Government Begins Securing Root Zone File

Posted by kdawson on Friday October 10, @10:12AM
from the not-before-time dept.
Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.
  • by assantisz (881107) on Friday October 10, @10:13AM (#25327313)
    I have my popcorn ready for the show.
  • None of the above (Score:5, Insightful)

    by jeffasselin (566598) <cormacolinde@@@gmail...com> on Friday October 10, @10:14AM (#25327333) Journal

    Does anyone really think any of those organizations should be trusted with this? How about some UN organization instead?

    • by Rob T Firefly (844560) on Friday October 10, @10:21AM (#25327419) Homepage Journal
      I vote we just give it to Cowboyneal.
    • by MightyYar (622222) on Friday October 10, @10:25AM (#25327471)

      The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

      I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

        • by Crazy Taco (1083423) on Friday October 10, @12:34PM (#25329019)

          Countries like the USA, you mean? Seriously, did you ever try to protest at an RNC, for instance? I did, and I can tell you that it sure makes you wonder exactly which nation you're in, anyway.

          Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.

          In the pre-RNC raid by the Ramsey County Sheriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did in keeping the carnage from getting worse.

          So, the only thing that makes me wonder what country I'm in is the fact that depraved idiots like you are running around loose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities that went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

            • Re:None of the above (Score:4, Informative)

              by MightyYar (622222) on Friday October 10, @01:37PM (#25329909)

              Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.

              And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.

              It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.

              (Note I don't mean you in particular, just the style of writing that I used.)

    • Re: (Score:3, Insightful)

      Hell, I'd trust the greedy bastards at Verisign way before the UN.

      But yeah, all those options kinda suck. ICANN is the lesser of the evils though, by a wide margin.

    • by FireStormZ (1315639) on Friday October 10, @10:31AM (#25327539)

      And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

  • Who to control... (Score:5, Insightful)

    by TheSpoom (715771) * on Friday October 10, @10:20AM (#25327395) Homepage Journal

    Verisign

    Pros:

    • Quite a bit of money, stability likely wouldn't be a problem

    Cons:

    • Puts a private company in control of a very, very important part of the internet
    • Has previously fucked with DNS, would likely do so again if considered a wise business decision

    US Government

    Pros:

    • Wouldn't dare let it go down since business in their country is very dependent upon it
    • Puts elected officials in charge of a very important part of the internet

    Cons:

    • Nationalizes an important part of an international network
    • Puts elected officials in charge of a very important part of the internet

    ICANN

    Pros:

    • Has been doing this a long time
    • Is a non-profit company so isn't driven by the same business needs as, say, Verisign

    Cons:

    • Still somewhat national

    I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

    • Re:Who to control... (Score:5, Interesting)

      by TheSpoom (715771) * on Friday October 10, @10:34AM (#25327567) Homepage Journal

      Addendum:

      UN

      Pros:

      • As international as it gets
      • Ideally not controlled by any individual country

      Cons:

      • Possibly more bureaucracy than any individual government in existence, would anything ever get done?
      • Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

      I'd be interested in hearing reasons why people believe this is a good thing as well though.

    • How about using a threshold signing scheme?

      Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If at least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.

      It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.

      Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].

      But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.
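      The threshold scheme sketched in the comment above, as an added example that is not part of the original post: a Shamir split of a hypothetical root signing key among three bodies plus a root-operator bloc whose single "vote" is itself shared so that ten of thirteen operators must agree. The party names, quorum sizes, the field prime and the sample key are assumptions for illustration; it shares the key value directly rather than running the multiparty RSA-signing protocol the comment refers to.

```python
import secrets

# Prime modulus for the share arithmetic (constructed choice: a Mersenne prime
# comfortably larger than any secret split here).
P = 2**127 - 1

def split_secret(secret, t, n):
    """Shamir secret sharing: n shares of `secret`, any t of which recover it."""
    assert 2 <= t <= n and 0 <= secret < P
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x=0. With fewer than t shares the result is garbage."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

BODIES = ("ntia", "icann", "verisign")    # hypothetical vote holders
VOTE_QUORUM, ROOT_QUORUM, ROOTS = 3, 10, 13

def split_root_key(key):
    """Two-level scheme: each body holds one vote; the root-operator bloc holds a
    fourth vote that is itself shared so ROOT_QUORUM of the ROOTS must agree."""
    votes = split_secret(key, VOTE_QUORUM, len(BODIES) + 1)
    holders = dict(zip(BODIES, votes[:-1]))
    bloc_x, bloc_y = votes[-1]
    holders["roots"] = (bloc_x, split_secret(bloc_y, ROOT_QUORUM, ROOTS))
    return holders

def sign_attempt(holders, bodies_present, roots_present):
    """Reconstruct the key only when the quorum is met; otherwise return None."""
    votes = [holders[b] for b in bodies_present]
    bloc_x, root_shares = holders["roots"]
    picked = [s for s in root_shares if s[0] in roots_present]
    if len(picked) >= ROOT_QUORUM:          # ten roots agreeing count as one vote
        votes.append((bloc_x, recover_secret(picked[:ROOT_QUORUM])))
    return recover_secret(votes[:VOTE_QUORUM]) if len(votes) >= VOTE_QUORUM else None
```

      A real deployment would keep the key inside an HSM and combine partial signatures instead of ever reassembling the key on one machine; the quorum logic is the same.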

    • Verisign? (Score:4, Insightful)

      by neowolf (173735) on Friday October 10, @11:47AM (#25328437)

      I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

  • by nweaver (113078) on Friday October 10, @10:30AM (#25327535) Homepage

    I believe DNSSEC is unnecessary to counter the Kaminsky attack.

    See draft-weaver-dnsext-comprehensive-resolver-00 [ietf.org] for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminsky (race-until-win) attacks.

  • I'd vote ICANN (Score:3, Insightful)

    by K3ba (1012075) on Friday October 10, @10:33AM (#25327561)
    But in the end, who really cares who signs it now - what can be signed once must be able to be signed again (especially if there is a validity period on the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the great unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatory's name. They will get comments then regardless of who they choose ;)
    • Re:I'd vote ICANN (Score:4, Insightful)

      by afidel (530433) on Friday October 10, @11:24AM (#25328185)
      How about the operators of each root server sign their own copy of the root? That way if one entity implements policies that you don't agree with, you simply remove them from your hints file. There's a reason there are multiple root servers, and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.
  • by davidwr (791652) on Friday October 10, @11:30AM (#25328241) Homepage Journal

    I can't think of anyone more qualified [ietf.org].

    Yes, I know he's dead, but I still can't think of anyone more qualified.

  • by Daimanta (1140543) on Friday October 10, @11:35AM (#25328307) Journal

    "On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

    ICANN: Organisation situated in the US, can be heavily influenced and controlled by the US government
    Verisign: Private company that is only interested in profit and is situated mostly in the US, thereby it can be heavily influenced and controlled by the US government
    NTIA: US government

    CHOOSE: US, US, or US

    American election time!

    • "Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something. "

      Those who don't understand DNS would recommend giving it to IBM.

      Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise ICANN, which we did until we realized all they were doing was using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies ICANN is a membership organization and 10 years later you still can join and have a vote. Ahem.

      During this time and for 5 years before that I ran a root for one of the alternative root zones.

      If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.

      But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.

    • by PinkyDead (862370) on Friday October 10, @11:05AM (#25327915) Journal

      One key for Google flying oh so high,
      One for Apple for without it fans would moan,
      One for IBM what are based in Armonk, NY,
      One for the Dark Lord on his dark throne
      In the Land of Redmond where the Shadows lie.
      One Key to rule them all, One Key to find them,
      One Key to bring them all and in the darkness bind them
      In the Land of Redmond where the Shadows lie.