North American Network Operators Group


Re: America takes over DNS

  • From: J. Oquendo
  • Date: Mon Apr 02 07:43:13 2007

[email protected] wrote:

Very interesting because it is the second story on the list this weekend
which highlights that DNS domain registries (and ultimately the root
zone) are a single point of failure on the Internet. Wouldn't the holder
of these keys be the only ones able to spoof DNSSEC? And if the criminal
community ever cracks DHS (through espionage or bribery) to acquire
these keys, what would be the result?

A single bodied government which holds the keys to this is quite possibly
a bigger problem than what we currently have. Way too much censorship if
you ask me. Not to get super political here, but there is far too much
going on as it is concerning what can be said, shown, viewed by too many
organizations in power as is.


Given that the existing DNS is built around two distinct classes of IP address, i.e. stable ones that always lead to a root nameserver, and unstable ones which lead to other Internet hosts, could we not design a more flexible naming system around that concept? Could we not have more than 13 stable IP addresses in the net? Could we not leverage something like route servers in order to find the root of a local naming hierarchy?

Problems I can see with this would be when someone on the P2P begins
injecting false data into a stream. How would the mesh be structured so
as to avoid this? Perhaps using the same methods as ICANN, or NANOG, a
group of say 50 companies can be designated the task of maintaining
root servers on a revolving basis. The server could be configured in
a secure fashion (whatever this means nowadays) with maybe checksums
and pass off the information to one another. E.g.:

Verified Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 11.11.11.11 --> nameserver1
nameserver1 --> something.com is at 11.11.11.11 --> User

Problematic Lookup
User --> whois something.com --> nameserver1
nameserver1 --> I see something.com at 11.11.11.11 --> nameserver2
nameserver1 --> where do you see it nameserver2
nameserver2 --> I see it at 22.11.11.11 --> nameserver1
nameserver2 --> where DO YOU SEE something.com --> nameserver3
nameserver3 --> something.com is at 11.11.11.11 --> nameserver1
nameserver1 --> After double checking go to 11.11.11.11 --> user

Creating entries:
nameserver1:
something.com is at 11.11.11.11 let's create a hash

# sample hashing using md5 and sha
$ echo "something.com 11.11.11.11"|shasum
8cb7294f15be3f5b95d24f0e9bf77a57d95345fb
$ echo "something.com 11.11.11.11"|md5
c48af0b24a9014ccdce8b1233ffbb052

Both combined:
8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052

Enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver1 --> After checking go to 11.11.11.11 --> user


Re-enforced Lookup:
User --> whois something.com --> nameserver1
nameserver1 --> Let me check my entry...
nameserver1 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a90XXXXXXXXXXXXXXXXXXXX
nameserver1 --> Not what I have. What do you see --> nameserver2
nameserver2 --> 8cb7294f15be3f5b95d24f0e9bf77a57d95345fbc48af0b24a9014ccdce8b1233ffbb052
nameserver2 --> Something fishy there --> nameserver1
nameserver1 --> Unresolved domain --> User


Any nameserver can now compare that kind of hash before it sends
out replies. If the hash matches, it's legit, if not, obviously
there's a problem. What I can see happening with something like
this would be DNS administrators having to recalculate hashes
whenever they renumber one of their machines.

Something like this would also deter "criminal gangs" from
fiddling with DNS since it would likely be too difficult to
counter. Hijackings could possibly cease, as well as the
possibility of reducing malware if done correctly.

My guess is load balancing, round robin DNS, etc., could affect
this, but I'm sure other engineers here can figure out something
better than allowing any government to intervene and try
to maintain what's perhaps one of the most fragile functions on
the Internet. Maybe even multiple checksums for sites doing the
above-mentioned (load balancing, etc.).

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net


The happiness of society is the end of government.
John Adams
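
The three lookups described in this message (verified, problematic, re-enforced), as an added Python example that is not part of the original post. The `NameServer` class, the `lookup` function, the strict-majority rule and the sample entries are assumptions made for illustration. Because the combined SHA-1 + MD5 digest is unkeyed, an entry whose address and digest are both replaced still passes its own check, so the comparison between servers is what detects it.

```python
import hashlib
import hmac
from collections import Counter

def entry_digest(name, addr):
    # Same bytes as the post's `echo "name addr"` (echo appends a newline),
    # hashed with SHA-1 then MD5 and concatenated ("Both combined").
    record = f"{name} {addr}\n".encode()
    return hashlib.sha1(record).hexdigest() + hashlib.md5(record).hexdigest()

class NameServer:  # hypothetical stand-in for one participating server
    def __init__(self, label, zone):
        self.label = label
        self.zone = dict(zone)  # name -> (addr, stored combined digest)

    def self_check(self, name):
        """True when the stored digest still matches the stored address."""
        addr, digest = self.zone[name]
        return hmac.compare_digest(entry_digest(name, addr), digest)

def lookup(name, first, peers):
    """Return the agreed address, or None for "Unresolved domain"."""
    if name not in first.zone or not first.self_check(name):
        return None  # "Re-enforced Lookup": the local entry fails its hash
    votes = Counter()
    for ns in [first, *peers]:
        if name in ns.zone and ns.self_check(name):
            votes[ns.zone[name]] += 1
    (addr, _), count = votes.most_common(1)[0]
    # "Problematic Lookup": assumed rule, a strict majority must agree
    return addr if count * 2 > len(peers) + 1 else None

# Constructed sample entries
NAME = "something.com"
GOOD = ("11.11.11.11", entry_digest(NAME, "11.11.11.11"))
# Address changed and digest recomputed: passes self_check on its own
FORGED = ("22.11.11.11", entry_digest(NAME, "22.11.11.11"))
# Digest tail overwritten, as in the post's XXXX example
CORRUPT = ("11.11.11.11", GOOD[1][:52] + "X" * 20)

def demo():
    ns = lambda label, entry: NameServer(label, {NAME: entry})
    return {
        "verified": lookup(NAME, ns("ns1", GOOD), [ns("ns2", GOOD)]),
        "problematic": lookup(NAME, ns("ns1", GOOD), [ns("ns2", FORGED), ns("ns3", GOOD)]),
        "re-enforced": lookup(NAME, ns("ns1", CORRUPT), [ns("ns2", GOOD)]),
    }

if __name__ == "__main__":
    print(demo())
```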
