Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Internet United States

Government Begins Securing Root Zone File 198

Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.
This discussion has been archived. No new comments can be posted.

Government Begins Securing Root Zone File

Comments Filter:
  • by assantisz ( 881107 ) on Friday October 10, 2008 @10:13AM (#25327313)
    I have my popcorn ready for the show.
    • by morcego ( 260031 )

      Here is another suggestion: IEEE

    • DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.

      • It has to be one signature, however, for a practical reason: The top level domain zones change every hour. You're not going to get a dozen organizations to sign off on each of those changes every hour, in any practical or meaningful way.

      • by Intron ( 870560 )

        The dumbest statement in the article is: "The only known complete fix is DNSSEC".

        There is still the tradeoff between signed DNS information and who you trust to do the signing. I agree that they can get the root servers signed ok - its a small list and doesn't often change. What happens when they get to the millions of second level domains? Do they really think they can guarantee authentic signed DNS records for every .com domain out there? Good luck with that. They are going to have automated systems

  • None of the above (Score:5, Insightful)

    by jeffasselin ( 566598 ) <cormacolinde@gmai l . com> on Friday October 10, 2008 @10:14AM (#25327333) Journal

    Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.

    • by Rob T Firefly ( 844560 ) on Friday October 10, 2008 @10:21AM (#25327419) Homepage Journal
      I vote we just give it to Cowboyneal.
    • by MightyYar ( 622222 ) on Friday October 10, 2008 @10:25AM (#25327471)

      The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

      I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

      • Re: (Score:3, Insightful)

        by Jesus_666 ( 702802 )
        The question is who to give it to. The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check. And I'm not in favor of giving a nation control over an international resource simply because it was deployed there first. That'd be like ultimately deferring to France in all aviation matters because of the Montgolfier brothers.

        Really, who should get the root zone file? Nobody is eligible so we either give it to no
        • Re: (Score:3, Insightful)

          by MightyYar ( 622222 )

          The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.

          I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

          The UN seem like the safer choice because of more oversight.

          Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the maj

          • Re: (Score:3, Insightful)

            by Jesus_666 ( 702802 )

            I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

            Yes, some of the UN member states are't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things li

            • things like the DHS, Gitmo, unwarranted searches, free speech zones etc.

              Of the issues you mentioned, only "free speech zones" has anything at all to do with free speech - and that is actually freedom to assemble, since the government does not sort them based on content of speech.

              The fact is that the US is more free than almost any other nation when it comes to speech. The only thing we restrict is what is covered by copyright - which sucks but is pretty much on-par with most other nations. DMCA would be our most egregious infringement of free speech IMHO.

              Anyhow, the fact that t

      • Re: (Score:3, Interesting)

        by foobsr ( 693224 )
        organization of free democracies

        Leading surveillance societies in the EU and the World 2007 [privacyinternational.org]

        Clearly in the lead: China, Russia, US ...

        • So if you aren't private you aren't free?

      • by Xest ( 935314 )

        You do realise the only 2 countries not in the UN are Vatican City and Taiwan?

        Are you suggesting that every other country in the world supports censorship of political speech?

        Wouldn't it be a better idea to actually get a clue about an organisation for slagging it off? The UN has wide and varied roles, some it's great at, others not so. How can you be so sure the internet would be in the not so category?

        • Even the worst member countries have a hard time being "for hunger" or "for disease", so the UN does a really good job helping hungry and diseased people. They suck at enforcing human rights and things like that, where the member countries don't want to get acted against themselves.

          Censorship, well, most of the UN members have more restrictions on freedom of speech than the US does. Why in the world would I, as a US citizen, entrust that organization to regulate the internet? I might entrust countries from

          • by Xest ( 935314 )

            You're still missing the point.

            The UN is an entity that consists of just about every single country in the world. Of course that means what your perceive as bad countries are going to be involved but you do realise that they have an equal right to see the US as a bad country?

            By having every single country have a say you end up with a view that is balanced upon world opinion, not just US opinion as it is now. US opinion most certainly does not represent the rest of the world and as such cannot be used as the

            • You're still missing the point.

              Perhaps, but I think we're talking past one another.

              I, personally, do not give a shit what the rest of the world's governments think about how the internet is run. In general, the governments of the world are corrupt and authoritarian. I like the internet open, free, and unfiltered/uncensored. Handing it over to the UN is not a likely way to retain those goals.

              If the democratic countries of the world want to get together and decide what to do with the internet, I'd be willing to consider that - because I'd

    • Re: (Score:3, Insightful)

      by Kamokazi ( 1080091 )

      Hell, I'd trust the greedy bastards at Verisign way before the UN.

      But yeah, all those options kinda suck. ICANN is the lesser of the evils tough by a wide margin.

    • by FireStormZ ( 1315639 ) on Friday October 10, 2008 @10:31AM (#25327539)

      And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

      • by Xest ( 935314 )

        Yet someone else who doesn't seem to understand what the UN actually is. I can only imagine you're making the mistake of confusing the UN security council with the UN as a whole.

        The UN as an organisation consists of all but two countries in the world so yes, of course they're comprised of many nations that censor speech. They also consist of many nations that don't. The whole point in the UN is that it's an organisation that exists to oversee international systems, politics and disputes in such a way that a

    • by k1e0x ( 1040314 )

      The UN? Are you out of your mind? That is the most corrupt incompetent bunch of unelected bureaucrats that have ever existed.

      What you want to do.. is you want to make sure the person who holds the key, does not have the power of force behind them.. that means you have to keep it out of the hands of government. ICANN is probably the best choice..

  • Who to control... (Score:5, Insightful)

    by TheSpoom ( 715771 ) * <slashdot AT uberm00 DOT net> on Friday October 10, 2008 @10:20AM (#25327395) Homepage Journal



    • Quite a bit of money, stability likely wouldn't be a problem


    • Puts a private company in control of a very, very important part of the internet
    • Has previously fucked with DNS, would likely do so again if considered a wise business decision

    US Government


    • Wouldn't dare let it go down since business in their country is very dependent upon it
    • Puts elected officials in charge of a very important part of the internet


    • Nationalizes an important part of an international network
    • Puts elected officials in charge of a very important part of the internet



    • Has been doing this a long time
    • Is a non-profit company so isn't driven by the same business needs as, say, Verisign


    • Still somewhat national

    I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

    • Re:Who to control... (Score:5, Interesting)

      by TheSpoom ( 715771 ) * <slashdot AT uberm00 DOT net> on Friday October 10, 2008 @10:34AM (#25327567) Homepage Journal




      • As international as it gets
      • Ideally not controlled by any individual country


      • Possibly more bureaucracy than any individual government in existence, would anything ever get done?
      • Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

      I'd be interested in hearing reasons why people believe this is a good thing as well though.

      • by houghi ( 78078 )

        I think you summed it up pretty good. The thing is that the cons can be any country andf perhaps not just the countries you would think at first.

      • Re: (Score:3, Insightful)

        by jhol13 ( 1087781 )

        It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.

        That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.

        How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's

        • See, I thought about that too, but then I thought... well, that's basically ICANN.

          • by jhol13 ( 1087781 )

            ICANN is 100% ruled by USA laws and lawyers. In every case ruling who should own "foo.com" it _will_ rule for the USA company. Not good.

      • How about ISO?


      • by jc42 ( 318812 )

        UN ... # Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

        The rest of the Internet would just route around it.

    • by houghi ( 78078 )

      US Government
      Puts elected officials in charge of a very important part of the internet

      I would put that on the con side. I rather have a person who knows what he is doing in charge and not so much somebody who is popular and knows how to play the electoral game.
      Also they are elected by a minority of the users.

    • by jonaskoelker ( 922170 ) <jonaskoelker&yahoo,com> on Friday October 10, 2008 @10:46AM (#25327683)

      How about using a threshold signing scheme?

      Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.

      It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.

      Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].

      But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.

      • The problem with this statement "I don't think any one of them should be in exclusive control" is that this network was initially created for the sole purpose of protecting the swift transfer of data should a nuclear attack hit the US of A. It's gotten beyond that in a major way, but it started in the US, so I can understand why the US would want the keys.

        Though at this point, I don't think any solution that gives any one person the literal key to the internet is a good one, so, on that point, I agree - f
        • In reality, it wouldn't affect too much of the normal use of the internet. Basically, whoever has control of this has control of creation and modification of top-level domains, like .com, .net, and .org, to a certain degree, in that they could enable or disable them, but not modify them directly (unless they disabled them and created their own modified version).

          In theory, they could bring down the internet with such access though, so it is something worth serious consideration.

        • How would this impact simple host creation and DNS transfers though?

          If the root is handled well, not at all. All that happens at the root zone is the creation and deletion of TLDs. Anything sub-TLD is handled by the entity(ies) responsible for their respective TLDs (such as Verisign, DK-Hostmaster or what have you).

          If Verisign is the steward of both the root (in whole or in part) and the .com zone, they may be able to play tricks on us, but I'm not sure what those tricks are. Also, bear in mind that what we're (most likely) talking about isn't that you won't get a name,

      • Re: (Score:3, Insightful)

        by wiz_80 ( 15261 )

        The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?

        This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).

        I think ICANN is still the least bad choice. Somebody has to be the

        • General Multiparty Computation protocols can be secured against strictly less than one third of the players being corrupted; corrupted here means that it deviates from the protocol, for instance by telling its secret to some other player because it in practice is under the control of the other player.

          The simple version of how to handle it is that whenever someone deviates from the protocol, the honest parties reassemble the secret key and compute a new secret sharing; that is, everyone gets a fresh chunk of

    • Re: (Score:3, Insightful)

      by mgoren ( 73073 )

      Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?

    • Verisign? (Score:4, Insightful)

      by neowolf ( 173735 ) on Friday October 10, 2008 @11:47AM (#25328437)

      I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

  • by nweaver ( 113078 ) on Friday October 10, 2008 @10:30AM (#25327535) Homepage

    I believe DNSSEC is unnecessary to counter the Kaminski attack.

    See draft-weaver-dnsext-comprehensive-resolver-00 [ietf.org] for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminski (race-until-win) attacks.

    • by spinkham ( 56603 )

      I have not fully digested your draft, but I believe you are right. There are many proposed solutions that shore up DNS somewhat, as long as our random number generators are strong. That has traditionally proved difficult, and the random number generators have been the primary attack point time and time again. I also think that creating the solution by only looking at recent DNS attacks is short sighted. DNS has the possibility of becoming so much more then it currently is, if we can trust it.

      We have leve

      • by nweaver ( 113078 )

        Unfortunatly, I disagree. The problem is DNSSEC is about securing DNS from in-path (MitM) adversaries. But in almost all cases, a DNS MitM can also be a MitM on the application.

        If the application resists a MitM, it never trusted DNS anyway.

        If the application doesn't resist a MitM, that the DNS resists a MitM is irrelevant.

        Thus the net marginal increase in system security that DNSSEC offers is suprisingly low in my opinion, and our objective should be securing out-of-path resolvers against all adversaries

        • Re: (Score:3, Interesting)

          by spinkham ( 56603 )

          I believe you missed what I said, or at least what I intended to say.

          DNSSEC enables using DNS as the method of protection from MITM for other applications.

          With DNSSEC you can distribute your SSH fingerprint in a signed DNS record. That would enable your application (SSH) to have a secure connection that can even withstand a MITM attack as long as you can verify the DNS signing keys, irregardless of whether or not you've ever connected to that server before.

          The same sort of system can be used for email sign

          • by nweaver ( 113078 )

            Then all DNSSEC is is Yet Another CA Infrastructure.

            And if you want an integrity-assured object store, why use DNSSEC? INstead, build an alternate application protocol that doesn't have silly record limits and the like in it.

            • Re: (Score:3, Interesting)

              by spinkham ( 56603 )

              HTTP sucks too, but we use it because we all use it. Whatever we want to build gets a http implementation simply because everyone else uses it and understands it, and interoperability is king. In fact, a web service like http/SSL implementation is the only other real contender for a large scale PKI that has a snowball's chance in hell of being adopted. If DNSSEC fizzles out, I'll try that way.

              DNSSEC is the best shot we have at world scale PKI because it's an incremental add-on to something we already have

  • I'd vote ICANN (Score:3, Insightful)

    by K3ba ( 1012075 ) on Friday October 10, 2008 @10:33AM (#25327561)
    But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatories name. They will get comments then regardless of who they choose ;)
    • Re:I'd vote ICANN (Score:4, Insightful)

      by afidel ( 530433 ) on Friday October 10, 2008 @11:24AM (#25328185)
      How about the operators of each Root server signs their own copy of the root? That way if one entity implements policies that you don't agree with you simply remove them from your hints file. There's a reason there's multiple root servers and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.
  • this isn't like the web where it helps (but is still far from ideal) to have a few central authorities who sign certificates for many entities? This sounds like it would be more of a central thing. Why not just self-sign and publish the key fingerprints in papers, journals and whatever?

  • "This is in service of implementing DNSSEC"

    I in service to knowing what you say.

  • by davidwr ( 791652 ) on Friday October 10, 2008 @11:30AM (#25328241) Homepage Journal

    I can't think of anyone more qualified [ietf.org].

    Yes, I know he's dead, but I still can't think of anyone more qualified.

    • by Tacvek ( 948259 )

      Holding the root zone key is by definition part of the function of the IANA (one of Jon Postel's many jobs back in the day.) The IANA is the organization that manages the root zone. It has always been that way.

      Since ICANN (or rather one internal division of ICANN) is currently the IANA, they would control the keys.

      If a new IANA is appointed (and approved by the Internet Architeture board (who must approve any IANA appointment, since the maintains the registry of Names and Numbers assigned in the RFCs on beh

  • by Daimanta ( 1140543 ) on Friday October 10, 2008 @11:35AM (#25328307) Journal

    "On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

    ICANN: Organisation situated in the US, can be heavily influenced and controlled the US government
    Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US government
    NTIA: US government

    CHOOSE: US, US, or US

    American election time!

  • Give it to the EU, then just hope you never need anything changed.

    It's only the DNS root, nothing critical to the internet working like IP address allocation or proper routing.

  • DNSSEC is a protocol similar to, but not compatible with DNS. It is difficult to deploy and requires much more powerful hardware than current DNS servers otherwise require. DNSSEC offers no security guarantee unless DNS is completely replaced with DNSSEC.

    dnscurve [dnscurve.org], on the other hand, is fully backwards compatible with DNS, would be dead-simple to deploy, requires a fraction of the computing power than DNSSEC requires, and it can be deployed incrementally.

    • Re: (Score:3, Insightful)

      by Todd Knarr ( 15451 )

      Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back t

  • Verisign preforms intercepts for the NSA. (how exactly they do with with pub/private key is unknown to me.. perhaps they have a copy of the private key).

    http://wikileaks.org/wiki/Cox_Communications_Interception_Request_Worksheet_2008 [wikileaks.org]

    I think it is absolutely a danger to freedom on the internet to have any Government in control of DNS.

In 1869 the waffle iron was invented for people who had wrinkled waffles.