DNSSEC and the Geopolitical Future of the Internet
synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."
It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.
Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.
Deploying DNSSEC in response to cache poisoning is a lot like deploying TSA to protect the airports. Taking your shoes off and putting toothpaste in a little plastic baggie are kludges.
There is no reason to have TLDs. They perform no useful purpose other than to line the pockets of shysters and satisfy the megalomaniacs at ICANN, who would otherwise have to bag groceries for a living.
I was actually testing a theory, that even if the first post is absolutely pointless, there are people that MUST post their replies to the first post. Most topics here have tons of replies to the first post, even if it's garbage.
This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.
I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.
Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.
In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.
I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.
Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....
Crumb's Corollary: Never bring a knife to a bun fight.
Every domain has its own key, and you find a trusted or semi-trusted way to get the keys you really care about.
If something is signed with a key you don't trust there is no need to trust that key.
Even simply doing what ssh does and caching the keys of places you have been should be enough to thwart attacks from all but the most industrious.
I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?
And you do realize that domains like .biz, .info, .jobs, and all those new weird domains were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...
And I'm paying already to get connected, everything should be "intelligence at the border", I'm paying by offering others to use my CPU/RAM/Storage.
Do we really need Facebook/Google to centralize the net when we could all do it?
There is such a waste of computer resources!
And while we're at it, I wish more publicly owned fiber were built as a fair tunnel for ISPs to compete.
It's sad that the biggest supercomputers on earth are botnets, I just wish it was actually a voluntary citizen network instead...
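
An added example, not part of the original thread: a sketch of the ssh-style key caching one comment above proposes, applied to DNSKEY records and including the recurring KSK rollover another comment mentions. `PinStore` and the function names are hypothetical, the keys are constructed dummy bytes, and the fingerprint reuses the SHA-256 DS digest construction (owner name followed by DNSKEY RDATA) as an assumption about what a resolver-side cache would store.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def ds_digest(owner, rdata):
    """Digest type 2 DS value: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

class PinStore:
    """Hypothetical trust-on-first-use cache, in the spirit of ssh's known_hosts."""
    def __init__(self):
        self.pins = {}  # wire-format zone name -> set of accepted digests

    def check(self, owner, rdata):
        zone, fp = name_to_wire(owner), ds_digest(owner, rdata)
        if zone not in self.pins:
            self.pins[zone] = {fp}  # first sighting: pin it, nothing to compare
            return "first-use"
        return "match" if fp in self.pins[zone] else "mismatch"

    def accept_rollover(self, owner, new_rdata, retire_rdata=None):
        """Pin a new key only after the operator verified it out of band."""
        pins = self.pins.setdefault(name_to_wire(owner), set())
        pins.add(ds_digest(owner, new_rdata))
        if retire_rdata is not None:
            pins.discard(ds_digest(owner, retire_rdata))

if __name__ == "__main__":
    # Constructed keys: flags 257 (KSK), protocol 3, algorithm 13, dummy bytes.
    old = dnskey_rdata(257, 3, 13, b"\x01" * 64)
    new = dnskey_rdata(257, 3, 13, b"\x02" * 64)
    store = PinStore()
    print(store.check("example.com", old))   # first sighting of the zone
    print(store.check("EXAMPLE.com.", old))  # same key, different spelling
    print(store.check("example.com", new))   # unknown key for a pinned zone
    store.accept_rollover("example.com", new, retire_rdata=old)
    print(store.check("example.com", new), store.check("example.com", old))
```

A "mismatch" is all the cache can report: a routine key rollover and a substituted key look identical to it, so the decision to call `accept_rollover` has to come from outside the cache.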