michael.dillon@bt.com wrote:
Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet. Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result?
A single-bodied government which holds the keys to this is quite possibly a bigger problem than what we currently have. Way too much censorship if you ask me. Not to get super political here, but there is far too much going on as it is concerning what can be said, shown, viewed by too many organizations in power as is.
Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?
Problems I can see with this would be when someone on the P2P begins injecting false data into a stream. How would the mesh be structured so as to avoid this? Perhaps using the same methods as ICANN, or NANOG, a group of say 50 companies can be designated the task of maintaining root servers on a revolving basis. The server could be configured in secure fashion (whatever this means nowadays) with maybe checksums and pass off the information to one another. E.g.:

Verified Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 11.11.11.11 --> nameserver1
nameserver1 --> something.com is at 11.11.11.11 --> User

Problematic Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 22.11.11.11 --> nameserver1
nameserver2 --> where DO YOU SEE something.com --> nameserver3
nameserver3 --> something.com is at 11.11.11.11 --> nameserver1
nameserver1 --> After double checking go to 11.11.11.11 --> user

Creating entries:
nameserver1: something.com is at 11.11.11.11, let's create a hash

# sample hashing using md5 and sha
$ echo "something.com 11.11.11.11"|shasum
8cb7294f15be3f5b95d24f0e9bf77a57d95345fb
$ echo "something.com 11.11.11.11"|md5
c48af0b24a9014ccdce8b1233ffbb052

Both combined:
8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052

Enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver1 --> After checking go to 11.11.11.11 --> user

Re-enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a90XXXXXXXXXXXXXXXXXXXX
nameserver1 --> Not what I have. What do you see --> nameserver2
nameserver2 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver2 --> Something fishy there --> nameserver1
nameserver1 --> Unresolved domain --> User

Any nameserver can now compare that kind of hash before it sends out replies. If the hash matches, it's legit; if not, obviously there's a problem. What I can see happening with something like this would be DNS administrators having to recalculate hashes whenever they renumber one of their machines. Something like this would also deter "criminal gangs" from fiddling with DNS since it would likely be too difficult to counter. Hijackings could possibly cease, as well as the possibility of reducing malware if done correctly. My guess is load balancing, round robin DNS, etc., could affect this, but I'm sure other engineers here can figure out something better than allowing any government to intervene and try to maintain what's perhaps one of the most fragile functions on the Internet. Maybe even multiple checksums for sites doing above-mentioned (load balancing, etc.)

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
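The cross-checking lookup sketched in the post above, simulated in-process as an added Python example (not code from the post): each nameserver stores the concatenated SHA-1 and MD5 hash of its "name ip" entry, re-checks that stored hash before answering, and asks its peers, returning the IP only when a majority agree. The nameserver labels, the 22.11.11.11 injected answer and the corrupt_hash helper are constructed for the demo.

```python
import hashlib
from collections import Counter

def record_hash(name, ip):
    # Mirror the post's pipeline: echo "name ip" | shasum and | md5, then concatenate.
    # echo appends a newline, so the hashed bytes include it here as well.
    line = f"{name} {ip}\n".encode()
    return hashlib.sha1(line).hexdigest() + hashlib.md5(line).hexdigest()

class Nameserver:
    """Holds name -> [ip, stored_hash]; the hash is computed when the entry is created."""
    def __init__(self, label, records):
        self.label = label
        self.table = {n: [ip, record_hash(n, ip)] for n, ip in records.items()}

    def corrupt_hash(self, name):
        # Constructed helper: reproduce the post's "...XXXX" case, a stored hash that
        # no longer matches the entry it was computed over.
        ip, h = self.table[name]
        self.table[name] = [ip, h[:-20] + "X" * 20]

    def entry_is_consistent(self, name):
        ip, h = self.table[name]
        return record_hash(name, ip) == h

def lookup(name, primary, peers):
    """Return the IP, or None for the post's "Unresolved domain" reply.
    Step 1 (re-enforced lookup): the primary re-checks its own stored hash.
    Step 2 (problematic lookup): peers are asked and the (ip, hash) pair seen by a
    majority of all servers wins; a bare disagreement with no tie-breaker resolves nothing."""
    if name not in primary.table or not primary.entry_is_consistent(name):
        return None
    votes = Counter()
    for srv in [primary, *peers]:
        if name in srv.table and srv.entry_is_consistent(name):
            votes[tuple(srv.table[name])] += 1
    (ip, _), count = votes.most_common(1)[0]
    return ip if count * 2 > 1 + len(peers) else None

if __name__ == "__main__":
    ns1 = Nameserver("nameserver1", {"something.com": "11.11.11.11"})
    ns2 = Nameserver("nameserver2", {"something.com": "22.11.11.11"})  # injected bad answer
    ns3 = Nameserver("nameserver3", {"something.com": "11.11.11.11"})
    print("problematic lookup:", lookup("something.com", ns1, [ns2, ns3]))  # 11.11.11.11
    ns1.corrupt_hash("something.com")
    print("re-enforced lookup:", lookup("something.com", ns1, [ns2, ns3]))  # None
```

An unkeyed hash like this is recomputable by whoever can insert a record, so the scheme checks consistency between servers rather than who published the entry; that authenticity gap is what the signatures in DNSSEC address.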