Forgot your password?
typodupeerror
The Internet Censorship Privacy Politics

DNSSEC and the Geopolitical Future of the Internet 70

Posted by timothy
from the but-everyone-loves-the-king dept.
synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."
This discussion has been archived. No new comments can be posted.

DNSSEC and the Geopolitical Future of the Internet

Comments Filter:
  • by AdmiralXyz (1378985) on Sunday May 09, 2010 @03:48PM (#32148918)
    From TFA:

    Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

    Isn't that a good thing?

    • Depends on whether the global internet is impacted by the country's shenanigans.
    • by BitterOak (537666)

      From TFA:

      Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.

      Isn't that a good thing?

      Depends who you are. If you are running the global Internet, it's good. If you're running a local or national Internet, it's bad. Pretty much all technology is that way: potentially good for some, bad for others.

      • Re: (Score:3, Insightful)

        by vlm (69642)

        If you're running a censored local or national Internet that depends on injecting falsified DNS responses, it's bad.

        Fixed that typo for you. Note that it has little to no interaction with IP-level blocking or "semitransparent" web proxies, don't worry, China can still oppress their subjects.

    • Not when a judge in East Texas starts blocking sites in other countries because he feels like it.

      • by hitmark (640295)

        the net seems less unstoppable when one consider the "border" routers...

      • Speaking as a U.S. national, I'll gladly take my chances in Marshall. At least with the Texan, there's Due Process and Separation of Church and State and the First Amendment and a ton of case law that supports a (generally) liberal democratic system. It isn't perfect, but it's a hell of a lot better than having the religious police or totalitarian oligarchs make civil rights judgments.

  • by alexandre (53) * on Sunday May 09, 2010 @04:06PM (#32149010) Homepage Journal

    Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones...
    But no, centralized control is much more fun in the eyes of politician who care more about guaranteeing their retirement than freedom for everybody.

    • by Anonymous Coward on Sunday May 09, 2010 @04:12PM (#32149040)
      Your user ID (53) is not only very low, it is also the port number that dns queries are sent to.
    • Re: (Score:3, Insightful)

      by vlm (69642)

      Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts

      False dilemma. You can do both at the same time. BGP IP routing on the net overall is vaguely hierarchical in regards to whom pays for transit and whom peers for free, but is vaguely p2p web of trust in that the DFZ pretty much trust each other to share good routes, or at least folks trust each other at carrier hotels. Some carriers trust some of their customers so much they're practically peering, in that they don't filter their "customers" advertisements, some not so trusting. Whats more P2P than an I

    • by John.P.Jones (601028) on Sunday May 09, 2010 @04:38PM (#32149150)

      DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.

      Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.

      • Re: (Score:3, Insightful)

        by alexandre (53) *

        The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.

        And yes, p2p usually implies a less than 100% reliability and you might get conflict of namespace or some such problem, but it usually gives users a fairer share in the network and makes the user a citizen instead of a consumer.

        Though, this might not be so much of a "p2p vs hierarchic

        • by marka63 (1237718)

          The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.

          Firstly, you can get domains for $0. I have one. I also have ones I pay for.

          Secondly, there are real ongoing costs to be covered and the small costs associated with most parent domains are reasonable or do you expect to everyone to give you a free lunch?

          • Re: (Score:3, Interesting)

            by alexandre (53) *

            I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

            And you do realize that domains like .biz, .info, .jobs, and all those new weird domain were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...

            And I'm paying already to get connected, everything should be "intelligence at the border", I'm p

            • by marka63 (1237718)

              I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

              While cryptographic hash will identify things they leave a lot in terms of usability. <whatever>@<short>.freenet does not scale.

              And you do realize that domains like .biz, .info, .jobs, and all those new weird domain were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...

              I once said to Jon, over lunch, we should get rid of GTLD's. There are very few GLTD's that are useful. That said GTLDs != DNS.

            • by Lennie (16154)

              "I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?"

              What is really nice about the internet, you don't need domainnames to connect, you can connect with anyone from anywhere, usually, domainnames just make it easier to remember. And most systems which are connected to the internet have something which helps to keep an index. For example many people use something like Google to find websites. If your information is relevant to them, you

              • by alexandre (53) *

                Indeed, we can always use just IPs but that's loosing a lot of functionality. And google is definitely a worst alternative than the actual DNS system which is at least a bit decentralized :-)

            • by dkf (304284)

              I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?

              You also know jack shit about the trustability of the information on those systems. Sturgeon's Law applies. If you do something about that (e.g., through a reputation service) then you're setting something up as an authority.

              • by alexandre (53) *

                Yes, and that's exactly the point, when using a web of trust multiple people, you choose yourself, become your authority and you can switch them when you feel cheated.

                Right now i have to trust big banks or certificate authority to care for me ... I'd rather trust my family and friends. Of course you need time to construct all this but if everyone was to switch to such a system we'd all be setuped pretty quickly.

                I'm not pushing for anything specific but just as Shneier talks about security as a process I rea

            • by jonadab (583620)
              > I didn't see anyone paying for namespace in p2p networks or on
              > I2P/FreeNet/etc., maybe we don't need to have parent domains

              Show me a peer-to-peer network that can provide each user (including users who don't have their own computer) with a globally-unique address to which anyone on the network can send a message, and it will be delivered to the right person. (In other words, email.) Show me a peer-to-peer network that's suitable for web-style publishing, wherein you make your content available an
        • by jonadab (583620)
          > The fact that you can't get a domain for 0$

          Do you mean $0? But you *can* get a domain for $0. I have two of them at the moment, and have had others in the past.

          You can't get a *top-level* domain for that, but you can't get a top-level domain at all, unless you meet the requirements, which are pretty steep. (The easiest way is to get yourself recognized as a sovereign nation and get a two-letter TLD. Longer ones are even harder to get.) This is a *good* thing, because DNS wouldn't really scale to e
          • by alexandre (53) *

            Well, 0$ for Quebec, $0 outside of it ;-)

            And if some services cannot be distributed (not that it would be impossible but I'm not arguing about a specific technical solution) than they must be governed globally in a democratic matter according to human rights and all... :)

    • This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

      • by grcumb (781340) on Sunday May 09, 2010 @06:13PM (#32149664) Homepage Journal

        This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.

        I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.

        Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.

        In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.

        I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.

        Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....

  • by rtp (49744)

    It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.

    Signing yourdomain.com req

    • Re: (Score:3, Insightful)

      by lukas84 (912874)

      DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does bind.

      PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.

      • Re: (Score:1, Interesting)

        by rtp (49744)

        What products are submitting keys upstream on change?

        • Re: (Score:1, Informative)

          by Anonymous Coward

          DNSX Secure Signer by Xelerance Corporation. Disclaimer: I work for them. Google it.

      • dnssec-signzone -d /etc/namedb/keys -o foo.domain /etc/namedb/master/db.foo.domain

        It's clearly insanely difficult to sign your zone with BIND.

        It never ceases to amaze me that people expect BIND to do thing outside its scope. Use a configuration management tool to manage BIND. Don't expect every product to include its own bloated incompatible management crap with yet another admin console that I have to load.

        I use puppet to monitor changes to a centrally managed version controlled zone database that is aut

        • by marka63 (1237718)

          You do realise that you don't need to run dnssec-signzone anymore to sign a zone?

          All vendors DNSSEC tools are improving. Perhaps you should do some research before complaining? Remember DNSSEC really is still in the very early stages of deployment and usability will continue to increase.

          • I wasn't complaining. Parent was complaining. Automatic zone signing only work on dynamic zones in 9.6 AFAIK. Might be different in 9.7.
            • by marka63 (1237718)

              I wasn't complaining. Parent was complaining.

              Fair enough, though it wasn't clear.

              Automatic zone signing only work on dynamic zones in 9.6 AFAIK. Might be different in 9.7.

              How else to expect named to know it has change control on the zone? Remember all zones are dynamic. Just that there are different change mechanisms involved. Also just because it is dynamic that doesn't mean that anyone can change the contents. By using UPDATE named can update all the relevant records that are involved in a change. Yes, this is a change in how one does things but one that is for the better I believe.

              • Not if you're using version control
                • by marka63 (1237718)

                  You can still have version control and automatic re-signing. You just don't version control the master file that the name server uses. It's relatively
                  straight forward to make a tool that will take a unsigned master file and
                  generate a delta against the current signed zone contents and use that as the post commit action. The only thing that won't be consistent is the SOA serial.

        • I use puppet to monitor changes to a centrally managed version controlled zone database that is automatically deployed and signed any time it is changed. Bad changes are automatically detected and reverted to a known good state via the version control repository.

          Did you roll your own solution or used third party tools?

          I'm about to inherit responsibility for several unrelated DNS servers and I'm trying to find a way to centrally manage them.

    • by Burdell (228580) on Sunday May 09, 2010 @04:58PM (#32149270)

      Put down the djb Kool-Aid. DNSCurve and DNSSEC do not address the same thing. DNSCurve is essentially SSL for DNS, which requires some way to establish trust with each server you talk to. Since end-users typically only talk to their ISP's recursive servers, that's not too much work, but it only protects the path from the ISP's servers to the end-users (which ISPs can typically protect themselves). DNSCurve does nothing to authenticate the DNS data itself. DNSSEC, on the other hand, authenticates the data at the source. If you look up foo.bar.com, that record can be signed in the bar.com zone, which has trust anchors in .com, which has trust anchors in the root. It doesn't matter who serves the record to you; you can be sure that the data is valid.

      Some ISPs would prefer people to use DNSCurve and think DNS is secure, because it does nothing to protect the data. Those ISPs would still be able to change the results (e.g. all the NXDOMAIN web pages, URL redirects, etc. are still possible). That can't happen with DNSSEC and an authenticating resolver.

      DNSSEC is not set-it-and-forget-it because true security requires maintenance. It isn't just a response to cache poisoning attacks, it addresses the security of the whole system.

      • It's a sad state of affairs, but when you think about it, modern ISP's must be treated as a malicious and disruptive man in the middle attack when it comes to DNS. Not only do they constantly interfere in proper dns operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough, I just hope ISPs don't start rewriting destination addresses to continue their abuse.

      • DNSCurve puts the public key in the DNS server name, so as long as you trust the roots, you could recursively resolve anything.

        If you do not trust your ISP, do not use its DNS caches.

    • by marka63 (1237718)

      Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.

      Really? Splitting keys into KSK and ZSK keys was done so that you DON'T need need to contact the parent zone administrator to roll the keys that sign the zone content. You do need to contact the parent when you update the KSK's but that should be much less often than the ZSK's are changed.

    • by Ethanol (176321)

      DNSSEC and DNSCurve solve two different (though overlapping) problems. DNSSEC is about end-to-end authentication and validation: It strives to ensure that the data you received is the data the actual owner of a name server intended to send, unaltered by anyone along the way. DNSCurve is about ensuring a trustworthy connection between the authoritative name server and the resolver (and incidentally about encrypting queries, which is nice), but it doesn't do a thing to keep the resolver from lying to you.

  • Is it better for one to control all, all to control one, none to control all, or all to control none?

    As any solution, provide sustenance that grows value, not malice and malevolence. it is better not to consider control ever.

    PreDNS-IPv4, DNS, DNSSec... One for all must be all for one, because institutional/national evil lurks behind every wall for everyone.

    China, Clerics, C*Os, and some others seek global economic domination with in hall mazes behind stalinist/maoist walls.

    I suspect, where DNS splits occur,

  • I'm really not seeing much of a downside here. The greatest feature of public-key cryptography is its potential to undermine the state's ability to interfere with communications.

Kleeneness is next to Godelness.

Working...