Slashdot Mirror


DNSSEC and the Geopolitical Future of the Internet

synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."


  1. Clarify something for me... by AdmiralXyz · · Score: 4, Insightful
    From TFA:

    Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet – and the DNSSEC protocol “do not match very well”.

    Isn't that a good thing?

    --
    Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
    1. Re:Clarify something for me... by vlm · · Score: 2, Insightful

      If you're running a censored local or national Internet that depends on injecting falsified DNS responses, it's bad.

      Fixed that typo for you. Note that it has little to no interaction with IP-level blocking or "semitransparent" web proxies, don't worry, China can still oppress their subjects.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. distributed solutions please? by alexandre · · Score: 4, Insightful

    Another attempt to solve things in a hierarchical way that should rather have been fixed with p2p webs of trust, so countries can trust their own servers to a greater degree than outside ones...
    But no, centralized control is much more fun in the eyes of politicians who care more about guaranteeing their retirement than freedom for everybody.

    1. Re:distributed solutions please? by Anonymous Coward · · Score: 5, Funny

      Your user ID (53) is not only very low, it is also the port number that dns queries are sent to.

    2. Re:distributed solutions please? by vlm · · Score: 2, Insightful

      Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts

      False dilemma. You can do both at the same time. BGP IP routing on the net overall is vaguely hierarchical in regards to who pays for transit and who peers for free, but is vaguely p2p web of trust in that the DFZ pretty much trusts each other to share good routes, or at least folks trust each other at carrier hotels. Some carriers trust some of their customers so much they're practically peering, in that they don't filter their "customers'" advertisements; some are not so trusting. What's more P2P than an IXP like MAE-EAST, MAE-WEST, etc., where you trust your BGP peers not to screw up (and they occasionally fail you, of course)?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:distributed solutions please? by grcumb · · Score: 3, Interesting

      This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

      I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.

      Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.

      In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.

      I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.

      Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    4. Re:distributed solutions please? by jamesh · · Score: 2, Funny

      I sold it to him. It was getting too many connection attempts.

  3. DNSSEC is an arduous solution by rtp · · Score: 2, Interesting

    It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.

    Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.

    Deploying DNSSEC in response to cache poisoning is a lot like deploying TSA to protect the airports. Taking your shoes off and putting toothpaste in a little plastic baggie are kludges.

    1. Re:DNSSEC is an arduous solution by lukas84 · · Score: 3, Insightful

      DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does BIND.

      PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.

    2. Re:DNSSEC is an arduous solution by Burdell · · Score: 5, Interesting

      Put down the djb Kool-Aid. DNSCurve and DNSSEC do not address the same thing. DNSCurve is essentially SSL for DNS, which requires some way to establish trust with each server you talk to. Since end-users typically only talk to their ISP's recursive servers, that's not too much work, but it only protects the path from the ISP's servers to the end-users (which ISPs can typically protect themselves). DNSCurve does nothing to authenticate the DNS data itself. DNSSEC, on the other hand, authenticates the data at the source. If you look up foo.bar.com, that record can be signed in the bar.com zone, which has trust anchors in .com, which has trust anchors in the root. It doesn't matter who serves the record to you; you can be sure that the data is valid.

      Some ISPs would prefer people to use DNSCurve and think DNS is secure, because it does nothing to protect the data. Those ISPs would still be able to change the results (e.g. all the NXDOMAIN web pages, URL redirects, etc. are still possible). That can't happen with DNSSEC and an authenticating resolver.

      DNSSEC is not set-it-and-forget-it because true security requires maintenance. It isn't just a response to cache poisoning attacks, it addresses the security of the whole system.
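      The chain of trust Burdell describes (foo.bar.com signed in bar.com, a DS for bar.com in .com, a DS for .com in the root) as an added Go simulation that is not part of this thread or of any DNSSEC implementation: it stands in Ed25519 keys and SHA-256 digests for the real DNSKEY/DS/RRSIG wire formats, and shows why a validating resolver rejects an answer whose signatures were stripped and re-signed by an intermediary, unless the resolver's trust anchor is that intermediary's own root key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a constructed model of a DNSSEC-signed zone (not a real DNS library): a
// KSK the parent commits to via a DS digest, a ZSK signed by the KSK, signed records.
type Zone struct {
	Name          string
	KSK, ZSK      ed25519.PublicKey
	zskPriv       ed25519.PrivateKey
	ZSKSig        []byte              // signature over the ZSK by the KSK
	Records, Sigs map[string][]byte   // name -> rdata, name -> RRSIG by the ZSK
	DS            map[string][32]byte // child zone name -> sha256(child KSK)
}

func NewZone(name string) *Zone {
	kpub, kpriv, _ := ed25519.GenerateKey(rand.Reader) // KSK; private half used once
	zpub, zpriv, _ := ed25519.GenerateKey(rand.Reader) // ZSK
	return &Zone{Name: name, KSK: kpub, ZSK: zpub, zskPriv: zpriv,
		ZSKSig: ed25519.Sign(kpriv, zpub), Records: map[string][]byte{},
		Sigs: map[string][]byte{}, DS: map[string][32]byte{}}
}

// Sign publishes a record in the zone together with its ZSK signature.
func (z *Zone) Sign(name string, rdata []byte) {
	z.Records[name] = rdata
	z.Sigs[name] = ed25519.Sign(z.zskPriv, append([]byte(name+"|"), rdata...))
}

// Delegate stores the child's KSK digest as a DS record in this parent zone.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = sha256.Sum256(child.KSK) }

// Anchor is the root KSK digest a validating resolver is configured with.
func Anchor(root *Zone) [32]byte { return sha256.Sum256(root.KSK) }

// Validate walks root -> ... -> leaf: each KSK must match the trust anchor or the
// parent's DS, each ZSK must be signed by its own KSK, and the answer must carry a
// valid leaf-ZSK signature. Which server handed over the answer never matters.
func Validate(anchor [32]byte, chain []*Zone, name string, rdata, sig []byte) bool {
	expect := anchor
	for i, z := range chain {
		if sha256.Sum256(z.KSK) != expect || !ed25519.Verify(z.KSK, z.ZSK, z.ZSKSig) {
			return false
		}
		if i+1 < len(chain) { // a missing DS yields the zero digest, so the next hop fails
			expect = z.DS[chain[i+1].Name]
		}
	}
	return ed25519.Verify(chain[len(chain)-1].ZSK, append([]byte(name+"|"), rdata...), sig)
}
```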

    3. Re:DNSSEC is an arduous solution by Kaboom13 · · Score: 5, Insightful

      It's a sad state of affairs, but when you think about it, modern ISPs must be treated as a malicious and disruptive man-in-the-middle attack when it comes to DNS. Not only do they constantly interfere in proper DNS operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough; I just hope ISPs don't start rewriting destination addresses to continue their abuse.

  4. No, in this case hierarchical is correct by John.P.Jones · · Score: 5, Insightful

    DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.

    Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.

    1. Re:No, in this case hierarchical is correct by alexandre · · Score: 2, Insightful

      The fact that you can't get a domain for $0 implies that this is hierarchical and not free in any sense of the word, which worries me and implies struggle about who controls the distribution... I'm no expert on BGP / DNS though.

      And yes, p2p usually implies a less than 100% reliability and you might get conflict of namespace or some such problem, but it usually gives users a fairer share in the network and makes the user a citizen instead of a consumer.

      Though, this might not be so much of a "p2p vs hierarchical" problem as one of who can trust IANA/ICANN to do the right job globally...

      What I'm advocating is just that the more distributed (and not decentralized!) the structure of the network is, the better it'll survive long-term totalitarian control.

    2. Re:No, in this case hierarchical is correct by alexandre · · Score: 2, Interesting

      I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

      And you do realize that domains like .biz, .info, .jobs, and all those new weird domains were only created because they knew every company wouldn't risk not registering their name everywhere they could, and that would give them a huge revenue source? Centralized political corruption indeed...

      And I'm paying already to get connected, everything should be "intelligence at the border", I'm paying by offering others to use my CPU/RAM/Storage.
      Do we really need Facebook/Google to centralize the net when we could all do it?

      There is such a waste of computer resources!
      And while we're at it, I wish more publicly owned fiber were built as a fair tunnel for ISPs to compete.

      It's sad that the biggest supercomputers on earth are botnets; I just wish it was actually a voluntary citizen network instead...

  5. Re:Clearly what they need to do is just get ride T by icebraining · · Score: 2, Insightful

    I disagree. Generic TLDs may be useless, but ccTLDs are useful for use in the rest of the world. I, for example, know when I'm buying something from a web shop with a .PT domain that the owner of that domain is a real company registered in Portugal, so it's easier to get my money back if something goes wrong.

  6. Re:my first first post by bruno.fatia · · Score: 2, Interesting

    I was actually testing a theory, that even if the first post is absolutely pointless, there are people that MUST post their replies to the first post. Most topics here have tons of replies to the first post, even if it's garbage.

  7. And this is a problem ... why? by geekgirlandrea · · Score: 2, Insightful

    I'm really not seeing much of a downside here. The greatest feature of public-key cryptography is its potential to undermine the state's ability to interfere with communications.