DNS root servers and DNSSEC examined

A 17-page paper on DNSSEC and the DNS root servers, released Thursday by the Internet Governance Project, is well worth a read. Its main subject is a proposal for distributing the responsibility for signing the keys for the root servers, but it touches on many other interesting considerations:

• The possible boost that DNSSEC may give to well-established practices such as SSH tunneling and PGP-encrypted communications, making them even easier to use and more widespread.

• The importance assigned by the US Department of Defense and Department of Homeland Security and other agencies to DNSSEC adoption, suggesting that privacy and data integrity provide more security than easy surveillance does.

• Reasons that an over-regulated environment in the DNS market (the ICANN monopoly, which it shares with registries) could hold back improvements such as the security promised by DNSSEC.

There are lots of criticisms of DNSSEC, which seem borne out by its slow spread, and many DNS experts say that its goals could be achieved more simply (perhaps as simply as servers exchanging data using SSH, just as millions of us do every day when we tunnel into company servers from home). But the IGP takes DNSSEC quite seriously and wants to see it happen.

Bruce Schneier and others regularly tear the veil off of certificate authorities (the things your browser routinely puts in your face with pop-up dialogs with when you visit secure web sites, and which you probably ignore, with good reason). Ironically, DNS is the one area of the Internet where certificate authorities could work, because DNS is already a centralized, top-down system and therefore provides a ready-made environment for a similarly centralized system of validating certificates.

It should be noted at this point that the IGP displays a general distrust of regulation and government intervention, assuming that any government control over a technical institution will introduce unhealthy politics into what should be technical matters. This attitude, widespread among Internet activists, has dogged the UN and constituent bodies (the World Summit on the Information Society and the International Telecommunications Union) ever since they started showing interest in the Internet. The concerns are reasonable ones, but keep this in mind as you read the paper.

The source of the IGP proposal is a distaste for allowing a single institution be responsible for the security of DNS, particularly since such an institution would probably answer to the U.S. government. The IGP proposal involves distributing the responsibility for signing keys: different zones would be signed by different institutions, which the IGP insists should be non-governmental.

Distributing responsibility means distributing risk, too, of course. The IGP is aware that their proposal would mean more people with opportunities to corrupt DNS servers, and more people subject to error or the corruption of bad intentions. Still, the proposal seems feasible to me because not many institutions are needed to cover the major zones, which I assume are the top-level domains (TLDs) and country-code top-level domains (ccTLDs).

The proposal is reminiscent of central banks such as the U.S. Federal Reserve Bank. They're set up by governments but maintain a certain independence. DNS already has multiple institutions with distributed responsibility: five regional internet registries distribute IP addresses, and a number of registries maintain the databases for TLDs and ccTLDs. These institution have shown a feisty sense of independence, often throwing demands from governments and ICANN back in their faces. A few more such institutions couldn't hurt. But I can't judge whether they'd help, either.