North American Network Operators Group


RE: America takes over DNS

  • From: michael.dillon
  • Date: Mon Apr 02 04:26:39 2007

> The US Department of Homeland Security (DHS) ...
> wants to have the key to sign the DNS root zone
> solidly in the hands of the US government.
> This ultimate master key would then allow
> authorities to track DNS Security Extensions
> (DNSSec) all the way back to the servers that
> represent the name system's root zone on the
> Internet. The "key-signing key" signs the zone
> key, which is held by VeriSign.

Very interesting because it is the second story on the list this weekend
which highlights that DNS domain registries (and ultimately the root
zone) are a single point of failure on the Internet. Wouldn't the holder
of these keys be the only ones able to spoof DNSSEC? And if the criminal
community ever cracks DHS (through espionage or bribery) to acquire
these keys, what would be the result?

I just don't see how adding another single point of failure to the DNS
system, in the form of a master key, helps to strengthen the DNS
overall. It is probably time to start looking at alternative naming
systems. For instance, we have a much better understanding of P2P
technology these days and a P2P mesh could serve as the top level finder
in a naming system rather than having a fixed set of roots. We have a
better understanding of webs of trust that we could apply to such a
mesh. 

Given that the existing DNS is built around two distinct classes of IP
address, i.e. stable ones that always lead to a root nameserver, and
unstable ones which lead to other Internet hosts, could we not design a
more flexible naming system around that concept? Could we not have more
than 13 stable IP addresses in the net? Could we not leverage something
like route servers in order to find the root of a local naming
hierarchy?

Now that well-educated and technically sophisticated criminal groups are
attacking the DNS on multiple fronts, we need to be looking at
alternatives to DNS for naming hosts. We need to get such alternative
systems out into the wild where they can be tested. To date, we have
seen some small amount of innovative thinking around DNS that has been
tested. For instance, alternative roots which have failed in the wild
and anycasting which has been a great success. But these things do not
address the core technical problems of the whole DNS system.

--Michael Dillon
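The key hierarchy the quoted article and the reply are arguing about, modelled as an added example that is not part of the original post or of any DNSSEC implementation: a key-signing key (KSK) signs the zone's published DNSKEY set, a zone-signing key (ZSK) signs ordinary records, and a validating resolver trusts nothing but its configured trust anchor (the KSK public key). The record structures, names, addresses and digests are constructed for illustration and are not the RFC 4034/4035 wire format; Ed25519 stands in for whatever algorithm a real zone would use. The `Demo` function shows why the anchor is the single point of trust the post worries about: a tampered record is rejected, a chain built on a stranger's KSK is rejected, but anything signed under the real KSK private key validates for every resolver anchored on it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPair is a constructed stand-in for a DNSSEC key: one public half that
// is published in the zone, one private half that must stay under control.
type KeyPair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewKeyPair() KeyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return KeyPair{Pub: pub, Priv: priv}
}

// DNSKEYSet is the zone's published keys plus the KSK's signature over them.
type DNSKEYSet struct {
	KSK, ZSK ed25519.PublicKey
	Sig      []byte // produced with the KSK private key
}

// SignedRecord is an ordinary record (name + data) plus the ZSK's signature.
type SignedRecord struct {
	Name, Data string
	Sig        []byte // produced with the ZSK private key
}

// keysetDigest and recordDigest are constructed canonical forms, not the
// real RRset canonicalisation rules.
func keysetDigest(ksk, zsk ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("DNSKEY|"))
	h.Write(ksk)
	h.Write(zsk)
	return h.Sum(nil)
}

func recordDigest(name, data string) []byte {
	h := sha256.Sum256([]byte(name + "|" + data))
	return h[:]
}

// SignZone publishes the DNSKEY set signed by the KSK and one record signed
// by the ZSK, which is the two-level structure the quoted article describes.
func SignZone(ksk, zsk KeyPair, name, data string) (DNSKEYSet, SignedRecord) {
	set := DNSKEYSet{KSK: ksk.Pub, ZSK: zsk.Pub}
	set.Sig = ed25519.Sign(ksk.Priv, keysetDigest(ksk.Pub, zsk.Pub))
	rec := SignedRecord{Name: name, Data: data}
	rec.Sig = ed25519.Sign(zsk.Priv, recordDigest(name, data))
	return set, rec
}

// Validate is the resolver's side: it accepts a record only if the published
// KSK is its configured trust anchor, the DNSKEY set carries a valid KSK
// signature, and the record carries a valid signature from that set's ZSK.
func Validate(anchor ed25519.PublicKey, set DNSKEYSet, rec SignedRecord) bool {
	if !anchor.Equal(set.KSK) {
		return false // published KSK is not the key we were told to trust
	}
	if !ed25519.Verify(anchor, keysetDigest(set.KSK, set.ZSK), set.Sig) {
		return false // DNSKEY set was not signed by the anchor
	}
	return ed25519.Verify(set.ZSK, recordDigest(rec.Name, rec.Data), rec.Sig)
}

// Demo returns four validation results: the legitimate chain, a record
// altered after signing, a chain built on a stranger's KSK, and a chain
// built on a new ZSK under the real KSK (the post's "holder of these keys").
func Demo() (legit, tampered, stranger, realKSK bool) {
	ksk, zsk := NewKeyPair(), NewKeyPair()
	anchor := ksk.Pub // what every validating resolver is configured with

	set, rec := SignZone(ksk, zsk, "example.", "192.0.2.1") // constructed data
	legit = Validate(anchor, set, rec)

	altered := rec
	altered.Data = "198.51.100.9" // constructed: data changed, signature not
	tampered = Validate(anchor, set, altered)

	badSet, badRec := SignZone(NewKeyPair(), NewKeyPair(), "example.", "198.51.100.9")
	stranger = Validate(anchor, badSet, badRec)

	otherSet, otherRec := SignZone(ksk, NewKeyPair(), "example.", "198.51.100.9")
	realKSK = Validate(anchor, otherSet, otherRec)
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("legitimate chain: %v\ntampered record: %v\nstranger's KSK: %v\nnew ZSK under real KSK: %v\n", a, b, c, d)
}
```

The last result is the point of the model: validation proves only that a signature chains back to the anchor, not who produced it, so the value of DNSSEC rests entirely on the custody of the KSK private half and on how a compromised anchor would be detected and rolled.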