DNSSEC and the Geopolitical Future of the Internet 70
synsynackack writes "The Register reports that the DNSSEC protocol could have some very interesting geopolitical implications, including erosion of the scope of state sovereign powers. The chairman of ICANN, Peter Dengate-Thrush, explained, 'We will have to handle the geo-political element of DNSSEC very carefully.' Experts also explained that split DNS and the DNSSEC protocol don't match very well; technically, it is possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one."
Clearly what they need to do is just get ride TLDs (Score:1, Interesting)
Re:Clearly what they need to do is just get ride T (Score:1, Informative)
The TLDs serve a very important purpose: They're administrative boundaries. If the policies of one TLD don't suit you, choose a different one for your domains. The DNS root should therefore only have very limited say in how TLD registries do their job and indeed the TLDs are implemented very differently.
Re: (Score:1, Informative)
Then there'd be only one registry and one set of rules - the rules of the root registry. The separate registries are what keeps some level of competition alive. The root registry only gets to set basic interoperability rules, but the economics and technical implementations are the TLD registries' business.
Re: (Score:3, Insightful)
I disagree. Generic TLDs may be useless, but ccTLDs are useful for use in the rest of the world. I, for example, know when I'm buying something from a web shop with a .PT domain that the owner of that domain is a real company registered in Portugal, so it's easier to get my money back if something goes wrong.
Godwined (Score:1)
Re: (Score:2)
I suppose that situation exists everywhere. The
On another note, if you wouldn't mind emailing me about some of those web shops in portugal, I would sure appreciate it. I have found it hard to locate shops in Portugal that will sell online.
Re: (Score:2)
But I'll trust those less. I don't want to force them to register a .PT; but if I have two shops with similar prices for the same products, I'll choose the one with the .PT domain.
Well, shops that sell what? For, e.g., PC co
Re: (Score:2)
Re: (Score:2, Interesting)
Clarify something for me... (Score:5, Insightful)
Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.
Isn't that a good thing?
Re: (Score:2)
Re: (Score:2)
From TFA:
Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”.
Isn't that a good thing?
Depends who you are. If you are running the global Internet, it's good. If you're running a local or national Internet, it's bad. Pretty much all technology is that way: potentially good for some, bad for others.
Re: (Score:3, Insightful)
If you're running a censored local or national Internet that depends on injecting falsified DNS responses, it's bad.
Fixed that typo for you. Note that it has little to no interaction with IP-level blocking or "semitransparent" web proxies, don't worry, China can still oppress their subjects.
Re: (Score:2)
Not when a judge in East Texas starts blocking sites in other countries because he feels like it.
Re: (Score:2)
the net seems less unstoppable when one consider the "border" routers...
Re: (Score:2)
Speaking as a U.S. national, I'll gladly take my chances in Marshall. At least with the Texan, there's Due Process and Separation of Church and State and the First Amendment and a ton of case law that supports a (generally) liberal democratic system. It isn't perfect, but it's a hell of a lot better than having the religious police or totalitarian oligarchs make civil rights judgments.
distributed solutions please? (Score:5, Insightful)
Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts so country and trust their own servers with a great degree than outside ones...
But no, centralized control is much more fun in the eyes of politician who care more about guaranteeing their retirement than freedom for everybody.
Hierarchy Matches The Reality Here (Score:2)
In this case, because the DNS is hierarchical, a hierarchical signature system is the right way to authenticate the names. You hand the registrar for ".com" your $6.00 and a public key, the registrar gives you a signed certificate saying you're the Official Owner of "example.com". That doesn't protect you from trademark suits by other people who say *they* should own the name "example.com", or from somebody handing the registry forged papers saying that they're the domain administrator for your company, a
Re:distributed solutions please? (Score:5, Funny)
Re: (Score:3, Funny)
I sold it to him. It was getting too many connection attempts.
Re: (Score:3, Insightful)
Another attempt to solve things in a hierarchical way that should have been rather fixed with p2p web of trusts
False dilemma. You can do both at the same time. BGP IP routing on the net overall is vaguely hierarchical in regards to whom pays for transit and whom peers for free, but is vaguely p2p web of trust in that the DFZ pretty much trust each other to share good routes, or at least folks trust each other at carrier hotels. Some carriers trust some of their customers so much they're practically peering, in that they don't filter their "customers" advertisements, some not so trusting. Whats more P2P than an I
No, in this case hierarchical is correct (Score:5, Insightful)
DNS names are hierarchical. Each TLD is granted authority to manage its subsequent names as it sees fit and so on. Any attempt to secure this system should mirror the authority of the names themselves. Each country can control the distribution and authentication of names within their own TLD and DNSSEC just provides the appropriate level of cooperation for any client to read and validate those signatures.
Decoupling the hierarchical nature of DNS from a separate authentication mechanism that didn't follow this grain would be needlessly complex and could result in ambiguous or inconsistent results.
Re: (Score:3, Insightful)
The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.
And yes, p2p usually implies a less than 100% reliability and you might get conflict of namespace or some such problem, but it usually gives users a fairer share in the network and makes the user a citizen instead of a consumer.
Though, this might not be so much of a "p2p vs hierarchic
Re: (Score:1)
The fact that you can't get a domain for 0$ implies that this is hierarchical and not free in any sense of the word which worries me and implies struggle about who controls the distribution... I'm no expert on BGB / DNS though.
Firstly, you can get domains for $0. I have one. I also have ones I pay for.
Secondly, there are real ongoing costs to be covered and the small costs associated with most parent domains are reasonable or do you expect to everyone to give you a free lunch?
Re: (Score:3, Interesting)
I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?
And you do realize that domains like .biz, .info, .jobs, and all those new weird domain were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...
And I'm paying already to get connected, everything should be "intelligence at the border", I'm p
Re: (Score:1)
I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?
While cryptographic hash will identify things they leave a lot in terms of usability. <whatever>@<short>.freenet does not scale.
And you do realize that domains like .biz, .info, .jobs, and all those new weird domain were only created because they knew every company wouldn't risk not registering their name everywhere they could and that would give them a huge revenue source? Centralized political corruption indeed...
I once said to Jon, over lunch, we should get rid of GTLD's. There are very few GLTD's that are useful. That said GTLDs != DNS.
Re: (Score:2)
"I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?"
What is really nice about the internet, you don't need domainnames to connect, you can connect with anyone from anywhere, usually, domainnames just make it easier to remember. And most systems which are connected to the internet have something which helps to keep an index. For example many people use something like Google to find websites. If your information is relevant to them, you
Re: (Score:2)
Indeed, we can always use just IPs but that's loosing a lot of functionality. And google is definitely a worst alternative than the actual DNS system which is at least a bit decentralized :-)
Re: (Score:2)
I didn't see anyone paying for namespace in p2p networks or on I2P/FreeNet/etc., maybe we don't need to have parent domains?
You also know jack shit about the trustability of the information on those systems. Sturgeon's Law applies. If you do something about that (e.g., through a reputation service) then you're setting something up as an authority.
Re: (Score:2)
Yes, and that's exactly the point, when using a web of trust multiple people, you choose yourself, become your authority and you can switch them when you feel cheated.
Right now i have to trust big banks or certificate authority to care for me ... I'd rather trust my family and friends. Of course you need time to construct all this but if everyone was to switch to such a system we'd all be setuped pretty quickly.
I'm not pushing for anything specific but just as Shneier talks about security as a process I rea
Re: (Score:1)
> I2P/FreeNet/etc., maybe we don't need to have parent domains
Show me a peer-to-peer network that can provide each user (including users who don't have their own computer) with a globally-unique address to which anyone on the network can send a message, and it will be delivered to the right person. (In other words, email.) Show me a peer-to-peer network that's suitable for web-style publishing, wherein you make your content available an
Re: (Score:1)
Do you mean $0? But you *can* get a domain for $0. I have two of them at the moment, and have had others in the past.
You can't get a *top-level* domain for that, but you can't get a top-level domain at all, unless you meet the requirements, which are pretty steep. (The easiest way is to get yourself recognized as a sovereign nation and get a two-letter TLD. Longer ones are even harder to get.) This is a *good* thing, because DNS wouldn't really scale to e
Re: (Score:2)
Well, 0$ for Quebec, $0 outside of it ;-)
And if some services cannot be distributed (not that it would be impossible but I'm not arguing about a specific technical solution) than they must be governed globally in a democratic matter according to human rights and all... :)
Re: (Score:2)
This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.
Re:distributed solutions please? (Score:4, Interesting)
This generation of the internet was initially dismissed as a toy by most companies and governments and the genie got out of the bottle. They won't make that mistake with the next generation.
I disagree with your diagnosis, but I agree wholeheartedly with your conclusion.
Having worked on the Internet since the early 90s, and having benefited from the massive ignorance of how the Internet works that pervaded business past the end of the decade, I feel it's more like business was able to characterise the symptoms but didn't understand the nature of the disease.
In the 90s, people talked a lot about Disruptive Technologies and (forgive me) Paradigm Shifts. They knew that early adopters reaped the greatest rewards, but beyond that they were more or less aimless.
I think of it as the difference between cleverness and intelligence. The people who actually built the Internet had vision, but only learned how to be clever over time. Businesses working on the Internet got clever first, but even today they're just barely beginning to develop a vision about what they want it to be.
Given that their vision resembles Iran- and China-style Internet more than anywhere else, I too find it a troubling one. I worry that some day I'll be the moral equivalent of an aged hippie, longing for the lost freedom of my youth....
DNSSEC is an arduous solution (Score:2, Interesting)
It's a shame the market didn't go down the DNSCurve (http://dnscurve.org/) road before DNSSEC. DNSSEC as it is currently implemented presents a significant challenge for DNS admins as their job just got more complicated while the tools are still barely capable. BIND with DNSSEC enabled for signing zones and updating your upstream TLD isn't set-it-and-forget-it so I don't see widespread adoption until the implementations are solved with easy point-and-click, set-it-once solutions.
Signing yourdomain.com req
Re: (Score:3, Insightful)
DNSSEC is okay, it's just BIND that sucks. There are several DNS appliance vendors that have fully automated DNSSEC already working. For that matter, the Windows DNS server also sucks on the same level as does bind.
PowerDNS will bring mostly-automated DNSSEC, but it's not done yet.
Re: (Score:1, Interesting)
What products are submitting keys upstream on change?
Re: (Score:1, Informative)
DNSX Secure Signer by Xelerance Corporation. Disclaimer: I work for them. Google it.
Re: (Score:1)
It's clearly insanely difficult to sign your zone with BIND.
It never ceases to amaze me that people expect BIND to do thing outside its scope. Use a configuration management tool to manage BIND. Don't expect every product to include its own bloated incompatible management crap with yet another admin console that I have to load.
I use puppet to monitor changes to a centrally managed version controlled zone database that is aut
Re: (Score:1)
You do realise that you don't need to run dnssec-signzone anymore to sign a zone?
All vendors DNSSEC tools are improving. Perhaps you should do some research before complaining? Remember DNSSEC really is still in the very early stages of deployment and usability will continue to increase.
Re: (Score:1)
Re: (Score:1)
I wasn't complaining. Parent was complaining.
Fair enough, though it wasn't clear.
Automatic zone signing only work on dynamic zones in 9.6 AFAIK. Might be different in 9.7.
How else to expect named to know it has change control on the zone? Remember all zones are dynamic. Just that there are different change mechanisms involved. Also just because it is dynamic that doesn't mean that anyone can change the contents. By using UPDATE named can update all the relevant records that are involved in a change. Yes, this is a change in how one does things but one that is for the better I believe.
Re: (Score:1)
Re: (Score:1)
You can still have version control and automatic re-signing. You just don't version control the master file that the name server uses. It's relatively
straight forward to make a tool that will take a unsigned master file and
generate a delta against the current signed zone contents and use that as the post commit action. The only thing that won't be consistent is the SOA serial.
Re: (Score:2)
Did you roll your own solution or used third party tools?
I'm about to inherit responsibility for several unrelated DNS servers and I'm trying to find a way to centrally manage them.
Re: (Score:1)
Re:DNSSEC is an arduous solution (Score:5, Interesting)
Put down the djb Kool-Aid. DNSCurve and DNSSEC do not address the same thing. DNSCurve is essentially SSL for DNS, which requires some way to establish trust with each server you talk to. Since end-users typically only talk to their ISP's recursive servers, that's not too much work, but it only protects the path from the ISP's servers to the end-users (which ISPs can typically protect themselves). DNSCurve does nothing to authenticate the DNS data itself. DNSSEC, on the other hand, authenticates the data at the source. If you look up foo.bar.com, that record can be signed in the bar.com zone, which has trust anchors in .com, which has trust anchors in the root. It doesn't matter who serves the record to you; you can be sure that the data is valid.
Some ISPs would prefer people to use DNSCurve and think DNS is secure, because it does nothing to protect the data. Those ISPs would still be able to change the results (e.g. all the NXDOMAIN web pages, URL redirects, etc. are still possible). That can't happen with DNSSEC and an authenticating resolver.
DNSSEC is not set-it-and-forget-it because true security requires maintenance. It isn't just a response to cache poisoning attacks, it addresses the security of the whole system.
Re:DNSSEC is an arduous solution (Score:5, Insightful)
It's a sad state of affairs, but when you think about it, modern ISP's must be treated as a malicious and disruptive man in the middle attack when it comes to DNS. Not only do they constantly interfere in proper dns operation to run various scams, they do so blatantly and with no fear of recrimination. DNSSEC can't get here fast enough, I just hope ISPs don't start rewriting destination addresses to continue their abuse.
Re: (Score:2)
DNSCurve puts the public key in the DNS server name, so as long as you trust the roots, you could recursively resolve anything.
If you do not trust your ISP, do not use its DNS caches.
Re: (Score:1)
Signing yourdomain.com requires you and .com to perform a transaction (registrar will perform on behalf of .com) that must recur at some interval for KSK and ZSK updates.
Really? Splitting keys into KSK and ZSK keys was done so that you DON'T need need to contact the parent zone administrator to roll the keys that sign the zone content. You do need to contact the parent when you update the KSK's but that should be much less often than the ZSK's are changed.
Re: (Score:2)
DNSSEC and DNSCurve solve two different (though overlapping) problems. DNSSEC is about end-to-end authentication and validation: It strives to ensure that the data you received is the data the actual owner of a name server intended to send, unaltered by anyone along the way. DNSCurve is about ensuring a trustworthy connection between the authoritative name server and the resolver (and incidentally about encrypting queries, which is nice), but it doesn't do a thing to keep the resolver from lying to you.
One For All and All For One is best for US, EU... (Score:2)
Is it better for one to control all, all to control one, none to control all, or all to control none?
As any solution, provide sustenance that grows value, not malice and malevolence. it is better not to consider control ever.
PreDNS-IPv4, DNS, DNSSec... One for all must be all for one, because institutional/national evil lurks behind every wall for everyone.
China, Clerics, C*Os, and some others seek global economic domination with in hall mazes behind stalinist/maoist walls.
I suspect, where DNS splits occur,
And this is a problem ... why? (Score:3, Insightful)
I'm really not seeing much of a downside here. The greatest feature of public-key cryptography is its potential to undermine the state's ability to interfere with communications.
Re: (Score:1, Interesting)
Every domain has it's own key, and you find a trusted or semi trusted way to get the keys you really care about.
If something is signed with a key you don't trust there is no need to trust that key.
Even simply doing what ssh does and caching the keys of places you have been should be enough to thwart attacks from all but the most industrious.