Government Begins Securing Root Zone File 198
Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.
That's going to be interesting. (Score:4, Funny)
Re: (Score:2)
Here is another suggestion: IEEE
It doesn't HAVE to be one signature (Score:3, Informative)
DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.
Re: (Score:2)
It has to be one signature, however, for a practical reason: The top level domain zones change every hour. You're not going to get a dozen organizations to sign off on each of those changes every hour, in any practical or meaningful way.
Re: (Score:2)
The dumbest statement in the article is: "The only known complete fix is DNSSEC".
There is still the tradeoff between signed DNS information and who you trust to do the signing. I agree that they can get the root servers signed ok - its a small list and doesn't often change. What happens when they get to the millions of second level domains? Do they really think they can guarantee authentic signed DNS records for every .com domain out there? Good luck with that. They are going to have automated systems
None of the above (Score:5, Insightful)
Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?
Re: (Score:2, Insightful)
Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.
Ah, screw it. (Score:5, Funny)
Re:None of the above (Score:5, Insightful)
The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.
I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.
Re: (Score:3, Insightful)
Really, who should get the root zone file? Nobody is eligible so we either give it to no
Re: (Score:3, Insightful)
The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.
I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.
The UN seem like the safer choice because of more oversight.
Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the maj
Re: (Score:3, Insightful)
Yes, some of the UN member states are't too keen on free speech, but then again the United States government isn't, either. Granted, you're not quite on the same level as the worst ones but things li
Re: (Score:2)
things like the DHS, Gitmo, unwarranted searches, free speech zones etc.
Of the issues you mentioned, only "free speech zones" has anything at all to do with free speech - and that is actually freedom to assemble, since the government does not sort them based on content of speech.
The fact is that the US is more free than almost any other nation when it comes to speech. The only thing we restrict is what is covered by copyright - which sucks but is pretty much on-par with most other nations. DMCA would be our most egregious infringement of free speech IMHO.
Anyhow, the fact that t
Re: (Score:3, Interesting)
Leading surveillance societies in the EU and the World 2007 [privacyinternational.org]
Clearly in the lead: China, Russia, US
CC.
Re: (Score:2)
So if you aren't private you aren't free?
Re: (Score:2)
I won't argue that the secret ballot is necessary - but that doesn't mean that EVERYTHING else need to be secret as well... that's one extenuating circumstance.
Re: (Score:2)
You do realise the only 2 countries not in the UN are Vatican City and Taiwan?
Are you suggesting that every other country in the world supports censorship of political speech?
Wouldn't it be a better idea to actually get a clue about an organisation for slagging it off? The UN has wide and varied roles, some it's great at, others not so. How can you be so sure the internet would be in the not so category?
Re: (Score:2)
Even the worst member countries have a hard time being "for hunger" or "for disease", so the UN does a really good job helping hungry and diseased people. They suck at enforcing human rights and things like that, where the member countries don't want to get acted against themselves.
Censorship, well, most of the UN members have more restrictions on freedom of speech than the US does. Why in the world would I, as a US citizen, entrust that organization to regulate the internet? I might entrust countries from
Re: (Score:2)
You're still missing the point.
The UN is an entity that consists of just about every single country in the world. Of course that means what your perceive as bad countries are going to be involved but you do realise that they have an equal right to see the US as a bad country?
By having every single country have a say you end up with a view that is balanced upon world opinion, not just US opinion as it is now. US opinion most certainly does not represent the rest of the world and as such cannot be used as the
Re: (Score:2)
You're still missing the point.
Perhaps, but I think we're talking past one another.
I, personally, do not give a shit what the rest of the world's governments think about how the internet is run. In general, the governments of the world are corrupt and authoritarian. I like the internet open, free, and unfiltered/uncensored. Handing it over to the UN is not a likely way to retain those goals.
If the democratic countries of the world want to get together and decide what to do with the internet, I'd be willing to consider that - because I'd
You, sir, are evil and twisted. (Score:5, Informative)
Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.
In the pre-RNC raid by the Ramsey County Sherriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did it keeping the carnage from getting worse.
So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Re: (Score:3)
Re: (Score:2)
So arrest those people. Don't arrest the ones who are peacefully protesting.
Re: (Score:2)
For the most part that's what happened, there were about 700 arrest do you really think there were only 700 protesters? there were thousands upon thousands of protesters (probably upwards of 10K).
Several people were arrested for an 'illegal march' meaning they were blocking traffic because they decided to march in a place for which no permit was issued and they would not disburse.
Re: (Score:2)
I third this (Eagan) and I completely avoided St. Paul when they started throwing crap onto buses and cars from overpasses. My Cousin went in on the last day and peacefully protested there was no trouble for people who were organized in peaceful exercise of their first amendment rights, it was the morons attacking cops and delegates that got arrested.
Re: (Score:2)
People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities the went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Not moderating myself here, because I feel that something needs to be said about this. How does this shit get modded Informative? The world is a complicated place, you know. It is entirely possible that both violent protesters and overzealous police exist. Both you and the OP make vast oversimplifications.
Are you not aware that protest is a protected form of speech that is essential to democracy?
Mods: shame on you.
Re: (Score:3, Insightful)
Re: (Score:3)
Imagine a world where rioters and peaceful protesters are separate. Nobody is denying that there were rioters at the RNC. Rioters should be arrested. However, peaceful protesters were caught in the crossfire and arrested. If you think that these people should be exiled because they disagree with you, then you are no true American.
So, the only thing that makes me wonder what country I'm in is that fact that depraved idiots like you are running around lose. People like you are lower than low, defending these tactics and smearing the law enforcement officers...And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.
Heil Crazy Taco and his ability to judge who is a true American and who is not.
Re:You, sir, are evil and twisted. (Score:5, Funny)
you are running around lose
Nooooo! Finally a time when the often misused loose would have been the correct usage. How could you break my heart by using the wrong word here?
Re: (Score:3)
I believe that's exactly his point. The USA is supposed to stand for the freedoms of all people, no matter how you feel about them.
Standing all high and mighty and believing that you somehow have more of a right to your opinion and behaviour than they do, and more importantly, dividing people into "people like me" and "people like you" is bigotry and shouldn't
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.
Re: (Score:3, Insightful)
Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.
The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.
Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees
Re:None of the above (Score:4, Informative)
Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.
And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.
It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.
(Note I don't mean you in particular, just the style of writing that I used.)
Re: (Score:3, Insightful)
Excuse me, but the reason that most people resort to such intrusive methods is that the government neuters their otherwise peaceful message by plugging their ears through free-speech zones.
No, it isn't. Their message is fringe and not even close to being popular. They are ignored, and so make noise. The wide use of "free speech zones" came after the douchbaggery, not before - though I happen to agree that they are overkill. Just make the protesters file for a permit, pay for the extra police, get sufficient porta-potties installed, etc... no need for specific zones.
Remove all violent protests, and soon the peaceful ones will be dead, in jail, or brainwashed.
That's just absurd. Violent protests have no place in a civil society. That is the whole point of free speech and the justice sys
Re: (Score:2)
Those zones shouldn't be necessary, and the permit filing was done long before they existed by many protesters in many situations, but the governments of many western countries, the USA and Canada included have a history of provoking these p
Re: (Score:3, Informative)
You only believe the protesters are fringe lunatics because of how they're portrayed on the news after the weirdness has erupted. Try finding a nice video of a blogger with a hidden camera at one of these protests from start to finish and you'll see what really goes on.
Nooooo... I live in NYC and have the pleasure to stroll through these protests every so often. Usually these people are what I would term professional or at least hobbyist protesters. They are largely from out of town. They tend to represent every insane cause you ever didn't want to know about. All the usuals are there, too. The free Tibet crowd, the "I don't eat this or that" crowd, the "free this wronged convict" crowd, anarchists, communists... maybe you don't consider these people fringe - but they ver
Re: (Score:2)
And so long as you believe that, the three-letter agencies running your semi-secret prisons will continue trampling the rights of your fellow citizens, denying them due process and denying you your privacy.
Re: (Score:2)
AFAIK, there is one "secret" prison in the US, and it is not very secret. It's bad enough that we have gitmo, don't make it sound worse than it is - you come off as disingenuous that way.
We've voted away our own privacy, and people regularly trade it away for things like discounts on groceries - so don't expect everyone to be on-board with you there, either.
Re: (Score:2)
NATO might be able to do it. Mostly representative democracies with oodles of free speech. They might not want it, though.
Re: (Score:3, Insightful)
Hell, I'd trust the greedy bastards at Verisign way before the UN.
But yeah, all those options kinda suck. ICANN is the lesser of the evils tough by a wide margin.
Re:None of the above (Score:5, Insightful)
And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...
Re: (Score:2)
Yet someone else who doesn't seem to understand what the UN actually is. I can only imagine you're making the mistake of confusing the UN security council with the UN as a whole.
The UN as an organisation consists of all but two countries in the world so yes, of course they're comprised of many nations that censor speech. They also consist of many nations that don't. The whole point in the UN is that it's an organisation that exists to oversee international systems, politics and disputes in such a way that a
Re: (Score:2)
The UN? Are you out of your mind? That is the most corrupt incompetent bunch of unelected bureaucrats that have ever existed.
What you want to do.. is you want to make sure the person who holds the key, does not have the power of force behind them.. that means you have to keep it out of the hands of government. ICANN is probably the best choice..
Who to control... (Score:5, Insightful)
Verisign
Pros:
Cons:
US Government
Pros:
Cons:
ICANN
Pros:
Cons:
I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.
Re:Who to control... (Score:5, Interesting)
Addendum:
UN
Pros:
Cons:
I'd be interested in hearing reasons why people believe this is a good thing as well though.
Re: (Score:2)
Re: (Score:3, Insightful)
It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.
That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.
How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's
Re: (Score:2)
See, I thought about that too, but then I thought... well, that's basically ICANN.
Re: (Score:2)
ICANN is 100% ruled by USA laws and lawyers. In every case ruling who should own "foo.com" it _will_ rule for the USA company. Not good.
Re: (Score:2)
How about ISO?
(duck!)
Re: (Score:2)
UN ... # Could lead to a tyranny of the majority, what if a block of countries wanted censorship?
The rest of the Internet would just route around it.
Re: (Score:2)
Re: (Score:3, Informative)
I did, if you noticed. :^P
It doesn't have to be just one player (Score:5, Interesting)
How about using a threshold signing scheme?
Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.
It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.
Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].
But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.
Re: (Score:2)
Though at this point, I don't think any solution that gives any one person the literal key to the internet is a good one, so, on that point, I agree - f
Re: (Score:2)
In reality, it wouldn't affect too much of the normal use of the internet. Basically, whoever has control of this has control of creation and modification of top-level domains, like .com, .net, and .org, to a certain degree, in that they could enable or disable them, but not modify them directly (unless they disabled them and created their own modified version).
In theory, they could bring down the internet with such access though, so it is something worth serious consideration.
Re: (Score:2)
How would this impact simple host creation and DNS transfers though?
If the root is handled well, not at all. All that happens at the root zone is the creation and deletion of TLDs. Anything sub-TLD is handled by the entity(ies) responsible for their respective TLDs (such as Verisign, DK-Hostmaster or what have you).
If Verisign is the steward of both the root (in whole or in part) and the .com zone, they may be able to play tricks on us, but I'm not sure what those tricks are. Also, bear in mind that what we're (most likely) talking about isn't that you won't get a name,
Re: (Score:3, Insightful)
The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?
This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).
I think ICANN is still the least bad choice. Somebody has to be the
Re: (Score:2)
General Multiparty Computation protocols can be secured against strictly less than one third of the players being corrupted; corrupted here means that it deviates from the protocol, for instance by telling its secret to some other player because it in practice is under the control of the other player.
The simple version of how to handle it is that whenever someone deviates from the protocol, the honest parties reassemble the secret key and compute a new secret sharing; that is, everyone gets a fresh chunk of
Re: (Score:3, Insightful)
Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?
Verisign? (Score:4, Insightful)
I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.
Re:Who to control... (Score:4, Informative)
The problem is that that theoretical hosts file is already split among different entities; for example, Verisign controls the .com and .net registries, not ICANN. So, if you wanted to do that, you'd have to convince all of them to give up their control.
Re: (Score:2)
Biggest problem is the high frequency with which DNS can change (especially for individual networks)
Re: (Score:3, Funny)
ICANN IS INTERNATIONAL.
Re:Who to control... (Score:4, Funny)
CAPS LOCK IS CRUISE CONTROL FOR COOL.
(even cruise control [and slashdot filters] you still have to steer)
Re:Who to control... (Score:4, Funny)
I know, let's give it to Canada!
Re: (Score:2)
On behalf of Canada, I accept.
*gives himself a TLD for the hell of it*
Re: (Score:2)
Re: (Score:2)
We already have .CA and its fairly well-managed [www.cira.ca] too. We don't have all those strange domain hijackings and hijinx going on here because of how the registration system is managed.
Re: (Score:3, Funny)
Oh, no you don't. We don't want you blaming us AGAIN if something goes wrong.
Re: (Score:3, Insightful)
Latest I can find for UN payments is 2005 figures [unausa.org]; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.
Re: (Score:2)
When the OP talks about "funding the UN", he's not referring to dues. He's talking about actually paying for the activities of the UN, such as troops on the ground in hotspots, which many other countries are unwilling to do.
Of course, there's still a fuzzy line there - sometimes it can be argued that the US is just using the UN as a cover for their own activities (e.g., trying to get the UN to authorise an invasion of Iraq, then the entire Iraqi war would be considered a UN mandate, and thus count toward "
Re: (Score:2)
They ALREADY want that, which is why Europe, Russia, and China are all working on GPS replacements.
I believe DNSSEC is unnecessory... (Score:5, Informative)
I believe DNSSEC is unnecessary to counter the Kaminski attack.
See draft-weaver-dnsext-comprehensive-resolver-00 [ietf.org] for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminski (race-until-win) attacks.
Re: (Score:2)
I have not fully digested your draft, but I believe you are right. There are many proposed solutions that shore up DNS somewhat, as long as our random number generators are strong. That has traditionally proved difficult, and the random number generators have been the primary attack point time and time again. I also think that creating the solution by only looking at recent DNS attacks is short sighted. DNS has the possibility of becoming so much more then it currently is, if we can trust it.
We have leve
Re: (Score:2)
Unfortunatly, I disagree. The problem is DNSSEC is about securing DNS from in-path (MitM) adversaries. But in almost all cases, a DNS MitM can also be a MitM on the application.
If the application resists a MitM, it never trusted DNS anyway.
If the application doesn't resist a MitM, that the DNS resists a MitM is irrelevant.
Thus the net marginal increase in system security that DNSSEC offers is suprisingly low in my opinion, and our objective should be securing out-of-path resolvers against all adversaries
Re: (Score:3, Interesting)
I believe you missed what I said, or at least what I intended to say.
DNSSEC enables using DNS as the method of protection from MITM for other applications.
With DNSSEC you can distribute your SSH fingerprint in a signed DNS record. That would enable your application (SSH) to have a secure connection that can even withstand a MITM attack as long as you can verify the DNS signing keys, irregardless of whether or not you've ever connected to that server before.
The same sort of system can be used for email sign
Re: (Score:2)
Then all DNSSEC is is Yet Another CA Infrastructure.
And if you want an integrity-assured object store, why use DNSSEC? INstead, build an alternate application protocol that doesn't have silly record limits and the like in it.
Re: (Score:3, Interesting)
HTTP sucks too, but we use it because we all use it. Whatever we want to build gets a http implementation simply because everyone else uses it and understands it, and interoperability is king. In fact, a web service like http/SSL implementation is the only other real contender for a large scale PKI that has a snowball's chance in hell of being adopted. If DNSSEC fizzles out, I'll try that way.
DNSSEC is the best shot we have at world scale PKI because it's an incremental add-on to something we already have
I'd vote ICANN (Score:3, Insightful)
Re:I'd vote ICANN (Score:4, Insightful)
But surely (Score:2)
this isn't like the web where it helps (but is still far from ideal) to have a few central authorities who sign certificates for many entities? This sounds like it would be more of a central thing. Why not just self-sign and publish the key fingerprints in papers, journals and whatever?
Service your implementation (Score:2)
I in service to knowing what you say.
Give the keys to Jon Postel (Score:4, Insightful)
I can't think of anyone more qualified [ietf.org].
Yes, I know he's dead, but I still can't think of anyone more qualified.
Re: (Score:2)
Holding the root zone key is by definition part of the function of the IANA (one of Jon Postel's many jobs back in the day.) The IANA is the organization that manages the root zone. It has always been that way.
Since ICANN (or rather one internal division of ICANN) is currently the IANA, they would control the keys.
If a new IANA is appointed (and approved by the Internet Architeture board (who must approve any IANA appointment, since the maintains the registry of Names and Numbers assigned in the RFCs on beh
Lame choice is no choice (Score:5, Insightful)
"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."
ICANN: Organisation situated in the US, can be heavily influenced and controlled the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US thereby it can be heavily influenced and controlled the US government
NTIA: US government
CHOOSE: US, US, or US
American election time!
Oooh, I know (Score:2)
Give it to the EU, then just hope you never need anything changed.
It's only the DNS root, nothing critical to the internet working like IP address allocation or proper routing.
DNSSEC versus DNSCURVE (Score:2)
DNSSEC is a protocol similar to, but not compatible with DNS. It is difficult to deploy and requires much more powerful hardware than current DNS servers otherwise require. DNSSEC offers no security guarantee unless DNS is completely replaced with DNSSEC.
dnscurve [dnscurve.org], on the other hand, is fully backwards compatible with DNS, would be dead-simple to deploy, requires a fraction of the computing power than DNSSEC requires, and it can be deployed incrementally.
Re: (Score:3, Insightful)
Except that DNSSEC is DNS. Period. It isn't compatible with DNS, it is DNS. It simply adds some additional records that aren't normally present that a DNS server or resolver can, if configured to, use to verify that the responses come from a valid server. It's not difficult to deploy, all current DNS servers already implement it so it's already deployed. What's difficult is the process of generating the signature chains, since the validity of the signatures at any level depends on the signature chain back t
Verisign = US Government (Score:2)
Verisign preforms intercepts for the NSA. (how exactly they do with with pub/private key is unknown to me.. perhaps they have a copy of the private key).
http://wikileaks.org/wiki/Cox_Communications_Interception_Request_Worksheet_2008 [wikileaks.org]
I think it is absolutely a danger to freedom on the internet to have any Government in control of DNS.
Re: (Score:2, Funny)
Re: (Score:2, Funny)
I know i know, lets give it to some wallstreet bankers!
Re: (Score:2)
Or to ACORN.
Re:Those who do not understand DNS (Score:5, Interesting)
"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WONT mess this up completely? Give the key to Google or AOL or IBM or something. "
Those who don't understand DNS would recommend giving it to IBM.
Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise icann which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies icann is a membership organization and 10 years later you still can join and have a vote. Ahem.
During this time and for 5 years before that I run the a root to one of the alternative root zones.
If you think dnssec will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.
But if you wanna go ahead with the broken dnssec model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.
Re: (Score:2, Funny)
Can I be the president of your fan club?
Re:Those who do not understand DNS (Score:5, Funny)
One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Hong Kong Phooey?