Working Around Slow US Gov. On DNS Security
alphadogg writes "Last fall, the US government sought comments from industry about how better to secure the Internet by deploying DNSSEC on the root zone. But it hasn't taken action since then. Internet policy experts anticipate further delays because the Obama Administration hasn't appointed a Secretary of Commerce yet, the position that oversees Internet addressing issues. Meanwhile, the Internet engineering community is forging ahead with a stopgap to allow DNSSEC deployment without the DNS root zone being signed. Known as a Trust Anchor Repository, the alternative was announced by ICANN last week and has been in testing since October."
DNSSEC overrated (Score:3, Insightful)
It's not about security, it's just another way to collect toll on the information superhighway.
I'm sure the CAs are rubbing their hands in glee.
They're not only going to collect money for SSL certs for www.yourdomain.com. Now they get to collect money to sign the "yourdomain.com" DNS entry as well.
And Verisign gets to triple dip if not more.
Re:DNSSEC overrated (Score:4, Interesting)
To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra.
I'm a layman here, but glancing at how DNSSEC works, I see no obvious way selectively signing some but not the rest of the entries could work. This means DNSSEC would provide a more secure way to give the public key to a viewer.
Instead of proving that the server's owner paid a sum to the CA, it would prove that the server's owner has control over the DNS entry.
If the above is correct, that's a good explanation why we don't have DNSSEC yet -- it would have a potential to kill the CA's income.
But if there is a way to selectively skip signing certain DNS entries, all your fears would be true.
DNSSEC is a good substitute for paid-for CERTs (Score:5, Informative)
You may be a layman, but you appear to have far more clue about this stuff than most. Yes, once DNSSEC [wikipedia.org] is deployed, anyone with a domain name can publish CERT records [wikipedia.org] and have about the same security as a paid-for CERT. Granted, the cert authorities right now require you to give your name and address and such, which publishing CERT records in the DNS won't require, so they aren't exactly the same, but close enough considering how little checking the cert authorities do on such information.
Re: (Score:1, Offtopic)
Acronyms confuse me.
>>>it's just another way to collect toll on the information superhighway. I'm sure the CAs are rubbing their hands in glee.
Say what? CAs?
>>>DNSSEC could possibly kill the goldmine that is the SSL cert racket
DNSSEC? SSL?
>>>once DNSSEC is deployed, anyone with a domain name can publish CERT records
CERT? IRL? AFK? LOL? What? I understood the word "toll" and it struck fear into my heart, but the rest of what ye are saying is incomprehensible to my tiny litt
Re: (Score:2)
Get with the program, these are not obscure acronyms by a long shot.
CA = Certification authority
SSL = Secure socket layer
DNSSEC = Domain Name System Security Extensions
Cert = Certificate. The leaf nodes of the "chain of trust"
Re: (Score:2)
In that case if someone does an MITM (or other) attack, how do you know the published SSL cert in a DNS record is really the genuine cert?
After all during the attack, the attacker could publish his own SSL cert as a DNS record. The attacker can pretend to be the dns server as well as the webserver or other server the victim is going t
Re: (Score:1, Informative)
DNSSEC does not encrypt DNS responses, but it authenticates them. That's the whole point.
If your browser connects to slashdot.org, the root server will reply with records which are signed with the private root key. The public key for the org domain is one of those records. Your computer verifies the records with the public root key, which is stored in the resolver configuration. The org server will respond with records which are signed with the private org key. The public key for the slashdot.org domain is
Re: (Score:1)
"This theoretically enables the domain owner to publish his SSL certificate as a DNS record, sidestepping the whole SSL certificate authority hierarchy and the associated fees"
In that case if someone does an MITM (or other) attack, how do you know the published SSL cert in a DNS record is really the genuine cert?
Same way you know that a cert is genuine in SSL: a chain of trust. The browser will come hardcoded with a handful of root certs. Any certificate that's not signed (directly or indirectly) by a root certificate will be ignored. Only a very limited number of parties, perhaps domain name registrars, would be able to sign functional certificates. Therefore you can't forge a DNSSEC certificate unless you can compromise one of these small number of keyholders, which is likely to be difficult, and which can be
Re: (Score:2)
OK if that's the case how does this sidestep fees (see what I'm replying to)?
Are you so sure it's all going to be done for free?
Isn't this more likely to happen:
. (root) signs .org and .com etc and charges them $$$$$$$/year
.com charges $$/year per domain to sign cnn.com, ebay.com, google.com
.org charges $$/year per domain to sign slashdot.org, kernel.org etc
DNSCurve isn't as amenable to "toll/fee extraction" as DNSSEC is.
See: http://www.dnssec-deployment.org/documents/03-03-Mohan_GTLD_PLANS.ppt [dnssec-deployment.org]
"Curren
Re: (Score:1)
OK if that's the case how does this sidestep fees (see what I'm replying to)?
Are you so sure it's all going to be done for free?
Isn't this more likely to happen:
. (root) signs .org and .com etc and charges them $$$$$$$/year
.com charges $$/year per domain to sign cnn.com, ebay.com, google.com
.org charges $$/year per domain to sign slashdot.org, kernel.org etc
All possible in principle, but whether it happens in practice depends on who does the signing. The scenario you describe could perfectly well happen right now with DNS. The root registrar (ICANN) could charge an exorbitant sum of money to be the .com registrar, maybe selling it to the highest bidder with no strings attached; and then the .com registrar (VeriSign or whoever) could charge $1000/year for all .com domain names. But this hasn't, in fact, happened. If the root certifier for DNSSEC is ICANN, w
DNS for LOLCATS (Score:2, Funny)
"Acronyms confuse me."
Then you can has cheeseburgers.
SSL with no, or a bogus cert = "I has encryption. But I might be not be is cat. Might be is dog!"
DNSSEC = "I is cat. You know I is cat"
Re: (Score:2)
DNSSEC = "I am called cat, and nobody is pretending to be me, but I may be a dog"
Proper SSL cert = "I am called cat, I am cat, I can prove I'm cat"
Re: (Score:2)
To be fair, with the verification done for cheap certs, that's all most SSL Certs assure you of anyway.
Just because I have an SSL Cert doesn't mean I am a reputable entity or that I don't lie. (Unless you were referring to EV Certs in which case you have more of a point.)
Re: (Score:2)
Well I said "proper" for a reason, and I should've clarified but didn't. I meant a properly validated cert that actually means something beyond "yeah, your communications with this site are encrypted and probably won't be hijacked."
Personally, I only truly respect secure websites that require client certificates as well.
Re: (Score:2)
To the contrary, DNSSEC could possibly kill the goldmine that is the SSL cert racket. That is, unless having your DNS entry signed somehow becomes a "value added" service you need to pay for extra.
SSL also protects against other threats, such as route poisoning and eavesdropping, neither of which are DNS-related threats. To say that DNSSEC replaces all that is just plain wrong.
If you think that the commercial CAs are running a racket, you don't need to take part. Really. FWIW, I use SSL with a custom CA just fine across some of the servers I look after; we can just distribute the CA certificate manually just fine too, since it is a limited problem space. For your own stuff, that's actually ideal sinc
Re: (Score:2)
SSL also protects against other threats, such as route poisoning and eavesdropping, neither of which are DNS-related threats.
No one is talking about replacing SSL. It's about replacing the way you receive the server's public key.
Currently, the key is provided by the very server you're connecting to, with the only assurance the key is kosher being a signature of a CA on the key. The CAs will happily sign any key if they are paid. In theory, they are supposed to verify the name attached to the key, but that theory has nothing to do with practice.
If you think that the commercial CAs are running a racket, you don't need to take part.
Ok, then try using a self-signed certificate. That would be strictly better than pl
Re: (Score:2)
OK let's assume the root cert doesn't have anything to say.
But you should go to the next obvious step/question: How much will the entities holding the
Free? Really?
As I've said, DNSSEC is not about security it's about creating a way to collect mo
Re: (Score:2)
But you should go to the next obvious step/question: How much will the entities holding the .com and .org keys charge for signing cnn.com, slashdot.org and so on?
Presumably, exactly the same amount they currently charge for those domain names. Isn't the idea to make it the standard, so that whenever you buy a domain name you also get whatever signatures/keys/etc you need to be able to make dnssec work on your domains?
1) If you are using https/ssh/ipsec/openvpn properly, and someone spoofs your dns so you attempt to connect to the wrong server, you will get a warning/error. So what is DNSSEC's added value here?
Or you'll just get an unencrypted page and no error, and only notice if you're actually paying attention.
So someone tell me, what real value does DNSSEC add?
It prevents spoofed DNS responses, even if there is a mitm. This means that you can use DNS for public key distribution (so there's no reason to eve
Re: (Score:2)
If you think that the commercial CAs are running a racket, you don't need to take part. Really. [...] You only need the CAs when you are communicating with people who don't already know you
So you do have to take part, because the browser makers have decided that self-signed SSL is deserving of error messages due to being somehow less secure than plain http. Therefore making it a "racket" instead of just a "scam".
Re: (Score:2)
So you do have to take part, because the browser makers have decided that self-signed SSL is deserving of error messages due to being somehow less secure than plain http. Therefore making it a "racket" instead of just a "scam".
No, browser makers have decided that certificates not added to their 'trusted' certificate list are deserving of error messages due to it being the way encrypted communications are supposed to work.
Re: (Score:2)
T
Re: (Score:1)
I understand why we didn't start with SSL as the default 15 years ago, but we could fix that now.
Computational costs for SSL are apparently not trivial, from what I've been told. Moreover, any kind of encryption completely kills caching proxies, which are essential to performance for a lot of large sites. Wikipedia uses Squids that can serve 3000 req/s per server easily on cache hits. The reason they can do this is because once the cache entry is located, it's simply a matter of instructing the OS to copy a string of bytes from a memory address to a network port and close the connection. There's no
Re: (Score:2)
If you think that the commercial CAs are running a racket, you don't need to take part. Really. [...] You only need the CAs when you are communicating with people who don't already know you
So you do have to take part, because the browser makers have decided that self-signed SSL is deserving of error messages due to being somehow less secure than plain http. Therefore making it a "racket" instead of just a "scam".
It's not a scam. It would just be plain stupid to accept an SSL certificate that was signed by anyone. Just because a site says "Hi, I'm eBay!" doesn't mean that it is. CAs sign the certificate as "proof" that it is really eBay.
Re: (Score:2)
It's not a scam. It would just be plain stupid to accept an SSL certificate that was signed by anyone. Just because a site says "Hi, I'm eBay!" doesn't mean that it is. CAs sign the certificate as "proof" that it is really eBay.
No. It would be stupid to give all the special UI cues for a secure site, with an unverified certificate. SSL with an unverified certificate is approximately as secure as plain http with no encryption, and should be treated the same. (And "signed by any random CA, maybe even a different one than last time" should not be the same as "verified", but that's a different stupidity...)
Re: (Score:2)
It is safe to say "DNSSEC suks" in Slashdot and get "Insightful" mod, because, hey, there are many tinydns admins out there :)
More seriously, DNSSEC has valid criticisms, but this post just reeks of flaming.
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:2)
Re Verisign. If the US government is sincere about listening to the public, the overwhelming majority of comments were fine with just having ICANN "sign the root" leaving Verisign (0 votes) out of the equation. Listening to the global Internet community would be a big step by the new Administration toward rebuilding America's reputation overseas.
As I understand it, the overseas opinion is that America's 'reputation overseas' was destroyed when that 'crook' Bush 'invaded' Iraq.
So you're telling me those same nutjobs are suddenly going to forgive America because some low-level dork in a new administration signs the DNS root?
Note to self: Left-wing nut jobs are even crazier than I thought.
Re: (Score:2)
> As I understand it, the overseas opinion is that America's 'reputation overseas' was
> destroyed when that 'crook' Bush 'invaded' Iraq.
No. Said "reputation" was "destroyed" when Bush was classified as "right wing" (not that they weren't justified in being cautious during the eight years that the White House was occupied by the stupidest man to ever serve as President).
> So you're telling me those same nutjobs are suddenly going to forgive America because
> some low-level dork in a new administra
Re: (Score:1)
the White House was occupied by the stupidest man to ever serve as President
Do you have any concrete evidence to back up this assertion? I'm pretty sure a lot of past presidents have been characterized as idiots by their political opponents. On the other hand, while you might not have to be a genius to get a BA from Yale and an MBA from Harvard, I'd imagine it would be fairly hard if you're genuinely stupid.
Re: (Score:2)
"Left wing nuts" are exactly as crazy as "right wing nuts": totally insane.
Yes I am. ;)
And a good thing too. (Score:3, Insightful)
Apart from the certificate trust scam ("trust us, for you give us money"), too many non-US governments (and non-US non-governmental people, natural or otherwise) won't accept a US govt held root. And why should they?
Yes, arguably a fragmented root is not as good as it should be, but a root held by a single entity, especially one as "trustworthy" as the one with the power to push this through, might, in the long or not so long term, easily cause a plethora of split DNS universes. Which is lots worse.
It really is too bad that the most vocal people with the technical knowledge to understand the impact choose to ignore the politics involved. Yes, smart move people, that will make the issues go away real good.
Re: (Score:2)
I think a fragmented root is ideal, as long as it's clear who you are trusting. I would rather have the EU sign off on some, the US on others, Russia/China on theirs; there is no need to get everything signed by the US (in fact politically AND technically it is a much worse solution).
Is there some reason they can't just put multiple signatures on the records, so the US, Russia, China, etc, could all sign the entire root if they wanted to?
Use DNSCurve (Score:5, Interesting)
DNSSEC relies on having a central "trusted" authority to sign all the DNS keys. Not even speaking about the inherent security issues with this model, that means that everyone will depend on a single authority for name resolution (sure, Network Solutions loves this).
DNSCurve is a much better solution in that it offers a trust system without the need of a central authority. The key is embedded in the DNS name server (NS) hostnames which are always returned by the upper level name server.
See http://dnscurve.org/index.html [dnscurve.org]
Re: (Score:2)
Re: (Score:2, Interesting)
Trust is the same for DNSSEC, it's just that instead of using the root servers as a trust chain, you use a 3rd party that every domain owner has to pay for.
I hardly doubt many institutions will actually pay for signing their zones. To me it's more DNSSEC which is a hype, and I'm under the impression many people pushing for it just don't know the implications (they just want to secure DNS).
DNSCurve is much easier to implement than DNSSEC and also has advantages in terms of cryptography speed and increase of tr
Re: (Score:2)
Trust is the same for DNSSEC, it's just that instead of using the root servers as a trust chain, you use a 3rd party that every domain owner has to pay for.
DNSCurve does not require you to pay any third parties; it is like DNSSEC where you publish your own information. Both technologies are (or in the case of DNSCurve, will be) free.
DNSCurve is much easier to implement than DNSSEC and also has advantages in terms of cryptography speed and increase of traffic.
DNSSEC has many years of actual deployment, not as widespread as it needs to be, but it has been out there and tested.
Can you point me to a single implementation of DNSCurve? Can you even point me to a specification of what exactly it is? I've looked, and the best that I can tell, there aren't any. Moreover, it doesn't appe
Re: (Score:1)
DNSSEC has many years of actual deployment, not as widespread as it needs to be, but it has been out there and tested.
Can you point me to a single implementation of DNSCurve? Can you even point me to a specification of what exactly it is? I've looked, and the best that I can tell, there aren't any. Moreover, it doesn't appear that DJB's website has been updated since he proposed DNSCurve last year.
From the namedroppers mailing list (IETF) there have been reports of independently built clients and servers implementing DNSCurve. I also trust Daniel J. Bernstein to update tinydns & dnscache as required if it gets adopted. Note that Microsoft and Apple, who both have a good share of DNS servers out there, do not have a DNSSEC implementation yet.
The implementation is also much simpler than DNSSEC.
Re: (Score:2)
According to their site [dnscurve.org], it would be possible to just put a DNSCurve cache in front of your authoritative DNS server and not need to change the latter at all.
Re: (Score:2)
DNSSEC relies on having a central "trusted" authority to sign all the DNS keys. [...] that means that everyone will depend on a single authority for name resolution
Uhm... No?
The root key signs the ".org" key, the .org key signs the "slashdot.org" key, etc. Unless the owner of the root key and the .org key is one and the same, you don't have the root controlling whether slashdot can get signed, and you don't have .org controlling whether .com can get signed (and what can get signed under .com).
DNSCurve is a much better solution in that it offers a trust system without the need of a central authority. The key is embedded in the DNS name server (NS) hostnames which are always returned by the upper level name server.
Uhmm... so in DNSCurve you don't need to trust the root? Also, DNSCurve offers integrity of the communication, not integrity of the data. That means if I'm the MITM between yo
Re: (Score:1)
DNSSEC relies on having a central "trusted" authority to sign all the DNS keys. [...] that means that everyone will depend on a single authority for name resolution
Uhm... No?
The root key signs the ".org" key, the .org key signs the "slashdot.org" key, etc. Unless the owner of the root key and the .org key is one and the same, you don't have the root controlling whether slashdot can get signed, and you don't have .org controlling whether .com can get signed (and what can get signed under .com).
Go back to the specs. Every key has to be signed by Network Solutions, and you must update your signatures every 3 months. If you have >100 domains to manage you sure can understand the pain :)
DNSCurve is a much better solution in that it offers a trust system without the need of a central authority. The key is embedded in the DNS name server (NS) hostnames which are always returned by the upper level name server.
Uhmm... so in DNSCurve you don't need to trust the root? Also, DNSCurve offers integrity of the communication, not integrity of the data. That means if I'm the MITM between you and your DNS resolver, assuming you don't connect to the resolver in a secure manner, I can still spoof all the DNS data I want to. That's not possible when the data is signed (or at least it appears to be equivalent to the problem of breaking the cryptography).
At least, this is how I understand it. I welcome any corrections :)
DNSCurve is a trust chain. You have to trust the root and every server in-between to guarantee integrity. Once implemented from the root to the final authoritative server the trust is complete. It doesn't require any modification to registrar interfaces to managing it though, as all you need is to change your NS ho
Re: (Score:1)
Every key has to be signed by Network Solutions, and you must update your signatures every 3 months.
Well, actually it seems that I relied on confusing information - the truth is that the domain owner has to sign it, it just happens that Network Solutions will be the one signing all .com's and probably a bunch of other ones.
Re: (Score:2)
And "only" the people with
Is that really such a big improvement in practice compared to one root authority?
How much do you think they will charge to sign
If the technology is really independent from all that "trusted authority signing" stuff, then it will necessarily also be vulnerable to MITM (and spoofing) attacks, unless the client has
Re: (Score:1)
Not quite. The "root key" will sign the root zone, and all the delegations for the TLDs (.com, .org, .ca, .uk, .gov, etc.)
The TLDs will then sign anything below them. So the .com key will sign the delegation to google.com, and the .org key will sign the delegation to slashdot.org.
It will then be up to each organization to sign their own records, and possibly delegate any sub-domains.
Basically it's one large setup of PGP key-signing and webs of trust.
True. I've been a bit misled... There's still a whole lot of domains that will be signed by Network Solutions though.
While DNSCurve sounds interesting (like a lot of Bernstein's stuff), besides his software, what uses it?
Actually his software does not even implement this yet (I guess he's looking to see if it gets traction from the rest of the world first). Besides, I read on an IETF list about people who independently wrote client and server implementations. It is simpler to implement than DNSSEC in many aspects too.
Re: (Score:3, Insightful)
I think Washington would still be protecting the horse breeders and the stable hand union.
Re: (Score:2)
I'd argue that one function of government is to fund and/or conduct research that wouldn't be economically viable in a for-profit organization. The space program's contributions to technology have already been well cataloged on Slashdot and elsewhere.
Re: (Score:2)
Yes and those NASA-based advances only cost us 1 trillion dollars! What a bargain. Oh wait. No. Had those advances been developed privately, like velcro, they'd only cost 1/100th as much. The Market with its competitive natural selection and cost-cutting mechanism ("invisible hand") is naturally more efficient than politicians.
As for cars:
Well we saw what the government can produce. East Germany's government produced the 2-cycle Trabant, which you can smell coming a mile away, and that still used 50s
Re: (Score:2)
On the other hand: US healthcare vs. UK NHS.
Somehow the US private healthcare is vastly more costly per person per year and worse at actually treating people who are sick.
Yes, for the majority of things private enterprise is better at providing it (as in the case of TFA), but it isn't always the case.
Not perfect, but if it's something people can want and then save up to afford, then private enterprise works great.
I want an Xbox, I don't have the money, I work hard, I save up, I buy it.
On the other hand if part of t
Re: (Score:2)
Re: (Score:2)
Honestly, I think that it would have made more sense to leave space alone until tech reached a point where private enterprise could get there profitably, but there was that whole international pissing contest.
On the upside it gave a generation an interest in science.
And there are sometimes things which while not profitable are still worth doing like certain kinds of research.
More on this, at 11 (Score:5, Insightful)
Follow-up at 11:05 (Score:2)
In other news, the Internet is seeing the government as damage and routing around it.
Funny, I thought it was always the government seeing the Internet as damage and trying desperately to route around it ;-)
Re: (Score:2)
Good.... (Score:2)
Maybe the US Gov. is wise to slow the deployment of DNSSEC. The current design of DNSSEC basically lays out your entire catalogue of DNA entries for anyone to lookup.
Now nobody wants security through obscurity, but at the same time nobody wants to give the bad guys a long list of potential targets or a network diagram.
While several solutions to this issue have been suggested most of them flat out fly in the face of how DNSSEC is designed to work.
Re: (Score:1)
Re: (Score:2)
I don't want to rely on obscurity exclusively, but it's certainly a valuable security tool I wouldn't want to give up unnecessarily.
Re: (Score:2)
Now that was certainly an interesting typo.
Small quibble (Score:2)
"...because the Obama Administration hasn't appointed a Secretary of Commerce yet..."
That reads like the administration has been lax in getting the position filled. Hopefully the third time's a charm:
http://voices.washingtonpost.com/thefix/2009/02/locke_to_commerce.html?hpid=topnews [washingtonpost.com]
I welcome our Washingtonian overlords (Score:2)
As a resident of the Evergreen State, I'm stoked to see another one of our intelligent, liberal, tech-friendly public servants appointed to a federal position:
(from the WP article in parent)
Locke is thoughtful, and having him in charge of the US's interest in IANA sounds li
Government is always slow. (Score:2)
And it's supposed to be so by design. It makes sure that we don't jump back and forth and fly on every whim that everyone has.
That said, the downside is it creates a failure-based culture where it is not what you do right that promotes you but what you do wrong that will get you fired, or prevented from promotion. So for many initiatives no one is willing to put their neck out and push the project. So the DNSSEC is on a list of things to do, that's fine, you make sure you have other things on your list and wait until
DNS Converter Box Coupons (Score:1)
.gov is signed. (Score:1)
dig +dnssec @a.gov.zoneedit.com. gov.
Re: (Score:2)
The TLDs can be signed all they want but if the root isn't signed it doesn't matter without technology like the article discusses.
The root is the invisible dot at the end, not the TLD. It's *above* gov in the hierarchy.
Re: (Score:1)
The trust anchors work. I don't see what the problem is. I use a trust anchor on my DNSSEC deployment because the root isn't signed.
There will be pressure to get the roots signed as more and more TLDs are signed. .gov, .org, plus the plethora of CCTLDs.
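The chain-of-trust walk described in an earlier reply (the root key vouches for the org key, the org key vouches for the slashdot.org key, and the resolver starts from a key it was configured with) and the trust-anchor setup in the comment above, as an added Python example. It is not code from the thread, from ICANN, ISC or any DNS software; it assumes a deliberately simplified model: one key per zone (no KSK/ZSK split), textbook RSA over SHA-256 in place of the RFC 4034 record formats, a DS record that is just a SHA-256 digest of the child's public key, and a constructed scenario with an unsigned root and a signed org zone. The `Zone` and `Resolver` classes, the record values and the zone layout are all made up for the example.

```python
"""Toy DNSSEC chain-of-trust validation with configured trust anchors.
Added example (not from the Slashdot thread or any DNS implementation).
Assumptions: one key per zone, textbook RSA-over-SHA-256 signatures,
DS = SHA-256 of the child's public key, constructed zone data."""
import hashlib
import random
import secrets


# ---- toy RSA: educational only (not padded, not constant-time) ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits=512):
    """Return (public, private) as ((e, n), (d, n)); 512 bits keeps a SHA-256 value below n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data: bytes) -> int:
    d, n = private
    return pow(_h(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    e, n = public
    return pow(sig, e, n) == _h(data)


# ---- zones, delegations (DS) and signed records ----
def key_digest(public) -> str:
    """Toy DS record: digest of the child's key, published in the parent zone."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()


def parent_of(name: str) -> str:
    """'slashdot.org.' -> 'org.', 'org.' -> '.' (the root)."""
    return name.split(".", 1)[1] or "."


def _rr_bytes(owner, rtype, data) -> bytes:
    return f"{owner}|{rtype}|{data}".encode()


class Zone:
    def __init__(self, name, signed=True):
        self.name = name
        self.public, self._private = generate_key() if signed else (None, None)
        self.rrsets = {}  # (owner, rtype) -> (data, signature or None)

    def publish(self, owner, rtype, data):
        """An unsigned zone (the root in this scenario) publishes with no signature."""
        sig = sign(self._private, _rr_bytes(owner, rtype, data)) if self._private else None
        self.rrsets[(owner, rtype)] = (data, sig)

    def delegate(self, child):
        self.publish(child.name, "DS", key_digest(child.public))


class Resolver:
    def __init__(self, zones, trust_anchors):
        self.zones = {z.name: z for z in zones}
        self.anchors = trust_anchors  # zone name -> public key configured locally (a TAR/DLV entry)

    def _key_is_trusted(self, zone) -> bool:
        """Trusted if the key is a configured anchor, or if the parent publishes a
        matching DS record signed by a key that is itself trusted (recursively)."""
        if zone.public is None:
            return False
        if self.anchors.get(zone.name) == zone.public:
            return True
        if zone.name == ".":
            return False  # nothing above the root can vouch for it
        parent = self.zones[parent_of(zone.name)]
        ds = parent.rrsets.get((zone.name, "DS"))
        if ds is None or ds[0] != key_digest(zone.public):
            return False
        if ds[1] is None or not verify(parent.public, _rr_bytes(zone.name, "DS", ds[0]), ds[1]):
            return False
        return self._key_is_trusted(parent)

    def lookup(self, zone_name, owner, rtype):
        """Return validated record data, or None where a real resolver would SERVFAIL."""
        zone = self.zones[zone_name]
        rec = zone.rrsets.get((owner, rtype))
        if rec is None or rec[1] is None or zone.public is None:
            return None
        if not verify(zone.public, _rr_bytes(owner, rtype, rec[0]), rec[1]):
            return None
        return rec[0] if self._key_is_trusted(zone) else None


def scenario():
    """Constructed: unsigned root, signed org, signed slashdot.org publishing a CERT record."""
    root, org, slashdot = Zone(".", signed=False), Zone("org."), Zone("slashdot.org.")
    root.delegate(org)          # DS is present but the root cannot sign it
    org.delegate(slashdot)
    slashdot.publish("www.slashdot.org.", "CERT", "constructed-cert-fingerprint")
    q = ("slashdot.org.", "www.slashdot.org.", "CERT")
    no_anchor = Resolver([root, org, slashdot], {}).lookup(*q)              # chain dead-ends at root
    tar_anchor = Resolver([root, org, slashdot], {"org.": org.public}).lookup(*q)
    rogue = Zone("slashdot.org.")                                           # substituted zone, own key
    rogue.publish("www.slashdot.org.", "CERT", "substituted-cert")
    substituted = Resolver([root, org, rogue], {"org.": org.public}).lookup(*q)
    return no_anchor, tar_anchor, substituted


if __name__ == "__main__":
    print(scenario())  # (None, 'constructed-cert-fingerprint', None)
```

The three results are the point of the thread: with only the unsigned root above it, the org key cannot be validated and the resolver returns nothing; with an org trust anchor configured locally, the same data validates; and a zone served under a substituted key fails at the DS check in the parent, which is the data-origin guarantee a transport-only scheme does not give.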
Re: (Score:2)
Right, I was just saying that there is a need for this type of technology because without it and with just standard DNSSEC the root needs to be signed.
Alternatives (Score:2)
Known as a Trust Anchor Repository, the alternative was announced by ICANN last week and has been in testing since October.
Ah, so the other alternative, look-aside validation [isc.org], currently run by the ISC and something I've been using for ages isn't a solution? OK, I'll stop using it right now...
Clues. Aisle nine. I'd get one, were I you. ICANN ain't the only game in town.
ISC DLV repository updates (Score:2)
Why does this depend on the Secretary of Commerce? (Score:2)
The main thing that I'm not understanding is why the US Secretary of Commerce is responsible for specific technology decisions on the DNS.
Surely the political appointee to that post will not be qualified in any capacity to dictate the specifics about DNSSEC deployment.
Additionally, does the US Government still exert so much direct control over the DNS? I thought they divested their control to ICANN, so they could at least appear to not be thugs running the internet for their own benefit. However the ICANN