DNSSEC and the Geopolitical Future of the Internet

synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."

Clarify something for me...

[AdmiralXyz]

From TFA:

Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

Isn't that a good thing?

Re:Clarify something for me...

[vlm]

If you're running a censored local or national Internet that depends on injecting falsified DNS responses, it's bad.

Fixed that typo for you. Note that it has little to no interaction with IP-level blocking or "semitransparent" web proxies, don't worry, China can still oppress their subjects.

distributed solutions please?

[alexandre]

Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones...
But no, centralized control is much more fun in the eyes of politician who care more about guaranteeing their retirement than freedom for everybody.

Re:distributed solutions please?

[vlm]

Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts

False dilemma. You can do both at the same time. BGP IP routing on the net overall is vaguely hierarchical in regards to whom pays for transit and whom peers for free, but is vaguely p2p web of trust in that the DFZ pretty much trust each other to share good routes, or at least folks trust each other at carrier hotels. Some carriers trust some of their customers so much they're practically peering, in that they don't filter their "customers" advertisements, some not so trusting. Whats more P2P than an IXP like MAE-EAST, MAE-WEST, etc, where you trust your BGP peers not to screw up (and they occasionally fail you, of course)

Re:DNSSEC is an arduous solution

[lukas84]

DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does bind.

PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.

No, in this case hierarchical is correct

[John.P.Jones]

DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.

Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.

Re:No, in this case hierarchical is correct

[alexandre]

The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.

And yes, p2p usually implies a less than 100% reliability and you might get conflict of namespace or some such problem, but it usually gives users a fairer share in the network and makes the user a citizen instead of a consumer.

Though, this might not be so much of a "p2p vs hierarchical" problem as one of who can trust IANA/ICANN to do the right job globally...

What I'm advocating is just that the more distributed (and not decentralized!) the structure of the network is, the better it'll survive longterm totalitarian control.

Re:Clearly what they need to do is just get ride T

[icebraining]

I disagree. Generic TLDs may be useless, but ccTLDs are useful for use in the rest of the world. I, for example, know when I'm buying something from a web shop with a .PT domain that the owner of that domain is a real company registered in Portugal, so it's easier to get my money back if something goes wrong.

And this is a problem ... why?

[geekgirlandrea]

I'm really not seeing much of a downside here. The greatest feature of public-key cryptography is its potential to undermine the state's ability to interfere with communications.

Re:DNSSEC is an arduous solution

[Kaboom13]

It's a sad state of affairs, but when you think about it, modern ISP's must be treated as a malicious and disruptive man in the middle attack when it comes to DNS. Not only do they constantly interfere in proper dns operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough, I just hope ISPs don't start rewriting destination addresses to continue their abuse.