that is owned and operated by an inimical foreign power is asking for trouble. Whether you consider the United States to be such a foreign power is a separate topic for discussion, and one in which I'm not particularly interested in pursuing.
... we don't own or control the network hardware in your country ... you do.) There are plenty of other things about United States foreign (and domestic!) policies that you could legitimately bitch about (I do, all the time) but our handling of DNS just isn't one of them at this point.
... quite a stretch. Now, if Bush & Co. were to threaten to use our military against any country tried to set up its own Domain Name System or equivalent, you might have a point. You might. But you don't.
There
In any event, I didn't perceive his remarks as being particularly U.S.-centric, although it's popular hereabouts to redirect any commentary about Internet infrastructure into criticisms of U.S. policies. Odd that, of all the various services and protocols that traverse the Internet, we get heat for one that has always been run rather well. We are the ones that have, like it or not, run the roots with more even-handedness than most countries around the world would have. Hell, we even let a bunch of hardline Communist states on board, although none of them seem particularly grateful.
Maybe that bothers you, that you don't really have any valid criticisms of our policies towards "Internet governance". Maybe you'd like to invent some reason to "wrest control of the Internet away from the United States" (whatever that means
China's attitude towards the Internet is one that is, unfortunately, becoming more popular with governments of various stripes. They day will come the people of this planet will wish someone were still managing the global DNS infrastructure with something resembling the United States' largely hands-off approach. Don't count on that though.
God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.
I don't know what to do with this one. Comparing 13 or so server banks around the world with a nation that annexed multiple countries by main strength and created a true Empire
The higher the technology, the sharper that two-edged sword.
On yer bike.
No really, what more can we say? You've betrayed our trust. We were told you'd make us safer, you've just made us jumpy and soon, indifferent.
You were invented to solve a problem you can't accurately describe, and you've scotched much of what you passed off as a solution.
You have airports full of marginally-literate former supermarket clerks with badges, lax judgement, their own private X-Ray-Specs so they can see our privates, and nowhere near the training required.
Your partners FBI got their head handed to them this week on Capitol Hill, you've scared the bejeezus out of innocent people to no demonstrable benefit.
We can't wash up at the end of a trip without an extra trip to the store.
You've doubled (sometimes tripled) the time it takes to get from point A to point B in the US. I took me 2h + 2 hr to get to Florida last time. It takes 2hr + 1 hr to get to DC.
Find out what actually works, and do it. "24" is a fictional drama, not a training film.
If it happens to be that way i urge you to eat your words. The internet has many years ago stopped beeing a US military project and has turned around beeing a world-wide communication network, much like the telephone. How would you feel if a remote country could just plug you out?
The whole idea of ICANN as I see it, is to assure that the net works, FOR EVERYONE. And yes, IMO ICANN has made some mistakes, but they pale in comparison to the mistakes that would be made if our government had access to the master keys, and could use the internet as just another weapon, for whatever purpose they might have in mind this week/month/year. That scenario scares me shitless.
The internet has been IMO, the greatest tool ever in terms of understanding our fellow humans. The near instant communications, not between governments who may have an agenda, but between people (who may in fact also have an agenda) has allowed those of us who are willing to learn, to learn what makes the other guy tick. Sadly, we seem to be all too infested with those who not only have an agenda, but are only willing to learn how to use it to their advantage and to hell with everybody else. These are the same individuals/groups/governments that refuse to learn from history, and are therefore doomed to repeat every mistake made over written history, just to see if they can make it work this time around. This is the same bunch who, when it blows up in their faces, always has a ready scapegoat, usually called the other guy...
Besides, we already have the "plug you out" in the form of the RBL, which has been used to unplug an errant domain or country, several times. The point is that this has for the most part, been applied sparingly, and only after repeated warnings to the offending region or country.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The way of the world is to praise dead saints and prosecute live ones.
-- Nathaniel Howe
I don't think he implied that the US citizens have a lot of trust in their government. I didn't take it that way at least, he was just replying to one solitary, nutjob AC.
Of course they don't trust him. He's a fellow American, and they have no expectation of being able to trust each other.
However, he does represent them very well. As in accurately. Most Americans don't realize just how well, but that's because they live in a bubble, disconnected from reality.
-1 Uncomfortable Truth
Firefox has 44 groups of certification authorities!
Each group seems to be a company which holds (in the case of Verisign) 15 individual certificates.
Each of these certificates can be used to set up a 'trusted' HTTPS connection.
If you don't know what that means, google for "verisign microsoft fake certificate"
I'm as paranoid as the next guy, but I think that haing companies with stellar security track-records like verisign issuing browser certificates is much more of a problem that DHS messing with DNS.
If you're worried about DNS/CAs/??? don't use them. Set up an SSH tunnel or a VPN, exchange keys securely (i.e. off-line, in person, verifying signatures) and live happily ever after.
Honestly, given the general state of computer security this is like complaining that someone might mess with your street-directory while driving a Pinto with "USA forever" stickers through Baghdad in rush-hour.....
Funny you should say that, since one of the objectives of the US government when designing the Internet (ARPANET at the time) was to create a decentralized network that would remain in operation even in the event individual nodes were lost...
Unfortunately, the advent of the DNS system lowered the Internet's ability to do that. It didn't completely eliminate it of course, but back in the day each server on the internet had a hosts file which contained every known system on the network, so even if a few servers went down, all the other servers still had that entire list. With DNS each system on the internet depends on the thirteen [logical, maybe 100+ physical] root DNS servers being available at all times, as well as depending on them to give accurate information for each query.
Anyone with the ability to bring down a mere 100 physical servers, could completely bring the internet to a screeching halt.
Nothing to see here
You know what?
This is one of many cases that show that the US government is really messed up.
They want the keys to something the whole world depends on, and the ability to disrupt it, but deny that to anyone else.
The same goes for the militarization of space: they want to be able to do it, and deny anyone else from doing the same.
The same goes for weapons of mass destruction: they want to keep it, and allow current allies to keep it, yet selectively deny certain current enemies (real or perceived) from having the same.
This double standard, coupled with unilateral actions against the advice and objections of the most of the world, is what makes the current US government so scary.
Indeed this feels like the saying: Gods may do what cattle can't.
Americans can do better than that. You guys used to admired, and yes, envied, but in a good way. The rest of the world looked up to you.
Now this admiration has turned to resentment, and resignation. The rest of the world cannot vote in US presidential elections, yet we are affected by that decision without having a say at all. Sort of like when you rebelled against a king that taxed you without representation.
It is beyond most of the world why you reelected the same administration again, despite of all its short comings, and their continued heavy handed meddling.
The Democrat taking over congress is a good sign.
Please continue to fix this. You indeed can, and you deserve better. The rest of the world deserves better too.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
"Neutral" doesn't mean "treats everyone fairly"; it means "doesn't treat anyone *more* unfairly than everyone else".
In other words, it's perfectly possible to be neutral *and* an asshole. I'm not saying Switzerland is either (I haven't read up on this), but generally speaking, there is no contradiction between your claims and those of the GP.
butter the donkey