North American Network Operators Group


Re: America takes over DNS

  • From: Peter Dambier
  • Date: Mon Apr 02 07:18:09 2007


The Racines Libres have failed?


There are so many out there that we cannot count them any longer.

I think the only failure is the "single point of failure root".

They have failed to be trustworthy.


It is so easy, get a copy of a trustworthy root-zone and run your own root. From time to time compare your root to the others and fix any diffs.

Better take the authoritative servers and fix your root-zone.

I have never seen a personal root-server attacked.
The single point of failure root gets attacked once per hour,
because every hour it is 8 o'clock in the morning in some place
and all those Windows boxes get switched on.

Cheers
Peter and Karin Dambier


[email protected] wrote:
The US Department of Homeland Security (DHS) ...
wants to have the key to sign the DNS root zone
solidly in the hands of the US government.
This ultimate master key would then allow
authorities to track DNS Security Extensions
(DNSSec) all the way back to the servers that
represent the name system's root zone on the
Internet. The "key-signing key" signs the zone
key, which is held by VeriSign.


Very interesting because it is the second story on the list this weekend
which highlights that DNS domain registries (and ultimately the root
zone) are a single point of failure on the Internet. Wouldn't the holder
of these keys be the only ones able to spoof DNSSEC? And if the criminal
community ever cracks DHS (through espionage or bribery) to acquire
these keys, what would be the result?

I just don't see how adding another single point of failure to the DNS
system, in the form of a master key, helps to strengthen the DNS
overall. It is probably time to start looking at alternative naming
systems. For instance, we have a much better understanding of P2P
technology these days and a P2P mesh could serve as the top level finder
in a naming system rather than having a fixed set of roots. We have a
better understanding of webs of trust that we could apply to such a
mesh.


Given that the existing DNS is built around two distinct classes of IP
address, i.e. stable ones that always lead to a root nameserver, and
unstable ones which lead to other Internet hosts, could we not design a
more flexible naming system around that concept? Could we not have more
than 13 stable IP addresses in the net? Could we not leverage something
like route servers in order to find the root of a local naming
hierarchy?

Now that well-educated and technically sophisticated criminal groups are
attacking the DNS on multiple fronts, we need to be looking at
alternatives to DNS for naming hosts. We need to get such alternative
systems out into the wild where they can be tested. To date, we have
seen some small amount of innovative thinking around DNS that has been
tested. For instance, alternative roots which have failed in the wild
and anycasting which has been a great success. But these things do not
address the core technical problems of the whole DNS system.

--Michael Dillon


--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [email protected]
mail: [email protected]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
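The "compare your root to the others and fix any diffs" step from Peter's post, as an added example that is not part of the thread: a small Python zone differ run over two constructed root-zone copies (names mimic the root, addresses are RFC 5737 documentation ranges, not real root-server data). It assumes one record per line with fully-qualified owner names and no parenthesised multi-line records.

```python
# Constructed sample data: a local root-zone copy and one fetched from another
# root operator. Names mimic the root; addresses are RFC 5737 documentation
# ranges, not real root-server addresses.
LOCAL_ZONE = """\
$TTL 86400
; local copy
.                   518400  IN NS a.root-servers.net.
.                   518400  IN NS b.root-servers.net.
a.root-servers.net. 3600000 IN A  192.0.2.4
b.root-servers.net. 3600000 IN A  192.0.2.5
example.            172800  IN NS ns.example.
ns.example.         172800  IN A  198.51.100.10
"""

REMOTE_ZONE = """\
.                   518400  IN NS a.root-servers.net.
.                   518400  IN NS b.root-servers.net.
.                   518400  IN NS c.root-servers.net.
a.root-servers.net. 3600000 IN A  192.0.2.4
b.root-servers.net. 3600000 IN A  203.0.113.5
c.root-servers.net. 3600000 IN A  192.0.2.6
example.            172800  IN NS ns.example.
ns.example.         172800  IN A  198.51.100.10
"""

def parse_zone(text):
    """Return a set of (owner, type, rdata) tuples. TTL and class are
    dropped so that TTL-only differences do not count as divergence."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip comments
        if not line or line.startswith("$"):  # skip blanks and directives
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        records.add((owner, rest[0].upper(), " ".join(rest[1:]).lower()))
    return records

def diff_zones(local_text, remote_text):
    """Records present in only one copy: the 'diffs' the post says to fix.
    A changed glue address shows up as one only_local plus one only_remote."""
    local, remote = parse_zone(local_text), parse_zone(remote_text)
    return {"only_local": sorted(local - remote),
            "only_remote": sorted(remote - local)}
```

Any non-empty result is the signal to go back to the authoritative servers and decide which copy is right before overwriting your own.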