DNS root servers and DNSSEC examined


17-page paper on DNSSEC and the DNS root servers
released Thursday by the
Internet Governance Project,
is well worth a read. Its main subject is a proposal for distributing
the responsibility for signing the keys for the root servers, but it
touches on many other interesting considerations:

  • The possible boost that DNSSEC may give to well-established practices
    such as SSH tunneling and PGP-encrypted communications, making them
    even easier to use and more widespread.

  • The importance assigned by the US Department of Defense and Department of
    Homeland Security and other agencies to DNSSEC adoption, suggesting
    that privacy and data integrity provide more security than easy
    surveillance does.

  • Reasons that an over-regulated environment in the DNS market (the
    ICANN monopoly, which it shares with registries) could hold back
    improvements such as the security promised by DNSSEC.

There are lots of criticisms of DNSSEC, which seem borne out by its
slow spread, and many DNS experts say that its goals could be achieved
more simply (perhaps as simply as servers exchanging data using SSH,
just as millions of us do every day when we tunnel into company
servers from home). But the IGP takes DNSSEC quite seriously and wants
to see it happen.

Bruce Schneier and others regularly tear the veil off of certificate
authorities (the things your browser routinely puts in your face with
pop-up dialogs with when you visit secure web sites, and which you
probably ignore, with good reason). Ironically, DNS is the one area of
the Internet where certificate authorities could work, because DNS
is already a centralized, top-down system and therefore provides a
ready-made environment for a similarly centralized system of
validating certificates.

It should be noted at this point that the IGP displays a general
distrust of regulation and government intervention, assuming that any
government control over a technical institution will introduce
unhealthy politics into what should be technical matters. This
attitude, widespread among Internet activists, has dogged the UN and
constituent bodies (the World Summit on the Information Society and
the International Telecommunications Union) ever since they started
showing interest in the Internet. The concerns are reasonable ones,
but keep this in mind as you read the paper.

The source of the IGP proposal is a distaste for allowing a single
institution be responsible for the security of DNS, particularly since
such an institution would probably answer to the U.S. government. The
IGP proposal involves distributing the responsibility for signing
keys: different zones would be signed by different institutions, which
the IGP insists should be non-governmental.

Distributing responsibility means distributing risk, too, of course.
The IGP is aware that their proposal would mean more people with
opportunities to corrupt DNS servers, and more people subject to error
or the corruption of bad intentions. Still, the proposal seems
feasible to me because not many institutions are needed to cover the
major zones, which I assume are the top-level domains (TLDs) and
country-code top-level domains (ccTLDs).

The proposal is reminiscent of central banks such as the U.S. Federal
Reserve Bank. They’re set up by governments but maintain a certain
independence. DNS already has multiple institutions with distributed
responsibility: five regional internet registries distribute IP
addresses, and a number of registries maintain the databases for TLDs
and ccTLDs. These institution have shown a feisty sense of
independence, often throwing demands from governments and ICANN back
in their faces. A few more such institutions couldn’t hurt. But I
can’t judge whether they’d help, either.