Slashdot Mirror


ICANN Sets Plan To Reinforce Internet DNS Security (networkworld.com)

coondoggie shares a report: In a few months, the internet will be a more secure place. That's because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the internet's address book -- the Domain Name System (DNS). The ICANN Board at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010. During its meeting ICANN spelled out the driving forces behind the need for improved DNS security that the rollover will bring. For example, the continued evolution of Internet technologies and facilities, and deployment of IoT devices and increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated.

"Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak," ICANN stated. The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses. Resolvers include: internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers; system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.

26 of 106 comments

  1. As a side effect, centralizing a decentralized net by Anonymous Coward · · Score: 1

    And CAs are going to run this madhouse. Brilliant!

  2. Roll over by shayd2 · · Score: 1

    Play dead

    Good dog

  3. Re:"rotate" the key by Anonymous Coward · · Score: 1
  4. ICANN can go to hell by damn_registrars · · Score: 1

    They continue to do what is best for profit, not what is best for users. Sure, this is important but don't think it isn't being driven by profit. At least there is some user benefit to this though, as opposed to their catastrophically awful decision years back to start selling gTLDs.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:ICANN can go to hell by Pascoea · · Score: 1

      I'm curious what your opposition to gTLDs is? Genuinely asking, not trying to be a smart-ass.

    2. Re:ICANN can go to hell by damn_registrars · · Score: 2

      My opposition to it is that when someone buys a gTLD they become their own registration authority for all domains in that domain and they set what kind of contact information is required for registrants in that range. This makes it the ultimate spammer's (or spamvertised domain owner's) harbor as it can completely remove liability and responsibility. The owner of the gTLD also has authority to hand out arbitrary numbers of domains at their own whim, again making it trivially easy for spammers to bounce around and avoid detection.

      And we cannot filter our way out of this, either. We've seen filters get demonstrably worse in recent years as the spammers get better and better at breaking them.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    3. Re:ICANN can go to hell by damn_registrars · · Score: 1

      I also wrote about this in a journal entry back in 2015 when they made the terrible decision to start selling gTLDs, though of course nobody cared then either. I'm pretty sure folks here on drugedot just called me a damned communist at the time, for getting in the way of profit or something. Now they just call me a damned communist anytime I say anything at all.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    4. Re:ICANN can go to hell by thegarbz · · Score: 1

      And we cannot filter our way out of this, either.

      Block the gTLD. Seriously, how often have you legitimately needed access to a TLD? Nike owns .nike, but frankly I don't even know how to access the damn thing.

    5. Re:ICANN can go to hell by AmiMoJo · · Score: 1

      GDPR limits what information a whois database can record about domain owners anyway. DNS records are not the right tool for this.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:ICANN can go to hell by damn_registrars · · Score: 1

      And we cannot filter our way out of this, either.

      Block the gTLD.

      You're just playing whac-a-mole then. The spammers can buy as many gTLDs as they want and essentially there are no restrictions on what they can be. Block one and another will come up. And how do you propose blocking it anyways? The emails will come from regular domains but they are spamming for domains in new gTLDs, using obfuscated domain names so you can't pick up on it easily. You can't detect a new gTLD in an email if it isn't in there and you probably don't want to block every email with a bit.ly (or similar) link.

      ICANN let the fucking foxes into the hen house and told us this is nature's way.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    7. Re:ICANN can go to hell by damn_registrars · · Score: 1

      The WHOIS database is supposed to have valid contact information (even if obfuscated) for a domain so that it can be contacted in cases of abuse. With the sale of gTLDs that all goes out the window, gTLD owners can put - or omit - whatever they want in that record. Now there is no way to contact a domain owner, and no way to start a paper trail showing that you attempted to contact them. It was hard enough to do anything against prolific spammers (and owners of prolifically spamvertised domains) but now it will get nearly impossible. Couple that to my other comment about the fact that owners no longer have any responsibility if they are under a new gTLD and we have the perfect storm for spammers. And don't pretend that your email can somehow be filtered for these new domains, there is no good way to do that when they can make them at will.

      In fact their ability to make new domains - and gTLDs - at will also pushes down the S:N ratio and essentially devalues spam filters that much more.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    8. Re:ICANN can go to hell by thegarbz · · Score: 1

      No, I didn't mean block a specific one. I meant block the gTLDs that are being generated, or rather the reverse: whitelist the country TLDs. I legitimately believe if you do that nothing will break anywhere.

      At least not yet. No doubt Google will screw this idea up so we need to get in before they start making things dependent on their TLD.

    9. Re:ICANN can go to hell by damn_registrars · · Score: 1

      No, I didn't mean block a specific one. I meant block the gTLDs that are being generated, or rather the reverse: whitelist the country TLDs. I legitimately believe if you do that nothing will break anywhere.

      It won't break anything but I doubt it will accomplish what you're after. They will send the spam from a domain that isn't in the spamvertised gTLD (to reduce the chance of detection). Inside the spam will be a link that is obfuscated to look like a traditional .com link. Filtering by new gTLDs - or whitelisting to ignore all of them so you don't need to build a blacklist - won't get rid of those.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    10. Re:ICANN can go to hell by thegarbz · · Score: 1

      But if you can't eliminate them by whitelisting country TLDs then surely the resulting problem wasn't caused by TLDs in the first place ... Or am I not understanding your example?

    11. Re:ICANN can go to hell by damn_registrars · · Score: 1

      My complaint here - and I may have wandered a bit away from it - is that there is no avenue to follow to take action against spamming and spamvertised domains if they are registered under new gTLDs. The reason for this is that the owners of the top of the new gTLDs don't have any obligation to follow any kind of registration rules for domains in their gTLDs, they can freely take invalid or even empty registration information.

      Now, of course we know that many times if you contact a registrar (or registrant) with an abuse complaint, nothing happens. Spam keeps going, the domain stays up, etc. However it is a key starting point if you want to try to take legal action against the spammer, the spamvertised domain owner, or the registrar of either. But when there is no valid contact info, you can't show that you ever attempted to do that. And when the registrar themselves has no valid info, you can't reach out to them either. ICANN has already committed to not being involved, which leaves you with nothing. You just have to accept the spam and deal with it, you can't stop it from coming.

      I will add at this point something that I say often but haven't said in this discussion.

      Spam is an economic problem

      All the filtering in the world won't stop it, spammers will keep finding ways to get around filters. The only way it can be stopped is by stopping the money; spammers will only stop if money isn't coming in. However if you don't have any valid information you can't do anything to interfere with the money flow. This is the road that ICANN is leading us down.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    12. Re:ICANN can go to hell by damn_registrars · · Score: 1

      Looking at my reply again, I apologize if it looks like I was trying to come down hard on you, that was not my intention. The emphasis was largely due to the fact that slashdot discussions get closed after a certain amount of time - and total reader attention (in terms of people reading the discussion) declines quickly as articles fall off the front page as well. I just wanted to make my point more clear since it seemed I had neglected to emphasize it earlier.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    13. Re:ICANN can go to hell by thegarbz · · Score: 1

      No probs. I didn't reply in general because I didn't have anything more to say on the topic.

      You're absolutely right, this closes off a lot of legal avenues to get at spammers and whitelisting domains only solves the problems directly for the receiver of said spam.

  5. Re:As a side effect, centralizing a decentralized by Bengie · · Score: 2

    You can choose to not validate. It's a fundamental issue that there has to be an authority of some sort if you want to validate against an authority.

  6. Re:"rotate" the key by Anonymous Coward · · Score: 1

    ICANN used "roll" in their press release. https://www.icann.org/resources/press-material/release-2018-09-18-en

    Feel free to check the source material before you try and correct the author.

  7. How to check you're ready for the KSK rollover: by Anonymous Coward · · Score: 3, Informative
  8. Read the RFC (was Re:"rotate" the key) by Anonymous Coward · · Score: 1

    The professional response is: Right or wrong, RFC 5011, section 6.3 uses the term 'roll'

    Stooping to your level, the response is: read the RFCs before you write your next comment.
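
The summary above describes the rollover as distributing a new public key to everyone running a validating resolver, and this comment points at RFC 5011, the mechanism such resolvers use to pick up a new root trust anchor automatically. As an added example, not code from the article, ICANN or any commenter, here is a small model of the RFC 5011 add-and-revoke state machine; the key tags (1001, 2002), flags and timestamps are constructed, and the caller is assumed to have already verified the RRSIGs over each DNSKEY RRset.

```python
# Added example (not ICANN's or the article's code): a minimal model of the
# RFC 5011 trust-anchor update a validating resolver runs during a root KSK
# rollover. Key tags, flags and timestamps below are constructed.
DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY   # RFC 5011 section 2.4.1: add hold-down time
REVOKE_FLAG = 0x0080       # RFC 5011 section 2.1: REVOKE bit of DNSKEY flags
SEP_FLAG = 0x0001          # RFC 4034: Secure Entry Point bit

class TrustAnchorStore:
    """anchors maps key tag -> [state, pending_since]; state is "AddPend",
    "Valid" or "Revoked". Tags are opaque ids here; a real resolver recomputes
    the RFC 4034 key tag, which changes once the REVOKE bit is set."""

    def __init__(self, initial_tags):
        self.anchors = {t: ["Valid", 0] for t in initial_tags}

    def observe(self, rrset, signers, now):
        """rrset: (key_tag, flags) pairs of one root DNSKEY RRset; signers: tags
        whose RRSIGs over it verified (the caller checks the signatures)."""
        trusted_signed = any(
            s in self.anchors and self.anchors[s][0] == "Valid" for s in signers)
        seen = {tag for tag, _ in rrset}
        for tag, flags in rrset:
            if flags & REVOKE_FLAG:
                # Revocation counts only when the revoked key itself signed the RRset.
                if tag in self.anchors and tag in signers:
                    self.anchors[tag][0] = "Revoked"
            elif flags & SEP_FLAG and trusted_signed:
                a = self.anchors.get(tag)
                if a is None:
                    self.anchors[tag] = ["AddPend", now]   # hold-down starts
                elif a[0] == "AddPend" and now - a[1] >= ADD_HOLD_DOWN:
                    a[0] = "Valid"                         # promoted to anchor
        # A pending key absent from a validly signed RRset restarts from scratch.
        for tag in [t for t, a in self.anchors.items()
                    if a[0] == "AddPend" and t not in seen]:
            del self.anchors[tag]
        return self.trusted()

    def trusted(self):
        return sorted(t for t, a in self.anchors.items() if a[0] == "Valid")

def rollover_demo(old=1001, new=2002):
    """Constructed rollover: returns the trusted tags after each observation."""
    store, both = TrustAnchorStore([old]), [(old, SEP_FLAG), (new, SEP_FLAG)]
    return [store.observe(both, {old}, 0),                       # new key pending
            store.observe(both, {old}, 31 * DAY),                # hold-down over
            store.observe([(old, SEP_FLAG | REVOKE_FLAG), (new, SEP_FLAG)],
                          {old, new}, 60 * DAY)]                 # old revoked
```

A resolver that was switched off for the whole hold-down window, or that never saw the new key in a validly signed RRset, ends the walk still trusting only the old tag, which is the failure mode the readiness checks discussed here are meant to catch.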

  9. The whole idea of the Certificate Authority sucks by Seven+Spirals · · Score: 1

    One big lying corporate wingtip asshole company says that this other big lying corporate group of sons-of-bitches (and regular bitches) is to be trusted! Oh? Really? Guys, I gotta say, the whole premise of crypto-CAs is kinda stupid as long as the asshat corporations are all policing each other. Maybe *they* have some faith in that shit, but as an individual technologist (that hates corporations and corporate personhood) I have to say that the flaws in x509 crypto aren't crypto - it's the source of trust. Don't ask me to trust *ANY* corporation. If you start with that, you start with a flawed design. Fuck those people. We need a better system.

  10. Re:The whole idea of the Certificate Authority suc by Seven+Spirals · · Score: 1

    How about a system that's based on individual trust of people? I.e., if I trust two friends and both of them say that this non-profit 501c is at least trustworthy enough to believe their website, they crypto-sign something to that effect publicly? This is similar to PGP/GPG's web-of-trust. Sure, there are still some logistics problems with that, but at least it puts the trust in people not companies.

  11. Re:The whole idea of the Certificate Authority suc by WindBourne · · Score: 1

    Actually, I am pushing my CONgress critter to understand that we need VETTED Certificates/PPK. The only way to do that is to have brick/mortars that will vet an ID, and then either issue a certificate/private key, while serving up the public key, OR even take the public key/certificate from the vetted person. When you think about it, this does not belong in gov purview, NOR in individuals' control (that is, you vet a friend and your friend falsely vetted somebody else because they were not paying attention).

    There is really only one choice on this, and it would be the postal mails from each nation.

    With this approach, then gov, businesses, social media sites, etc can KNOW that if you are claiming to be someone, then you are them. For example, on /., it should be possible for me to say no more ACs that are below a certain level (say 4). Now if I register a login, I should start at say 1, and increase if I am being modded up. Then if I am a login that also gave in my cert, I could then start at say 3 or even 4. Why start somebody that much higher? Because if they screw it up, then it is their only vetted login. They do not get to have multiple vetted logins. As such, they have a lot riding on their postings to make sure they are polite, etc.

    Same way with ads. If I was Facebook/Google and I get a political ad, I want to know that it is an American company, with a vetted American backing it (i.e. somebody has to be responsible). If they cannot produce both, then no posting the ad.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  12. Re:The whole idea of the Certificate Authority suc by Seven+Spirals · · Score: 1

    That rocks. Good idea, brother.

  13. Domain Squatters by muphin · · Score: 1

    How about they focus on Domain Squatters? Most of the domains aren't usable because they are held for advertising or overpriced to make money off them.

    --
    It's not a typo if you understood the meaning!