Government Begins Securing Root Zone File
Posted by kdawson on Fri Oct 10, 2008 09:12 AM
from the not-before-time dept.
Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.
Related Stories
Massive, Coordinated Patch To the DNS Released 315 comments
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
That's going to be interesting. (Score:4, Funny)
It doesn't HAVE to be one signature (Score:3, Informative)
DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.
None of the above (Score:5, Insightful)
Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?
Re: (Score:2, Insightful)
Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.
Ah, screw it. (Score:5, Funny)
Parent
Re:None of the above (Score:5, Insightful)
The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.
I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.
Parent
Re: (Score:3, Insightful)
Really, who should get the root zone file? Nobody is eligible so we either give it to no
Re: (Score:3, Insightful)
The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.
I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.
The UN seem like the safer choice because of more oversight.
Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the maj
Re: (Score:3, Insightful)
Yes, some of the UN member states aren't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things li
Re: (Score:3, Interesting)
Leading surveillance societies in the EU and the World 2007 [privacyinternational.org]
Clearly in the lead: China, Russia, US
CC.
You, sir, are evil and twisted. (Score:5, Informative)
Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.
In the pre-RNC raid by the Ramsey County Sheriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did in keeping the carnage from getting worse.
So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities that went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Parent
Re: (Score:3)
Re: (Score:3)
Imagine a world where rioters and peaceful protesters are separate. Nobody is denying that there were rioters at the RNC. Rioters should be arrested. However, peaceful protesters were caught in the crossfire and arrested. If you think that these people should be exiled because they disagree with you, then you are no true American.
So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers...And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Heil Crazy Taco and his ability to judge who is a true American and who is not.
Re:You, sir, are evil and twisted. (Score:5, Funny)
you are running around lose
Nooooo! Finally a time when the often misused loose would have been the correct usage. How could you break my heart by using the wrong word here?
Parent
Re: (Score:3)
I believe that's exactly his point. The USA is supposed to stand for the freedoms of all people, no matter how you feel about them.
Standing all high and mighty and believing that you somehow have more of a right to your opinion and behaviour than they do, and more importantly, dividing people into "people like me" and "people like you" is bigotry and shouldn't
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.
Re: (Score:3, Insightful)
Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.
The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.
Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees
Re:None of the above (Score:4, Informative)
Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.
And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.
It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.
(Note I don't mean you in particular, just the style of writing that I used.)
Parent
Re: (Score:3, Insightful)
Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.
No, it isn't. Their message is fringe and not even close to being popular. They are ignored, and so make noise. The wide use of "free speech zones" came after the douchebaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.
Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.
That's just absurd. Violent protests have no place in a civil society. That is the whole point of free speech and the justice sys
Re: (Score:3, Informative)
You only believe the protesters are fringe lunatics because of how they're portrayed on the news after the weirdness has erupted. Try finding a nice video of a blogger with a hidden camera at one of these protests from start to finish and you'll see what really goes on.
Nooooo... I live in NYC and have the pleasure to stroll through these protests every so often. Usually these people are what I would term professional or at least hobbyist protesters. They are largely from out of town. They tend to represent every insane cause you ever didn't want to know about. All the usuals are there, too. The free Tibet crowd, the "I don't eat this or that" crowd, the "free this wronged convict" crowd, anarchists, communists... maybe you don't consider these people fringe - but they ver
Re: (Score:3, Insightful)
Hell, I'd trust the greedy bastards at Verisign way before the UN.
But yeah, all those options kinda suck. ICANN is the lesser of the evils though by a wide margin.
Re:None of the above (Score:5, Insightful)
And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...
Parent
Who to control... (Score:5, Insightful)
Verisign
Pros:
Cons:
US Government
Pros:
Cons:
ICANN
Pros:
Cons:
I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.
Re:Who to control... (Score:5, Interesting)
Addendum:
UN
Pros:
Cons:
I'd be interested in hearing reasons why people believe this is a good thing as well though.
Parent
Re: (Score:3, Insightful)
It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.
That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.
How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's
It doesn't have to be just one player (Score:5, Interesting)
How about using a threshold signing scheme?
Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If at least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.
It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.
Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].
But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.
Parent
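The t-of-n signing idea in the comment above, as an added example that is not part of the original post or of any DNSSEC tooling. It is a toy version of Shoup's threshold RSA scheme (a trusted dealer hands out Shamir shares of the private exponent, a simplification of the general multiparty computation the poster mentions), with small constructed primes and no share-correctness proofs; all names are hypothetical.

```python
import hashlib
import secrets
from math import factorial, gcd

# Toy key, constructed for this demo. Real deployments use safe primes of 1024+ bits.
P, Q = 2039, 1907             # safe primes: 2039 = 2*1019 + 1, 1907 = 2*953 + 1
N = P * Q                     # public RSA modulus
M = 1019 * 953                # secret: order of the group of squares mod N
E = 65537                     # public exponent, a prime larger than the party count


def deal(n, t):
    """Dealer splits d = E^-1 mod M into n Shamir shares; any t of them can sign."""
    d = pow(E, -1, M)
    coeffs = [d] + [secrets.randbelow(M) for _ in range(t - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % M
            for i in range(1, n + 1)}


def digest(msg):
    """Map a message to an integer that is invertible mod N (toy hash-to-group)."""
    x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while gcd(x, N) != 1:
        x += 1
    return x


def sign_share(msg, share, n):
    """Run by one party on its own share; only this partial result is published."""
    return pow(digest(msg), 2 * factorial(n) * share, N)


def combine(msg, parts, n):
    """Turn partial signatures {party_id: value} into an ordinary RSA signature."""
    delta, x, w = factorial(n), digest(msg), 1
    for i, part in parts.items():
        num = den = 1
        for j in parts:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam = delta * num // den      # Lagrange coefficient at 0 times n!, an integer
        w = w * pow(part, 2 * lam, N) % N
    # Now w^E == x^(4*delta^2). Solve a*4*delta^2 + b*E == 1 to get y with y^E == x.
    e2 = 4 * delta * delta
    a = pow(e2, -1, E)
    b = (1 - a * e2) // E
    return pow(w, a, N) * pow(x, b, N) % N


def verify(msg, sig):
    """Standard RSA check with the public key only; the sharing is invisible here."""
    return pow(sig, E, N) == digest(msg)


def demo(signers, n=5, t=3, msg=b". IN DNSKEY (constructed root key set)"):
    """Parties 1..n hold shares; do `signers` alone produce a valid signature?"""
    shares = deal(n, t)
    parts = {i: sign_share(msg, shares[i], n) for i in signers}
    return verify(msg, combine(msg, parts, n))
```

The private exponent is never reassembled at signing time, and a verifier cannot tell which parties took part. Any t shares in one hand are enough to sign, so the threshold only protects as long as the share holders stay independent.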
Re: (Score:3, Insightful)
The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?
This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).
I think ICANN is still the least bad choice. Somebody has to be the
Re: (Score:3, Insightful)
Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?
Verisign? (Score:4, Insightful)
I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.
Parent
Re:Who to control... (Score:4, Informative)
The problem is that that theoretical hosts file is already split among different entities; for example, Verisign controls the .com and .net registries, not ICANN. So, if you wanted to do that, you'd have to convince all of them to give up their control.
Parent
Re: (Score:2)
Biggest problem is the high frequency with which DNS can change (especially for individual networks)
Re: (Score:3, Informative)
I did, if you noticed. :^P
Re: (Score:3, Funny)
ICANN IS INTERNATIONAL.
Re:Who to control... (Score:4, Funny)
CAPS LOCK IS CRUISE CONTROL FOR COOL.
(even cruise control [and slashdot filters] you still have to steer)
Parent
Re:Who to control... (Score:4, Funny)
I know, let's give it to Canada!
Parent
Re: (Score:3, Funny)
Oh, no you don't. We don't want you blaming us AGAIN if something goes wrong.
Re: (Score:3, Insightful)
Latest I can find for UN payments is 2005 figures [unausa.org]; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.
I believe DNSSEC is unnecessary... (Score:5, Informative)
I believe DNSSEC is unnecessary to counter the Kaminsky attack.
See draft-weaver-dnsext-comprehensive-resolver-00 [ietf.org] for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminsky (race-until-win) attacks.
Re: (Score:3, Interesting)
I believe you missed what I said, or at least what I intended to say.
DNSSEC enables using DNS as the method of protection from MITM for other applications.
With DNSSEC you can distribute your SSH fingerprint in a signed DNS record. That would enable your application (SSH) to have a secure connection that can even withstand a MITM attack as long as you can verify the DNS signing keys, irregardless of whether or not you've ever connected to that server before.
The same sort of system can be used for email sign
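The signed-fingerprint idea from the comment above, as an added example that is not part of the original post: it builds an SSHFP record (RFC 4255, SHA-256 type from RFC 6594, Ed25519 number from RFC 7479) from a public key line and shows the client-side check on a first connection. The host name, key bytes and the `dnssec_validated` flag (standing in for a validating resolver's verdict) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers; fingerprint type 2 means SHA-256 over the key blob.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_SHA256 = 2


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key):
    """Public key blob in the form a server presents during key exchange."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def sshfp_record(owner, pubkey_line):
    """Build the zone-file line for one line of an OpenSSH .pub file."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    fp = hashlib.sha256(blob).hexdigest()
    return f"{owner} IN SSHFP {SSHFP_ALG[key_type]} {FP_SHA256} {fp}"


def host_key_trusted(rrset, dnssec_validated, key_type, presented_blob):
    """Client-side decision for a host it has never connected to before."""
    if not dnssec_validated:       # unsigned or bogus answer carries no assurance
        return False
    want_alg = str(SSHFP_ALG[key_type])
    got = hashlib.sha256(presented_blob).hexdigest()
    for rr in rrset:
        alg, fp_type, fp = rr.split()[-3:]
        if (alg == want_alg and fp_type == str(FP_SHA256)
                and hmac.compare_digest(fp.lower(), got)):
            return True
    return False


# Constructed sample data: two fake 32-byte Ed25519 public keys.
REAL_KEY = ed25519_blob(bytes(range(32)))
MITM_KEY = ed25519_blob(bytes(range(32, 64)))
PUB_LINE = "ssh-ed25519 " + base64.b64encode(REAL_KEY).decode() + " root@host.example"
RRSET = [sshfp_record("host.example.", PUB_LINE)]
```

OpenSSH can emit such records with `ssh-keygen -r` and consults them when `VerifyHostKeyDNS` is enabled; without a validated answer the record is no stronger than the unsigned DNS response that carried it.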
Re: (Score:3, Interesting)
HTTP sucks too, but we use it because we all use it. Whatever we want to build gets a http implementation simply because everyone else uses it and understands it, and interoperability is king. In fact, a web service like http/SSL implementation is the only other real contender for a large scale PKI that has a snowball's chance in hell of being adopted. If DNSSEC fizzles out, I'll try that way.
DNSSEC is the best shot we have at world scale PKI because it's an incremental add-on to something we already have
I'd vote ICANN (Score:3, Insightful)
Re:I'd vote ICANN (Score:4, Insightful)
Parent
Give the keys to Jon Postel (Score:4, Insightful)
I can't think of anyone more qualified [ietf.org].
Yes, I know he's dead, but I still can't think of anyone more qualified.
Lame choice is no choice (Score:5, Insightful)
"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."
ICANN: Organisation situated in the US, can be heavily influenced and controlled by the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled by the US government
NTIA: US government
CHOOSE: US, US, or US
American election time!
Re: (Score:2, Funny)
Re: (Score:2, Funny)
I know, I know, let's give it to some Wall Street bankers!
Re:Those who do not understand DNS (Score:5, Interesting)
"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WON'T mess this up completely? Give the key to Google or AOL or IBM or something. "
Those who don't understand DNS would recommend giving it to IBM.
Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise icann which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies icann is a membership organization and 10 years later you still can join and have a vote. Ahem.
During this time and for 5 years before that I run the a root to one of the alternative root zones.
If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.
But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.
Parent
Re:Those who do not understand DNS (Score:5, Funny)
One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.
Parent
Re: (Score:3, Insightful)
Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back t