All, this was inaccurate reporting and no organizational entity has been specified to be the "master key" signer. There has been much discussion about moving DNSSEC forward by our S&T folks to increase the level of security provided, but we've been very much in a facilitating role through S&T's work in this space. If Doug is lurking out there he can provide much more info or insight into this.

Jerry

----- Original Message -----
From: <michael.dillon@bt.com>
To: <nanog@merit.edu>
Sent: Monday, April 02, 2007 4:23 AM
Subject: RE: America takes over DNS
The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign.
Very interesting because it is the second story on the list this weekend which highlights that DNS domain registries (and ultimately the root zone) are a single point of failure on the Internet.

Wouldn't the holder of these keys be the only ones able to spoof DNSSEC? And if the criminal community ever cracks DHS (through espionage or bribery) to acquire these keys, what would be the result? I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps to strengthen the DNS overall.

It is probably time to start looking at alternative naming systems. For instance, we have a much better understanding of P2P technology these days and a P2P mesh could serve as the top level finder in a naming system rather than having a fixed set of roots. We have a better understanding of webs of trust that we could apply to such a mesh. Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?

Now that well-educated and technically sophisticated criminal groups are attacking the DNS on multiple fronts, we need to be looking at alternatives to DNS for naming hosts. We need to get such alternative systems out into the wild where they can be tested.

To date, we have seen some small amount of innovative thinking around DNS that has been tested. For instance, alternative roots which have failed in the wild and anycasting which has been a great success. But these things do not address the core technical problems of the whole DNS system.

-- Michael Dillon
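Editor's note: the quoted article says the root key-signing key (KSK) signs the zone key (the zone-signing key, ZSK) held by VeriSign, and Michael asks who could spoof DNSSEC with those keys. The model below is an added worked example written for this page; it is not code from the thread, from DHS, VeriSign or any DNSSEC implementation. It stands in a toy RSA (tiny primes, no padding, insecure by construction) for the real DNSSEC algorithms so that it runs on the Python standard library alone, and every zone name, record and key in it is constructed. It walks a validating resolver from a root trust anchor (the DS-style digest of the root KSK) down to a leaf record, then tries two attackers: one holding no keys, whose substituted record fails validation, and one holding only the root KSK, who introduces a ZSK of their own, re-signs the root DNSKEY set and mints an entire fake subtree that validates against the unchanged anchor.

```python
import hashlib

# Toy RSA with small primes and no padding: demonstration only, never for real use.
def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def toy_keygen(seed):
    """Deterministic toy key pair for this demo: ((n, e), (n, d))."""
    p = next(x for x in range(10_000_000 + 1_000 * seed, 10_100_000) if is_prime(x))
    q = next(x for x in range(20_000_000 + 1_000 * seed, 20_100_000) if is_prime(x))
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])

# DNSSEC-shaped zone data. ds_of() plays the DS record: a digest of a child's
# KSK that the parent publishes and signs with its own ZSK.
def ds_of(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def dnskey_bytes(ksk_pub, zsk_pub):
    return f"DNSKEY {ksk_pub} {zsk_pub}".encode()

def publish_zone(ksk, zsk, rrsets):
    """Sign a zone: the DNSKEY RRset with the KSK, every other RRset with the ZSK."""
    (ksk_pub, ksk_priv), (zsk_pub, zsk_priv) = ksk, zsk
    return {"DNSKEY": (ksk_pub, zsk_pub),
            "DNSKEY_RRSIG": sign(ksk_priv, dnskey_bytes(ksk_pub, zsk_pub)),
            "RRSETS": {name: (data, sign(zsk_priv, name.encode() + data))
                       for name, data in rrsets.items()}}

# Validating resolver.
def validated_zsk(zone, expected_ds):
    """Trust the ZSK only if the KSK matches the DS we already trust and signs the DNSKEY set."""
    ksk_pub, zsk_pub = zone["DNSKEY"]
    if ds_of(ksk_pub) != expected_ds:
        return None
    ok = verify(ksk_pub, dnskey_bytes(ksk_pub, zsk_pub), zone["DNSKEY_RRSIG"])
    return zsk_pub if ok else None

def validated_rrset(zone, zsk_pub, name):
    data, sig = zone["RRSETS"][name]
    return data if verify(zsk_pub, name.encode() + data, sig) else None

def resolve(zones, trust_anchor, path, name):
    """Walk from the root trust anchor down `path`; return validated data or None."""
    ds = trust_anchor
    for i, zname in enumerate(path):
        zsk = validated_zsk(zones[zname], ds)
        if zsk is None:
            return None
        if i == len(path) - 1:
            return validated_rrset(zones[zname], zsk, name)
        child_ds = validated_rrset(zones[zname], zsk, "DS " + path[i + 1])
        if child_ds is None:
            return None
        ds = child_ds.decode()

PATH, RECORD = [".", "com.", "example.com."], "A www.example.com."

def build_internet():
    """Constructed three-zone hierarchy; returns (zones, trust_anchor, root_ksk)."""
    root_ksk, root_zsk, com_ksk, com_zsk, ex_ksk, ex_zsk = (toy_keygen(i) for i in range(6))
    zones = {
        "example.com.": publish_zone(ex_ksk, ex_zsk, {RECORD: b"192.0.2.10"}),
        "com.": publish_zone(com_ksk, com_zsk, {"DS example.com.": ds_of(ex_ksk[0]).encode()}),
        ".": publish_zone(root_ksk, root_zsk, {"DS com.": ds_of(com_ksk[0]).encode()}),
    }
    return zones, ds_of(root_ksk[0]), root_ksk

def honest_answer():
    zones, anchor, _ = build_internet()
    return resolve(zones, anchor, PATH, RECORD)

def forge_without_keys():
    """On-path attacker swaps the A record but holds no key: the chain breaks."""
    zones, anchor, _ = build_internet()
    _, old_sig = zones["example.com."]["RRSETS"][RECORD]
    zones["example.com."]["RRSETS"][RECORD] = (b"203.0.113.66", old_sig)
    return resolve(zones, anchor, PATH, RECORD)

def forge_with_root_ksk():
    """Holder of the root KSK alone installs their own ZSK, re-signs the root DNSKEY
    set, points DS records at keys they control and mints a fake subtree."""
    zones, anchor, root_ksk = build_internet()
    my_zsk, my_com_ksk, my_com_zsk, my_ex_ksk, my_ex_zsk = (toy_keygen(i) for i in range(10, 15))
    zones["example.com."] = publish_zone(my_ex_ksk, my_ex_zsk, {RECORD: b"203.0.113.66"})
    zones["com."] = publish_zone(my_com_ksk, my_com_zsk, {"DS example.com.": ds_of(my_ex_ksk[0]).encode()})
    zones["."] = publish_zone(root_ksk, my_zsk, {"DS com.": ds_of(my_com_ksk[0]).encode()})
    return resolve(zones, anchor, PATH, RECORD)
```

Two points the model makes concrete. First, the trust anchor a resolver carries pins only the root KSK, so a KSK holder does not need VeriSign's ZSK to forge: they publish a DNSKEY set with a ZSK of their own, and the resolver accepts it because the KSK signature checks out. Second, the KSK is not the only key that can spoof DNSSEC: whoever holds any zone's ZSK or KSK can forge records at or below that zone, and the root keys are special only because nothing sits above them to constrain them. A real DNSSEC deployment differs in detail (algorithms, RRSIG validity windows, NSEC records, the ability to pin additional trust anchors below the root), but the shape of the chain and of the two attacks is the same.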