Slashdot Mirror
DHS Wants Master Key for DNS
An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
No. It secures DNS. So you cant spoof domain names. It secures that the DNS Server is authorative so the DNS query was answered right. If somebody spoofes an IP in your network, you won't be saved.
This should ( rightly so ) piss off external entities ( ie: foriegn nations ) enough to have them setup alternative roots. And I, for one, will be using those as apposed to the "secure" ones.
Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependant on it.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"and be able to break into computers connected to the Internet without much effort"
Didnt know that spoofing an IP what all it took to break into a computer.....
http://www.intellipool.se/ - Intellipool Network Monitor
All your IP are belong to us. You are on the way to being rooted. You have no chance to 200 make your time.
When you pry if from my cold dead hands!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
No where in that article did it say that DNSSEC would prevent spoofed IP Addresses. This is about DNS, not about IP addresses. Also, the fact that the DHS wants they master keys does not mean they'll be able to hack into your computer without any problem. It boggles my mind that this Summary was allowed to hit the main page. wow...just wow.
The truly powerful signing key is for Windows Update. If you have that key, you can take over every Microsoft computer in the world . Change the operating system. Install anything, including a new key. Reboot the machine.
Who has that key? Do we know?
Whoever has both the DNS root key and the Windows Update signing key rules the Internet. Or at least all the Microsoft client systems. They can redirect Windows Update requests to themselves, then download their own update and have it accepted.
Unfortunately, this isn't a joke.
We are denied the key.
We deny having the key.
The only thing new in this world is the history that you don't know.[Harry Truman]
I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.
I've always thought IP spoofing is a weak attack due to routing and ingress filters. Any network worth its salt will block its own addresses from coming in from the outside, but nevertheless routing has to return the TCP ack back to the proper AS#. How does DNSSec override these precautions?
In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?
If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)
If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.
So possession of both of those keys gives full control of all Windows Update enabled clients.
Imagine if there were 2 or more sets of "root" servers which were by and large identical. One under the thumb of the USA and one run by the international community, and maybe one set run by each repressive regime on the planet, e.g. China. All would get authoritative data from domain registrars just like the current root. All would be open to "controlled poisoning" by those who held the keys.
Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and governments in freer countries could allow their customers to choose their own root if they so desired.
Now imagine a world where ISPs and customers in totally free countries compare results from all available sets of root servers, look for inconsistencies, and if there is an inconsistency, check with the authoritative nameserver for the domain as reported by whois. If the DNS lookup for the whois server was not consistent then it will be handled as an exceptional case: The end-user will get a result that might or might not be correct and technicians will be alerted so they can figure out what the real IP addresses of the whois server are.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Will they have a choice? Would they do any better?
The problem with all this saber-rattling about "control of the Internet" is that there's just too much economic power involved to arbitrarily change anything. Yes, one can complain about U.S. management of DNS (although the system does work rather well), one can complain about what the U.S. might do with DNS (although we haven't done anything yet) but sometimes, change for the sake of change is dangerous. The impact on world economies if DNS were to suffer any significant or long-lasting disruption would be severe. If any major changes or transfer of control of the Domain Name System ever get made, they'd best be made in the light of technological reality and not the immediate political need to stand up to the U.S. Remember what happened with Verisign and SiteFinder? That was just a taste of what might happen to the network if people start squabbling over the roots and waving their dicks around.
Be careful what you wish for.
The higher the technology, the sharper that two-edged sword.
When the story first broke about other nations wanting an independent international body to oversee the root servers and such, I was completely against it. It sounded to me like another pointless stance by the U.N., compounded by the fact that the ARPANet was invented and fleshed out here in the U.S. Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.
Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.
So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.
"We may face a scorched and lifeless earth, but they're accountable to their shareholders first."
I'm glad the US government decided to answer themselves the very short-sighted people who are almost in the majority in every ICANN-shouldn't-be-controlled-by-the-US article who ask something like "Who would you trust more to control the Internet, the US government or a body where countries with poor human rights record have a say".
Right now, Verisign (or any of the widely-trusted X.509/SSL certificate authorities) can generate fake certificates for arbitrary sites, and your ISP can poison the DNS (from your perspective).
Incompetent government employees (or corrupt or foreign governments) are not the only adversaries we need to deal with. DNSSEC, like the current HTTPS trust system, reduces the number of potential attackers, but it doesn't eliminate them all. We know this, and we deal with it by only vesting a limited amount of trust in these systems.
The discussion should not be about whether or not the US DHS specifically should be given access to the keys; The discussion should be about the importance of minimizing the number of points where the system can be attacked: Only those entities who strictly need the keys in order to administer the DNSSEC system should be given access. The DHS doesn't need DNSSEC keys in order to make DNSSEC work, so the DHS should not get the keys. It's as simple as that.
http://outcampaign.org/
If, as a foreign power, your security could be defeated by IP spoofing then, honestly, your security issues are not going to be solved by managing your own root. In fact, if your so inept, then you probably should leave DNS security in the hands of the Russian or Chinese governments because because, frankly, that DNS root of yours is going to be hacked by script kiddies and spammers in no time flat and trash your whole infrastructure impacting your economy. Honestly, having the Chinese or Russian governments spy on you is probably preferable, and their going to do it anyway, root or no root.
... is that better now? All the parent was saying is that any nation whose security is dependent upon a computing resource that is owned and operated by an inimical foreign power is asking for trouble. Whether you consider the United States to be such a foreign power is a separate topic for discussion, and one in which I'm not particularly interested in pursuing.
... we don't own or control the network hardware in your country ... you do.) There are plenty of other things about United States foreign (and domestic!) policies that you could legitimately bitch about (I do, all the time) but our handling of DNS just isn't one of them at this point.
... quite a stretch. Now, if Bush & Co. were to threaten to use our military against any country tried to set up its own Domain Name System or equivalent, you might have a point. You might. But you don't.
There
In any event, I didn't perceive his remarks as being particularly U.S.-centric, although it's popular hereabouts to redirect any commentary about Internet infrastructure into criticisms of U.S. policies. Odd that, of all the various services and protocols that traverse the Internet, we get heat for one that has always been run rather well. We are the ones that have, like it or not, run the roots with more even-handedness than most countries around the world would have. Hell, we even let a bunch of hardline Communist states on board, although none of them seem particularly grateful.
Maybe that bothers you, that you don't really have any valid criticisms of our policies towards "Internet governance". Maybe you'd like to invent some reason to "wrest control of the Internet away from the United States" (whatever that means
China's attitude towards the Internet is one that is, unfortunately, becoming more popular with governments of various stripes. They day will come the people of this planet will wish someone were still managing the global DNS infrastructure with something resembling the United States' largely hands-off approach. Don't count on that though.
God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.
I don't know what to do with this one. Comparing 13 or so server banks around the world with a nation that annexed multiple countries by main strength and created a true Empire
The higher the technology, the sharper that two-edged sword.
You know what?
This is one of many cases that show that the US government is really messed up.
They want the keys to something the whole world depends on, and the ability to disrupt it, but deny that to anyone else.
The same goes for the militarization of space: they want to be able to do it, and deny anyone else from doing the same.
The same goes for weapons of mass destruction: they want to keep it, and allow current allies to keep it, yet selectively deny certain current enemies (real or perceived) from having the same.
This double standard, coupled with unilateral actions against the advice and objections of the most of the world, is what makes the current US government so scary.
Indeed this feels like the saying: Gods may do what cattle can't.
Americans can do better than that. You guys used to admired, and yes, envied, but in a good way. The rest of the world looked up to you.
Now this admiration has turned to resentment, and resignation. The rest of the world cannot vote in US presidential elections, yet we are affected by that decision without having a say at all. Sort of like when you rebelled against a king that taxed you without representation.
It is beyond most of the world why you reelected the same administration again, despite of all its short comings, and their continued heavy handed meddling.
The Democrat taking over congress is a good sign.
Please continue to fix this. You indeed can, and you deserve better. The rest of the world deserves better too.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.