Re: America takes over DNS
On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
> Hi,
>
> > Wouldn't the holder of these keys be the only ones able to spoof
> > DNSSEC?
>
> Yes. This is an assumption of DNSSEC, regardless of who signs the
> root. The implication of this (and the fact that emergency key
> rollover requires everyone on the planet with a validating resolver
> to update the root trust key manually) is that protecting the root
> key signing key is a bit important.
>
> Rgds,
> -drc

one important attribute of key roll would seem to be the lack of a "flag-day". ... there are at least a couple of proposals that mitigate that particular risk.

--bill
Re: America takes over DNS
David Conrad wrote:
> the fact that emergency key rollover requires everyone on the planet
> with a validating resolver to update the root trust key manually

this, in itself, is infeasible and a showstopper.

randy
Re: America takes over DNS
Hi,

> Wouldn't the holder of these keys be the only ones able to spoof DNSSEC?

Yes. This is an assumption of DNSSEC, regardless of who signs the root. The implication of this (and the fact that emergency key rollover requires everyone on the planet with a validating resolver to update the root trust key manually) is that protecting the root key signing key is a bit important.

Rgds,
-drc
Re: America takes over DNS
All, this was inaccurate reporting and no organizational entity has been specified to be the "master key" signer. There has been much discussion about moving DNSsec forward by our S&T folks to increase the level of security provided but we've been very much a facilitating role through S&T's work in this space. If Doug is lurking out there he can provide much more info or insight into this.

Jerry

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Monday, April 02, 2007 4:23 AM
Subject: RE: America takes over DNS

The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign.

Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result.

I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall.

It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh.

Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?

Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested.

To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system.

--Michael Dillon
RE: America takes over DNS
> > [unicity of names] does not exist in DNS unless you take an
> > extremely narrow technical view.
>
> I thought that NANOG was for extremely narrow technical
> discussions. For bold "We will replace the DNS and IP while we're at
> it" discussions, there are other forums :-)

Yes, I was surprised when you replied to that message. In any case, NANOG definitely *IS* the right place to discuss replacing IP, although I don't expect much discussion until there is more IPv6 implementation in the USA. And I never proposed replacing DNS and IP at the same time. One transition at a time is enough to deal with.

As for "other forums", your claim would be more credible if you would identify these other forums. As far as I know there is not currently any forum that is seriously studying a replacement for the current DNS architecture. If I'm wrong, please provide details.

-- Michael Dillon
RE: America takes over DNS
> Problems I can see with this would be when someone on the P2P begins
> injecting false data into a stream. How would the mesh be
> structured so as to avoid this.

There is a lot of literature about P2P networking in its many variations. The nice thing is that it is mostly freely available on the net, unlike in some other scientific disciplines where more and more research is locked away behind electronic journal providers which charge atrociously high rates for a single article.

Some Google searches to get started:

p2p small-world pdf
p2p chord pdf
p2p kademlia pdf
p2p dht pdf
p2psim

Chances are, that one of the more mathematically oriented researchers looking at graph theory and distributed hash tables, has already solved the problem. All you have to do is find it and apply it to a root replacement for a naming service hierarchy.

--Michael Dillon
Re: America takes over DNS
On Mon, Apr 02, 2007 at 01:09:48PM +0200, Peter Dambier <[EMAIL PROTECTED]> wrote a message of 85 lines which said:

> The Racines Libres have failed?
>
> There are so many out there that we cannot count them any longer.

That's true. Dozens of first-year CS students have set up one and then tried to impress a girlfriend by claiming "I am now independent from the Evil ICANN".

> I have never seen a personal root-server attacked.

I can attack yours, if you want more credibility.
Re: America takes over DNS
On Mon, Apr 02, 2007 at 12:23:43PM +0100, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote a message of 58 lines which said:

> [unicity of names] does not exist in DNS unless you take an
> extremely narrow technical view.

I thought that NANOG was for extremely narrow technical discussions. For bold "We will replace the DNS and IP while we're at it" discussions, there are other forums :-)
Re: America takes over DNS
[EMAIL PROTECTED] wrote:

> Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result.

A single bodied government which holds the keys to this is quite possibly a bigger problem than what we currently have. Way too much censorship if you ask me. Not to get super political here, but there is far too much going as it is concerning what can be said, shown, viewed by too many organizations in power as is.

> Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?

Problems I can see with this would be when someone on the P2P begins injecting false data into a stream. How would the mesh be structured so as to avoid this. Perhaps using the same methods as ICANN, or NANOG, a group of say 50 companies can be designated the task of maintaining root servers on a revolving basis. The server could be configured in secure fashion (whatever this means nowadays) with maybe checksums and pass off the information to one another.

E.g.:

Verified Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 11.11.11.11 --> nameserver1
nameserver1 --> something.com is at 11.11.11.11 --> User

Problematic Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 22.11.11.11 --> nameserver1
nameserver2 --> where DO YOU SEE something.com --> nameserver3
nameserver3 --> something.com is at 11.11.11.11 --> nameserver1
nameserver1 --> After double checking go to 11.11.11.11 --> user

Creating entries:

nameserver1: something.com is at 11.11.11.11 let's create a hash

# sample hashing using md5 and sha
$ echo "something.com 11.11.11.11"|shasum
8cb7294f15be3f5b95d24f0e9bf77a57d95345fb
$ echo "something.com 11.11.11.11"|md5
c48af0b24a9014ccdce8b1233ffbb052

Both combined:
8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052

Enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver1 --> After checking go to 11.11.11.11 --> user

Re-enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a90
nameserver1 --> Not what I have. What do you see --> nameserver2
nameserver2 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver2 --> Something fishy there --> nameserver1
nameserver1 --> Unresolved domain --> User

Any nameserver can now compare that kind of hash before it sends out replies. If the hash matches, it's legit, if not, obviously there's a problem.

What I can see happening with something like this would be DNS administrators having to recalculate hashes whenever they renumber one of their machines. Something like this would also deter "criminal gangs" from fiddling with DNS since it would likely be too difficult to counter. Hijackings could possibly cease, as well as the possibility of reducing malware if done correctly. My guess is load balancing, round robin DNS, etc., could affect this, but I'm sure other engineers here can figure out something better than allowing any government from intervening and trying to maintain what's perhaps one of the most fragile functions on the Internet. Maybe even multiple checksums for sites doing above-mentioned (load balancing, etc.)

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government. John Adams
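A simulation of the cross-checking scheme sketched in the post above, written here as an added example (it is not code from the post or from any real nameserver): each server stores a SHA-1+MD5 fingerprint next to its record, verifies its own entry before answering, and the queried server answers only when a strict majority of the responding servers agree on the same fingerprint. The server tables, the altered peer and the truncated local entry are constructed to reproduce the post's four lookup cases; the digests include the trailing newline that `echo` adds, matching the `shasum`/`md5` pipeline shown.

```python
import hashlib
from collections import Counter


def record_fingerprint(name: str, ip: str) -> str:
    """SHA-1 hex digest followed by the MD5 hex digest of "name ip".

    A trailing newline is hashed as well, because the post produced the
    digests with `echo "..." | shasum` and `echo "..." | md5`, and echo
    appends a newline to what it pipes.
    """
    data = f"{name} {ip}\n".encode()
    return hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()


def make_table(entries):
    """A nameserver's table: name -> (ip, fingerprint computed when the entry was created)."""
    return {name: (ip, record_fingerprint(name, ip)) for name, ip in entries}


def self_check(table, name):
    """The post's 'enforced lookup': recompute the fingerprint from the stored
    (name, ip) pair and hand back the ip only if it matches the stored one."""
    ip, stored = table[name]
    return ip if record_fingerprint(name, ip) == stored else None


def resolve(name, local, peers):
    """Cross-check a lookup the way the post sketches it.

    1. The local entry must pass its own fingerprint check; if it does not,
       the answer is 'Unresolved domain' (the re-enforced lookup).
    2. Each peer reports its entry only if its own copy verifies.
    3. Answer with the ip whose fingerprint a strict majority of the
       responding servers (local one included) share; otherwise None.
    """
    if self_check(local, name) is None:
        return None
    votes, ip_for, responders = Counter(), {}, 0
    for server in [local, *peers]:
        if name not in server:
            continue
        ip = self_check(server, name)
        if ip is None:
            continue  # a server whose own copy fails its check is not counted
        fp = record_fingerprint(name, ip)
        votes[fp] += 1
        ip_for[fp] = ip
        responders += 1
    fp, count = votes.most_common(1)[0]
    return ip_for[fp] if count * 2 > responders else None


# Constructed sample tables using the post's example name and addresses.
NS1 = make_table([("something.com", "11.11.11.11")])
NS2 = make_table([("something.com", "11.11.11.11")])
NS3 = make_table([("something.com", "11.11.11.11")])
# A peer whose entry points elsewhere, with a fingerprint recomputed to match.
NS_ALTERED = make_table([("something.com", "22.11.11.11")])
# A local copy whose stored fingerprint has been truncated, as in the re-enforced lookup.
NS_TRUNCATED = {"something.com": ("11.11.11.11", NS1["something.com"][1][:52])}


def scenarios():
    """Outcome of each lookup case described in the post."""
    return {
        "verified": resolve("something.com", NS1, [NS2]),
        "problematic": resolve("something.com", NS1, [NS_ALTERED, NS3]),
        "split": resolve("something.com", NS1, [NS_ALTERED]),
        "re_enforced": resolve("something.com", NS_TRUNCATED, [NS2]),
    }


if __name__ == "__main__":
    for case, answer in scenarios().items():
        print(f"{case:>12}: {answer or 'Unresolved domain'}")
```

The fingerprint is only a consistency check, not proof of authority: whoever can rewrite a server's entry can recompute it, which is why the "split" case (one server against one) returns no answer rather than trusting either side.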
RE: America takes over DNS
> > It is probably time to start looking at alternative naming
> > systems. For instance, we have a much better understanding of P2P
> > technology these days and a P2P mesh could serve as the top level
> > finder in a naming system rather than having a fixed set of roots.
>
> The only serious (?) proposal I've seen until now, CoDoNS
> (http://www.cs.cornell.edu/people/egs/beehive/codons.php), uses
> DNSSEC, so it has the same dependency on the US government.

My message was not an encoded support message for any specific product or implementation. If anything, it was a call for research help. I realize it is not a short term fix, but a problem like this needs to be attacked on many fronts at once.

> > better understanding of webs of trust that we could apply to such a
> > mesh.
>
> You mix up *resolution* of names (which could be done by a P2P mesh
> like CoDoNS, replacing the root name servers) and *registration* of
> names, which have to be hierarchical if you want to preserve unicity
> of names. And this is the important point of control (the root name
> servers are not controlled by the US government, unlike the
> registration root).

If there is a P2P mesh holding pointers to servers which provide namespace resolution, then you have a trust issue. How do you know that you can trust the part of the P2P mesh that you are talking to? How do the mesh members trust each other? This is where the web-of-trust approach is useful. Once such a mesh is in place, you no longer need the root of the hierarchy to be rigidly controlled by a single entity. It could be managed by some sort of confederation, rather like IP addressing is controlled by the RIRs, IANA and the NRO. It is the rigid control of the root of the naming hierarchy that leads to the single point of failure issue.

And in fact, unicity of names is an illusion. It certainly does not exist in the real world and it does not exist in DNS unless you take an extremely narrow technical view. For instance, what about all those tasting domains that contain amazon or ebay in the name? Or in Russia where Cyrillic domain names are sometimes transliterated to ASCII characters using a French-based system (e.g. Iouri) or transliterated to ASCII using an English-based system (e.g. Yuri) or translated to English (e.g. George). But in the .ru registry, three independent entities could register iouri.ru, yuri.ru, and george.ru. Not to mention the fact that Russian domain names are often printed as .py in advertising which happens to be the TLD for Paraguay.

> So, you've not solved the problem.

I never claimed to have solved any problem. In fact, I think my message was more a statement of requirements than a solution. If the researchers manage to come up with a workable system for multiple namespaces as a result, then so much the better. DNS may not be forever.

--Michael Dillon.
Re: America takes over DNS
The Racines Libres have failed?

There are so many out there that we cannot count them any longer.

I think the only failure is the "single point of failure root". They have failed to be trustworthy.

It is so easy, get a copy of a trustworthy root-zone and run your own root. From time to time compare your root to the others and fix any diffs. Better take the authoritative servers and fix your root-zone.

I have never seen a personal root-server attacked. The single point of failure root gets attacked once per hour, because every hour it is 8 o'clock in the morning on some place and all those windows boxes get switched on.

Cheers
Peter and Karin Dambier

[EMAIL PROTECTED] wrote:

> The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign.
>
> Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result.
>
> I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall.
>
> It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh.
>
> Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?
>
> Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested.
>
> To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system.
>
> --Michael Dillon

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
Re: America takes over DNS
On Mon, Apr 02, 2007 at 09:23:32AM +0100, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote a message of 46 lines which said:

> It is probably time to start looking at alternative naming
> systems. For instance, we have a much better understanding of P2P
> technology these days and a P2P mesh could serve as the top level
> finder in a naming system rather than having a fixed set of roots.

The only serious (?) proposal I've seen until now, CoDoNS (http://www.cs.cornell.edu/people/egs/beehive/codons.php), uses DNSSEC, so it has the same dependency on the US government.

> better understanding of webs of trust that we could apply to such a
> mesh.

You mix up *resolution* of names (which could be done by a P2P mesh like CoDoNS, replacing the root name servers) and *registration* of names, which have to be hierarchical if you want to preserve unicity of names. And this is the important point of control (the root name servers are not controlled by the US government, unlike the registration root).

So, you've not solved the problem.
RE: America takes over DNS
> The US Department of Homeland Security (DHS) ...
> wants to have the key to sign the DNS root zone
> solidly in the hands of the US government.
> This ultimate master key would then allow
> authorities to track DNS Security Extensions
> (DNSSec) all the way back to the servers that
> represent the name system's root zone on the
> Internet. The "key-signing key" signs the zone
> key, which is held by VeriSign.

Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result.

I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall.

It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh.

Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?

Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested.

To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system.

--Michael Dillon
Re: America takes over DNS
On Sun, 1 Apr 2007, David Conrad wrote:

> Hi,
>
> On Apr 1, 2007, at 6:54 AM, J. Oquendo wrote:
> > Summary:
>
> Confusion resulting from hearsay and extrapolations.
>
> > The "key-signing key" signs the zone key, which is held by VeriSign.
>
> Except that the root zone hasn't been signed and there are no plans I
> am aware of to do so (and I think I'd probably know). In one possible
> scenario, VeriSign would hold the zone signing key which would be
> signed by the key signing key. Who holds the KSK hasn't been
> established.
>
> However, in reality, nothing would change. Even if the root were to
> be signed, who signs it doesn't really matter -- the USG already must
> approve any changes made to the root zone.

And of course, it can only approve "Willing changes".

> Rgds,
> -drc
Re: America takes over DNS
Hi,

On Apr 1, 2007, at 6:54 AM, J. Oquendo wrote:
> Summary:

Confusion resulting from hearsay and extrapolations.

> The "key-signing key" signs the zone key, which is held by VeriSign.

Except that the root zone hasn't been signed and there are no plans I am aware of to do so (and I think I'd probably know). In one possible scenario, VeriSign would hold the zone signing key which would be signed by the key signing key. Who holds the KSK hasn't been established.

However, in reality, nothing would change. Even if the root were to be signed, who signs it doesn't really matter -- the USG already must approve any changes made to the root zone.

Rgds,
-drc
America takes over DNS (re: On-going Internet Emergency and Domain Names)
Summary:

The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign.

http://www.heise.de/english/newsticker/news/87655

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey