Slashdot Mirror
Government Begins Securing Root Zone File
Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.
I have my popcorn ready for the show.
Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Verisign
Pros:
Cons:
US Government
Pros:
Cons:
ICANN
Pros:
Cons:
I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
I vote we just give it to Cowboyneal.
Slashdot Burying Stories About Slashdot Media Owned
I believe DNSSEC is unnecessary to counter the Kaminski attack.
See draft-weaver-dnsext-comprehensive-resolver-00 for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminski (race-until-win) attacks.
Test your net with Netalyzr
But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatories name. They will get comments then regardless of who they choose ;)
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
Or there could be the Apple version - "BrokebackDNS" :P
One swallow does not a fellatrix make
I know i know, lets give it to some wallstreet bankers!
NO SIG
"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something. "
Those who don't understand DNS would recommend giving it to IBM.
Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise icann which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies icann is a membership organization and 10 years later you still can join and have a vote. Ahem.
During this time and for 5 years before that I run the a root to one of the alternative root zones.
If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.
But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.
Need Mercedes parts ?
How about using a threshold signing scheme?
Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.
It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.
Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].
But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.
One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.
Genesis 1:32 And God typed
Can I be the president of your fan club?
NO SIG
I can't think of anyone more qualified.
Yes, I know he's dead, but I still can't think of anyone more qualified.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."
ICANN: Organisation situated in the US, can be heavily influenced and controlled the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US government
NTIA: US government
CHOOSE: US, US, or US
American election time!
Knowledge is power. Knowledge shared is power lost.
I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.
DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.
Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.
In the pre-RNC raid by the Ramsey County Sherriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did it keeping the carnage from getting worse.
So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Beware of bugs in the above code; I have only proved it correct, not tried it.
Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back to the root be intact and valid. So, if I have silverglass.org signed, the com and root domains also needs to use DNSSEC and sign their records before the DNSSEC records on silverglass.org can be verified.
Note that the signature chain's the critical part. The first question that needs answered, before you can validate any response, is "What's the correct, valid key I should verify this domain's records with?". Fail to solve the problem of answering that question securely, and the system's not secure regardless of anything else it may try to do.