
DHS Wants Master Key for DNS

Zonk posted about 7 years ago | from the they-own-all-the-locks-and-doors dept.

Privacy 266

An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"



DNSSec (5, Informative)

tronicum (617382) | about 7 years ago | (#18556833)

...it will make spoofing IP-addresses impossible...

No. It secures DNS. So you can't spoof domain names. It secures that the DNS server is authoritative so the DNS query was answered right. If somebody spoofs an IP in your network, you won't be saved.

Re:DNSSec (-1, Troll)

Anonymous Coward | about 7 years ago | (#18556917)

It's the JEWS, stupid...
The JEWS want control of the internet because they have to censor the TRUTH about them, they have to stop their 'cattle' (goyim) from speaking out against them...


http://www.dailymail.co.uk/pages/live/articles/new s/news.html?in_article_id=445754&in_page_id=1770 [dailymail.co.uk]

Still, they will just use the 'get out of jail free' Holycause card to push this through even more... After all, the 'cattle' are no longer for the Jews' bullshit media, which they almost exclusively control, and people are starting to question them more and more...

No war for Israel!

Re:DNSSec (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#18556975)

Exactly, and I'm happy ICANN is overseen by the US Government. Not ecstatic, just happier than I would be if China, Iran or the EU were involved. As for the UN, they aren't even fit to manage DNS on a local network.

Re:DNSSec (5, Insightful)

jovetoo (629494) | about 7 years ago | (#18557049)

I hope you can understand that no-one else in the world shares even your minimal believe in the US government?

Re:DNSSec (4, Insightful)

khallow (566160) | about 7 years ago | (#18557087)

I gather that information doesn't matter to the OP either. Personally, if some country were to control such information, I'd rather it were someone with a long history of strict neutrality like Switzerland.

Re:DNSSec (2, Informative)

Score Whore (32328) | about 7 years ago | (#18557191)

Switzerland isn't neutral. They are firmly on their side. You can tell by the way they looted Jewish deposits during World War II.

Re:DNSSec (3, Insightful)

Almost-Retired (637760) | about 7 years ago | (#18557357)

I hope you can understand that no-one else in the world shares even your minimal belief in the US government?

I fixed your spelling but that's minor. I'm a US citizen, but what in the world ever gave you the idea that we the US people actually believe those jerks inside the beltway? I don't trust any of them. I just hope we can survive as a country till Noon Jan 20, 2009. Regardless of who wins the not too well concealed game of musical chairs, we at least will be rid of one 'born again Christian' and can begin to try to heal the pain and suffering of the legacy he leaves behind. They all say 'Trust me' but they want the keys to the lockbox nonetheless. The modern day version of Jim & Tami Bakker, praise the lord, but send me the money.

Cheers, Gene
"There are four boxes to be used in defense of liberty:
  soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: How do you keep a moron in suspense?

Re:DNSSec (1)

Savantissimo (893682) | about 7 years ago | (#18557685)

I hope you can understand that no-one else in the world shares even your minimal believe in the US government?

That's an understatement. For me, this ploy just means I can add "router-rooting" to my existing list of: "retard-raping rump-humping rabid-rover-rogering right-wing runt-reamers", but perhaps even highly-hyphenated alliterative invective can be excessive? That's one perspective, but the objective will reject it.

Re:DNSSec (3, Insightful)

StartCom (1018308) | about 7 years ago | (#18557103)

However it shouldn't belong to anyone, but be free! Having the keys in the hands of any government is dangerous!

Re:DNSSec (4, Insightful)

krbvroc1 (725200) | about 7 years ago | (#18557495)

What are you talking about? How can giving a secret key to a third party 'secure DNS'? If I am the only one who has a key to my house and I make an additional copy and give it to a third party, my house is now less secure. Why are you and the article spinning this as some greater level of security? Your correction about IP vs DNS spoofing is correct.

First they came for the DNS... (0)

Anonymous Coward | about 7 years ago | (#18556841)

... and then they came for you!

Incentive for alternative roots (4, Insightful)

grasshoppa (657393) | about 7 years ago | (#18556883)

This should (rightly so) piss off external entities (i.e. foreign nations) enough to have them set up alternative roots. And I, for one, will be using those as opposed to the "secure" ones.

Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependent on it.

Actually (-1, Troll)

Anonymous Coward | about 7 years ago | (#18556955)

Me and most of my friends hate David Hasslehoff. You could say Americans love Hasslehoff since you like watching his naked body on Baywatch so much (American TV show, no?)

Re:Actually (1)

grasshoppa (657393) | about 7 years ago | (#18557437)

Me and most of my friends hate David Hasslehoff. You could say Americans love Hasslehoff since you like watching his naked body on Baywatch so much (American TV show, no?)

This is actually from an SNL skit from years ago. It always made me crack up, and I have yet to figure out why exactly. I've since been meaning to change it to reflect something significant or deep, but have yet to come up with anything beyond random political BS of one sort or another.

Re:Incentive for alternative roots (1)

Howitzer86 (964585) | about 7 years ago | (#18556997)

I think China was setting up another root. You'll be no more secure using it though... and perhaps less so. And that's assuming you could even use it from outside the country.

Re:Incentive for alternative roots (5, Insightful)

Seumas (6865) | about 7 years ago | (#18557081)

I still have yet to understand what fear they have of internet terrorism. When was the last time terrorists killed someone over the internet?! This sounds more like the supposedly disbanded TIA working under the guise of DHS.

By the way, how scary is it that DHS used to be the commonly used acronym associated with "Department of Human Services". And now this...

Good to know that DHS can put its hands in ANYTHING regardless of nature as long as they claim it has some association in some minor (or even non-existent but hypothetical) way.

Re:Incentive for alternative roots (3, Insightful)

mikeisme77 (938209) | about 7 years ago | (#18557307)

It isn't about preventing terrorism-related deaths, but economic terrorism.

Re:Incentive for alternative roots (1)

j35ter (895427) | about 7 years ago | (#18557593)

...Like starting a war for oil, or supporting bloodthirsty dictators in the 3rd world?

Re:Incentive for alternative roots (4, Insightful)

illegalcortex (1007791) | about 7 years ago | (#18557601)

"Economic terrorism" is a buzzword. It's part of the "stick terrorism on the end to make people listen to your ranting" movement. I've even heard "judicial terrorism" and "legislative terrorism" before.

The term "terrorism" means premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.
https://www.cia.gov/terrorism/faqs.html [cia.gov]

Re:Incentive for alternative roots (5, Insightful)

ady1 (873490) | about 7 years ago | (#18557869)

It isn't about terrorism at all. It is about control and about policing the rest of the world.

I hope they do that and piss off the rest of the world so that they form an independent organization for such matters.

Incentive for alternative blond roots (0)

Anonymous Coward | about 7 years ago | (#18557153)

"Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependent on it."

P2P DNS. You can trust us. Right?

Re:Incentive for alternative roots (1, Insightful)

Kristoph (242780) | about 7 years ago | (#18557173)

If, as a foreign power, your security could be defeated by IP spoofing then, honestly, your security issues are not going to be solved by managing your own root. In fact, if you're so inept, then you probably should leave DNS security in the hands of the US government because, frankly, that DNS root of yours is going to be hacked by script kiddies and spammers in no time flat and trash your whole infrastructure, impacting your economy. Honestly, having the US government spy on you is probably preferable, and they're going to do it anyway, root or no root.


Re:Incentive for alternative roots (2, Insightful)

ookabooka (731013) | about 7 years ago | (#18557401)

. . . and they're going to do it anyway, root or no root.

Well if that's the case then I guess there's no point in doing anything about it.

Re:Incentive for alternative roots (4, Interesting)

snowgirl (978879) | about 7 years ago | (#18557599)

Ah... the joys of the Americo-centric viewpoint. Forget your own sovereignty, it's probably too much for you to deal with anyways. Just let the US do it all for you.

God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.

Re:Incentive for alternative roots (0)

Anonymous Coward | about 7 years ago | (#18557177)

As you suggest, if the US continues to demand control over the DNS root servers it will lead to the fragmentation of the system. Other countries' tolerance of the status quo should not be taken for granted. Significant public money is being spent around the planet on network infrastructure; allowing any gov't to control such a central component of the system is providing them with a very big stick to beat you with.

If the US pushes on this they will lose, the DNS system will fragment, they will have gained nothing for their efforts, and we will all be worse off as a result.

This could get complicated (3, Interesting)

davidwr (791652) | about 7 years ago | (#18557271)

Imagine if there were 2 or more sets of "root" servers which were by and large identical. One under the thumb of the USA and one run by the international community, and maybe one set run by each repressive regime on the planet, e.g. China. All would get authoritative data from domain registrars just like the current root. All would be open to "controlled poisoning" by those who held the keys.

Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and governments in freer countries could allow their customers to choose their own root if they so desired.

Now imagine a world where ISPs and customers in totally free countries compare results from all available sets of root servers, look for inconsistencies, and if there is an inconsistency, check with the authoritative nameserver for the domain as reported by whois. If the DNS lookup for the whois server was not consistent then it will be handled as an exceptional case: The end-user will get a result that might or might not be correct and technicians will be alerted so they can figure out what the real IP addresses of the whois server are.
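The cross-checking procedure described in this post, written out as an added Go example (it is not code from the poster or from any DNS software). The root sets, whois entries and authoritative records are constructed inline; a real implementation would send queries instead, and would derive the registrable domain with public-suffix logic rather than by stripping the first label as done here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RootSet is one set of root servers plus the answers a resolver following
// that root arrives at (constructed data: owner name -> A record rdata).
type RootSet struct {
	Name    string
	Answers map[string][]string
}

// Whois maps a domain to its whois-listed nameserver host; Authoritative maps
// a nameserver's IP address to the records it serves, so asking the
// authoritative server first needs a trustworthy address for it.
type Whois map[string]string
type Authoritative map[string]map[string][]string

type Verdict int

const (
	Consistent       Verdict = iota // every root set agreed
	ViaAuthoritative                // roots disagreed; answer came from the whois-listed nameserver
	Exceptional                     // the nameserver's own address was disputed; answer is best effort
)

type Result struct {
	Addrs      []string
	Verdict    Verdict
	Dissenters []string // root sets whose answer differed from the majority
}

func canonical(addrs []string) string { // order-independent key for an answer set
	c := append([]string(nil), addrs...)
	sort.Strings(c)
	return strings.Join(c, ",")
}

// vote groups the root sets by their answer for name and returns the majority
// answer, the roots that disagreed with it, and whether all of them agreed.
func vote(name string, roots []RootSet) (majority, dissenters []string, unanimous bool) {
	groups, sample := map[string][]string{}, map[string][]string{}
	for _, r := range roots {
		key := canonical(r.Answers[name])
		groups[key] = append(groups[key], r.Name)
		sample[key] = r.Answers[name]
	}
	best, bestLen := "", -1
	for key, members := range groups { // largest group wins; ties broken by key
		if len(members) > bestLen || (len(members) == bestLen && key < best) {
			best, bestLen = key, len(members)
		}
	}
	for key, members := range groups {
		if key != best {
			dissenters = append(dissenters, members...)
		}
	}
	sort.Strings(dissenters)
	return sample[best], dissenters, len(groups) == 1
}

// CrossCheck compares every root set's answer for name. On disagreement it
// finds the domain's nameserver via whois, cross-checks that host's address the
// same way, and only if the roots agree on it asks that server directly. If the
// nameserver lookup is disputed too, the majority answer comes back flagged
// Exceptional so a technician can be alerted.
func CrossCheck(name string, roots []RootSet, whois Whois, auth Authoritative) Result {
	majority, dissenters, unanimous := vote(name, roots)
	if unanimous {
		return Result{Addrs: majority, Verdict: Consistent}
	}
	// The owner name's parent stands in for the registrable domain here.
	domain := strings.Join(strings.Split(strings.TrimSuffix(name, "."), ".")[1:], ".")
	if ns, known := whois[domain]; known {
		if nsAddrs, _, nsUnanimous := vote(ns, roots); nsUnanimous && len(nsAddrs) > 0 {
			if zone, ok := auth[nsAddrs[0]]; ok {
				return Result{Addrs: zone[name], Verdict: ViaAuthoritative, Dissenters: dissenters}
			}
		}
	}
	return Result{Addrs: majority, Verdict: Exceptional, Dissenters: dissenters}
}

// Constructed sample: two root sets agree, a third has been tampered with.
var honest = map[string][]string{"www.example.com.": {"192.0.2.10"}, "ns1.example.com.": {"192.0.2.53"},
	"mail.example.net.": {"203.0.113.25"}, "ns1.example.net.": {"203.0.113.53"}}
var tampered = map[string][]string{"www.example.com.": {"198.51.100.66"}, "ns1.example.com.": {"192.0.2.53"},
	"mail.example.net.": {"198.51.100.25"}, "ns1.example.net.": {"198.51.100.53"}}
var sampleRoots = []RootSet{{"root-A", honest}, {"root-B", honest}, {"root-C", tampered}}
var sampleWhois = Whois{"example.com": "ns1.example.com.", "example.net": "ns1.example.net."}
var sampleAuth = Authoritative{"192.0.2.53": {"www.example.com.": {"192.0.2.10"}}}

func main() {
	for _, q := range []string{"ns1.example.com.", "www.example.com.", "mail.example.net."} {
		r := CrossCheck(q, sampleRoots, sampleWhois, sampleAuth)
		fmt.Printf("%-18s verdict=%d addrs=%v dissenters=%v\n", q, r.Verdict, r.Addrs, r.Dissenters)
	}
}
```

The three sample names exercise the three outcomes: ns1.example.com. is consistent across all roots, www.example.com. is disputed but the nameserver's address is not, so the authoritative answer wins, and mail.example.net. is disputed all the way down and is handed back as exceptional with the dissenting root named.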

Re:Incentive for alternative roots (1)

daniel23 (605413) | about 7 years ago | (#18557333)

True, and it has. Take a look at ORSN [orsn.net]; when this news was discussed on heise.de (an influential IT news service in Germany) many posters linked to that European Open Root Server Network.

(re: your signature: as a German I should love him, but who is Hasslehoff?)

Alternative Keys, not Alternative Roots (2, Insightful)

billstewart (78916) | about 7 years ago | (#18557635)

What we need here is alternative keys to verify the signatures on TLDs like .com, .net, .uk, .de, .iq etc. You can do that without setting up an alternative root system. Of course, while the DHS is demanding the keys for the root from ICANN publicly, you *know* they'll be privately demanding the keys for .com from Verisign or whoever it is these days, and trusting .com not to be forged is really a much bigger issue than whether the US politicians may decide to forge keys in .cn some day just for fun.

The solution to trusting the root is for trusted institutions to maintain sets of alternate public keys that are used to sign the TLDs, and designing DNSSEC software so you can use your cached version of those keys if you don't trust the root.

There are two reasons for alternate roots, as opposed to alternate trust keys. A theoretical reason would be a political move by somebody, probably the CCTLD owners jointly with the ITU or maybe the UN, to take over the root so the US government would stop annoying them. That might be good. But the real reason was because people wanted to sell alternate TLDs, like .sex and .whateverIfeltlike, back when there were only the original TLDs and CCTLDs; I forget if the early ones dated back to Jon Postel's time or if they were mainly in the period of chaos after he died.

wtf! (4, Insightful)

BuR4N (512430) | about 7 years ago | (#18556889)

"and be able to break into computers connected to the Internet without much effort"

Didn't know that spoofing an IP was all it took to break into a computer.....

Re:wtf! (1)

StartCom (1018308) | about 7 years ago | (#18557151)

But it helps! It's a first step... suppose you know that your DNS data is supposedly secured; one tends to trust and be less careful. The next step would be a spoofed SSL from some US CA ;-)

Re:wtf! (1, Informative)

tsoldrin (969533) | about 7 years ago | (#18557245)

It's a simple matter to point the DNS entry to a machine of your choice and then just pass all the traffic on through to the real machine, monitoring both directions thereafter. As soon as anyone logs in, you're in.

Creative Visualizations... (1)

UncleTogie (1004853) | about 7 years ago | (#18556895)

The mental picture that first struck me:

A farmer giving the fox the keys to the henhouse.

Creative Moderation... (0)

Anonymous Coward | about 7 years ago | (#18557243)

That would be the slashdot moderation system.

How are you gentlemen. (4, Funny)

bluemonq (812827) | about 7 years ago | (#18556899)

All your IP are belong to us. You are on the way to being rooted. You have no chance to 200 make your time.

Re:How are you gentlemen. (0)

Anonymous Coward | about 7 years ago | (#18557035)


Sure, you can have the master key... (5, Funny)

Cylix (55374) | about 7 years ago | (#18556903)

When you pry it from my cold dead hands!

Re:Sure, you can have the master key... (5, Funny)

Anonymous Coward | about 7 years ago | (#18556935)

Your proposal is acceptable.

-- DHS.

Re:Sure, you can have the master key... (1)

the eric conspiracy (20178) | about 7 years ago | (#18557551)

So you are equating DHS with giant terroristic insectoid aliens bent on universal destruction? Hum. Seems reasonable.

Re:Sure, you can have the master key... (2, Funny)

frinkacheese (790787) | about 7 years ago | (#18556961)

..In other news Cylix, a Slashdot poster was found dead today outside his home. Police investigating suspect that theft was the motivation as his wallet was missing.

Various Internet companies today suspect that their domain names have been compromised. Blaming the new "secure" DNS system, companies are still unable to tell what the extent of this damage is.

Also in today's news:

Iran in massive cleanup operation after Israeli nuclear strike.
Microsoft again found guilty of anti-trust violations.
SCO share price collapses after serious fraud office investigation.
British government standardizes on Linux for all new IT deployments.

Re:Sure, you can have the master key... (0)

Anonymous Coward | about 7 years ago | (#18557223)

If that's what's required then that's what we'll do

- Department of Fatherland Security

Multiple keys (2, Insightful)

russotto (537200) | about 7 years ago | (#18556943)

Does Secure DNS allow multiple keys to be required before a query is trusted? That is, would it be possible with the protocol as defined for a foreign root server (e.g. the servers authoritative for .nl) to sign its responses with its own self-signed or trusted-organization-signed key as well as with the IANA-signed key, and have savvy clients trust such servers only if both keys are present?

I'm surprised the US Government is doing this; I'd have expected them to obtain the key through back channels rather than out-and-out demanding it.

Which is worse? (2, Interesting)

FMota91 (1050752) | about 7 years ago | (#18556983)

The fact that the US Government wants this key, or the fact that it has requested it publicly?


Re:Multiple keys (2, Informative)

Eric Smith (4379) | about 7 years ago | (#18557169)

In principle, there is no reason why a ccTLD key needs to be signed by IANA, ICANN, the US DoD, or anyone else, as long as the DNS implementation on client computers is configured to trust that ccTLD key.

The result is that instead of computers being configured to trust a single root zone key from IANA, it is likely that every ccTLD will have its own key, and that the standard configuration of DNS as shipped with an OS or distribution will contain the public keys or hashes for every one of them. This is arguably a good thing.

Note that few if any OS distributions come configured to support secure DNS and verify signed DNS records.
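The point made in this post, in billstewart's "Alternative Keys, not Alternative Roots" post, and in russotto's "Multiple keys" question is the same: a validator decides which keys it trusts, and a TLD key it has pinned itself needs no signature from the root. The following Go program is an added illustration of that chain-of-trust walk; it is not code from any poster or from any DNS implementation. It uses Ed25519 signatures over "name|key" and "owner|rdata" strings in place of real DNSKEY, DS and RRSIG records, and the zone names (nl., example.nl.) and addresses are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Zone is a toy model of one DNSSEC zone: its name, its key pair, and the
// parent's signature over its public key, standing in for the DS record a
// parent publishes for a child. Real DNSSEC uses DNSKEY/DS/RRSIG records and
// RSA or ECDSA; Ed25519 over "name|key" is used here only to keep it short.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Parent *Zone
	DS     []byte // parent's signature over dsMessage; nil for a root
}

// NewZone generates a key pair and, if parent is given, has it sign the delegation.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, Parent: parent}
	if parent != nil {
		z.DS = ed25519.Sign(parent.priv, dsMessage(name, pub))
	}
	return z
}

func dsMessage(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"|"), pub...) }
func rrMessage(owner, rdata string) []byte              { return []byte(owner + "|" + rdata) }

// Sign produces the RRSIG-like signature over one record held in this zone.
func (z *Zone) Sign(owner, rdata string) []byte { return ed25519.Sign(z.priv, rrMessage(owner, rdata)) }

// Anchors maps a zone name to the public key(s) the validator trusts for it.
// An entry is authoritative for its zone: reaching that zone with an unlisted
// key fails validation even if a higher zone (e.g. the root) is anchored too,
// so a pinned TLD key overrides a root key the operator does not trust.
type Anchors map[string][]ed25519.PublicKey

func (a Anchors) lookup(name string, pub ed25519.PublicKey) (pinned, ok bool) {
	keys, present := a[name]
	for _, k := range keys {
		if bytes.Equal(k, pub) {
			return true, true
		}
	}
	return present, false
}

// Validate checks sig over (owner, rdata) with z's key, then walks the
// delegation chain upward until it reaches a configured trust anchor.
func Validate(z *Zone, owner, rdata string, sig []byte, anchors Anchors) error {
	if !ed25519.Verify(z.Pub, rrMessage(owner, rdata), sig) {
		return fmt.Errorf("record signature for %q does not verify", owner)
	}
	for cur := z; cur != nil; cur = cur.Parent {
		if pinned, ok := anchors.lookup(cur.Name, cur.Pub); pinned {
			if ok {
				return nil // the chain ends at a key the operator trusts
			}
			return fmt.Errorf("key for %q does not match its configured trust anchor", cur.Name)
		}
		if cur.Parent == nil {
			return fmt.Errorf("reached root %q without meeting any trust anchor", cur.Name)
		}
		if !ed25519.Verify(cur.Parent.Pub, dsMessage(cur.Name, cur.Pub), cur.DS) {
			return fmt.Errorf("delegation of %q is not signed by its parent", cur.Name)
		}
	}
	return fmt.Errorf("empty chain")
}

func main() {
	// Constructed hierarchy: genuine root -> nl. -> example.nl.
	root := NewZone(".", nil)
	nl := NewZone("nl.", root)
	ex := NewZone("example.nl.", nl)
	sig := ex.Sign("www.example.nl.", "A 192.0.2.10")
	// A second root whose holder has issued its own nl. delegation.
	rogueRoot := NewZone(".", nil)
	rogueEx := NewZone("example.nl.", NewZone("nl.", rogueRoot))
	rogueSig := rogueEx.Sign("www.example.nl.", "A 198.51.100.7")

	fmt.Println("genuine chain, root anchored:", Validate(ex, "www.example.nl.", "A 192.0.2.10", sig, Anchors{".": {root.Pub}}))
	fmt.Println("rogue chain, genuine root anchored:", Validate(rogueEx, "www.example.nl.", "A 198.51.100.7", rogueSig, Anchors{".": {root.Pub}}))
	fmt.Println("rogue chain, rogue root anchored:", Validate(rogueEx, "www.example.nl.", "A 198.51.100.7", rogueSig, Anchors{".": {rogueRoot.Pub}}))
	fmt.Println("rogue chain, nl. key pinned:", Validate(rogueEx, "www.example.nl.", "A 198.51.100.7", rogueSig, Anchors{".": {rogueRoot.Pub}, "nl.": {nl.Pub}}))
}
```

The last two runs in main are the ones that matter for the thread: a validator that anchors only a root key accepts whatever delegation that root's holder signs, whereas a validator that has pinned the nl. key rejects the second chain even though its root is also anchored. Whether a ccTLD's key is signed by the root makes no difference to a validator that trusts that ccTLD key directly.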

Another "Internet" (1, Interesting)

bogaboga (793279) | about 7 years ago | (#18556977)

How feasible is it for us in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?

Re:Another "Internet" (1)

Eric Smith (4379) | about 7 years ago | (#18557111)

All they have to do is
  1. set up their own root DNS servers (easy, anyone can do that)
  2. convince their citizens to configure their computers to use their root DNS servers instead of the ICANN root DNS servers
Many people have done the first, but no one has succeeded at the latter. But if a government were to do it, they might well succeed.

However, other countries may not even need to do that. If they use a ccTLD (e.g., .cn for China, .lk for Sri Lanka, etc), they can control the DNS key for that ccTLD, and they do NOT have to get that key signed by ICANN, IANA, the US DoD, or anyone else. So this is really just an issue for the gTLDs. Yet another reason why gTLDs were a fundamentally bad idea.

they didn't start out generic (1)

nanosquid (1074949) | about 7 years ago | (#18557375)

Yet another reason why gTLDs were a fundamentally bad idea.

Well, yes, just keep in mind: when they started out, they weren't "generic", they were effectively US TLDs.

The mistake was failure to either declare those domains to be US domains, or to migrate them to .co.us and similar domains and discontinue the old domains, when the Internet became commercial and international.

Re:Another "Internet" (1)

DaMattster (977781) | about 7 years ago | (#18557569)

You would also need to convince the citizens to get direct connections to your servers and start assigning IP addresses, much in the same way that IANA does. This is, in theory, wholly possible. Then you could have a separate internet that gets away from government regulation. But, Homeland Security may get suspicious and you might see one of the infamous National Security letters forcing you to open your network or face imprisonment and fines. Either way, as long as King George has his way, privacy will continue to go down the tube.

Re:Another "Internet" (2, Insightful)

canuck57 (662392) | about 7 years ago | (#18557155)

How feasible is it for us in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?

Quite feasible actually. China already runs its own DNS root servers. The trick becomes to make this as seamless as possible to the end users. But there are ulterior motives for this, to control the people.

For example say China wanted ibm.com to resolve to their own servers, they could hijack the domain off their servers and send it to their own servers. This makes DNS-in-the-middle attacks -- even with SSL -- trivial. China for example will at some point ban using DNS servers out of China and block external DNS at the international border routers.

That being said though, the internet domain system would deteriorate if every country got into the business and decided to do their own thing to control their users. After all, this is what it is really about.

Re:Another "Internet" (0, Flamebait)

bendodge (998616) | about 7 years ago | (#18557575)

For as many mistakes and bad choices the US government has had, I think it is still by far the best entity to control the internet. The UN would censor it, China would propagandize it, France would tax it, and Britain would botch it technically.

When it all boils down, a network like the internet requires centralized control, and it's often best to stick with the devil you know.

Re:Another "Internet" (1)

Shemmie (909181) | about 7 years ago | (#18557667)

The UN would censor it, China would propagandize it, France would tax it, and Britain would botch it technically. Exactly, why settle for only one of those outcomes when you can have all four?

Re:Another "Internet" (1)

vertinox (846076) | about 7 years ago | (#18557755)

How feasible is it for us in the rest of the world to create "another Internet" and leave the current one with the US government?

Oh that... It's called IPv6.

Subby failed reading comprehension (5, Informative)

Anonymous Coward | about 7 years ago | (#18556979)

Nowhere in that article did it say that DNSSEC would prevent spoofed IP addresses. This is about DNS, not about IP addresses. Also, the fact that the DHS wants the master keys does not mean they'll be able to hack into your computer without any problem. It boggles my mind that this summary was allowed to hit the main page. wow...just wow.

Re:Subby failed reading comprehension (1)

3247 (161794) | about 7 years ago | (#18557487)

Nowhere in that article did it say that DNSSEC would prevent spoofed IP addresses.
Even if the article did not say so, it actually does: With DNSSEC, you can securely put certificates for IPSEC or SSL/TLS into the DNS.

How DNSSEC prevents spoofed IP addresses (1)

billstewart (78916) | about 7 years ago | (#18557743)

There are two ways to spoof IP addresses - trick somebody into thinking the machine they want is at a bad guy's IP address instead of the real one, or trick somebody into thinking that the IP address they're trying to reach is on a bad guy's machine instead of the real one.

DNS primarily lets you look up the IP address corresponding to a domain name, and DNSSEC prevents this from being spoofed. Spoofing the routing protocols so that IP packets go to the bad guy's machine is obviously not DNS's problem.

The crucial signing key is for Windows Update (5, Insightful)

Animats (122034) | about 7 years ago | (#18557007)

The truly powerful signing key is for Windows Update. If you have that key, you can take over every Microsoft computer in the world. Change the operating system. Install anything, including a new key. Reboot the machine.

Who has that key? Do we know?

Whoever has both the DNS root key and the Windows Update signing key rules the Internet. Or at least all the Microsoft client systems. They can redirect Windows Update requests to themselves, then download their own update and have it accepted.

Unfortunately, this isn't a joke.

It is a joke, you just forgot the punchline! (0, Informative)

Anonymous Coward | about 7 years ago | (#18557195)

>Unfortunately, this isn't a joke.

Other than it won't work because all the important *.microsoft.com sites are hardcoded into Windows.

No, it's not a joke. (4, Interesting)

Animats (122034) | about 7 years ago | (#18557265)

If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)

If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.

So possession of both of those keys gives full control of all Windows Update enabled clients.

Re:No, it's not a joke. (0, Flamebait)

Anonymous Coward | about 7 years ago | (#18557517)

What part of hardcoded do you not understand? You would have to spoof IP addresses, not domains, to send bogus updates to Windows machines.

Re:The crucial signing key is for Windows Update (1, Interesting)

Anonymous Coward | about 7 years ago | (#18557229)

Does this mean that pirated copies of Windows are in fact more secure?

Re:The crucial signing key is for Windows Update (1)

Tenebrarum (887979) | about 7 years ago | (#18557359)

A serious question here: is Portage vulnerable in the same way? Pardon my ignorance, perhaps I've missed something obvious, but this is a serious question.

Re:The crucial signing key is for Windows Update (0)

Anonymous Coward | about 7 years ago | (#18557877)

Yes, any online update system is only as secure as the people who hold the keys. An attacker only needs to find out where they live and threaten them or their families. This should not pose much difficulty to the DoHS.

Using Linux does not secure you against DoHS spyware. But they will install it on Windows and Mac systems first, so you will get some warning and an opportunity to establish your own network of trust.

Re:The crucial signing key is for Windows Update (1)

Comatose51 (687974) | about 7 years ago | (#18557361)

One key to rule them all and in the darkness bind them.

Re:The crucial signing key is for Windows Update (0)

Anonymous Coward | about 7 years ago | (#18557471)

I think you mean "in the darkness sign them."

Re:The crucial signing key is for Windows Update (0)

Anonymous Coward | about 7 years ago | (#18557699)

It doesn't matter who has the Windows Update key. The keyholders work for Microsoft. They will do whatever Homeland Security asks... or else. It's the same with this DNS thing - it doesn't matter if the key isn't given to Homeland Security now, because Homeland Security can demand it at gunpoint any time they want.

Your Windows machines might as well already be running US Government spyware. In fact, perhaps they already are. We didn't find out about the phone tapping thing straight away, and the best sort of spying is completely covert.

Politics, politics (0)

Anonymous Coward | about 7 years ago | (#18557051)

hmmm, will other countries trust US government management on something as critical as DNS security?

Re:Politics, politics (3, Insightful)

ScrewMaster (602015) | about 7 years ago | (#18557303)

Will they have a choice? Would they do any better?

The problem with all this saber-rattling about "control of the Internet" is that there's just too much economic power involved to arbitrarily change anything. Yes, one can complain about U.S. management of DNS (although the system does work rather well), one can complain about what the U.S. might do with DNS (although we haven't done anything yet) but sometimes, change for the sake of change is dangerous. The impact on world economies if DNS were to suffer any significant or long-lasting disruption would be severe. If any major changes or transfer of control of the Domain Name System ever get made, they'd best be made in the light of technological reality and not the immediate political need to stand up to the U.S. Remember what happened with Verisign and SiteFinder? That was just a taste of what might happen to the network if people start squabbling over the roots and waving their dicks around.

Be careful what you wish for.

Re:Politics, politics (1)

l3v1 (787564) | about 7 years ago | (#18557903)

although we haven't done anything yet

Not the most convincing argument these days.

We asked, you spoke, we listened. END OF STORY (3, Funny)

sciop101 (583286) | about 7 years ago | (#18557067)

US Gov: We want the key.

We are denied the key.

We deny having the key.

out of control (4, Insightful)

TheSHAD0W (258774) | about 7 years ago | (#18557083)

I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.

Re:out of control (0)

Pinkfud (781828) | about 7 years ago | (#18557633)

I can think of another reason. With direct access to the root DNS, it's possible that a website could just accidentally become unreachable. And it's just so complicated that it could take months, maybe even years to fix the deleted entry....

Routing and private keys? (3, Interesting)

pashdown (124942) | about 7 years ago | (#18557133)

I've always thought IP spoofing is a weak attack due to routing and ingress filters. Any network worth its salt will block its own addresses from coming in from the outside, but nevertheless routing has to return the TCP ack back to the proper AS#. How does DNSSec override these precautions?

In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?

Re:Routing and private keys? (1)

Score Whore (32328) | about 7 years ago | (#18557239)

Why would you trust DNS for anything? Or IPs? The only thing you may trust is the correct private key. And maybe not even that.

US still has the possibility to spoof signatures (0)

Anonymous Coward | about 7 years ago | (#18557199)

He who holds the keys has all the power. This would mean that the USA can still generate signatures for anybody and sign their identity.

I say EU needs their own master keys.

That's all we need (1)

OriginalArlen (726444) | about 7 years ago | (#18557205)

Finally, a way to give the net.kooks at ORSN et al -- and other purveyors of alternative DNS roots [wikipedia.org] -- some sort of credibility... prove that the kooks were right all along! The cabal does exist, and they're running the US government. What a stroke of genius! This single act could be the single most harmful thing to hit the net since Canter and Siegel :(

correction (1)

slashkitty (21637) | about 7 years ago | (#18557211)

the US government will be the only institution that is able to spoof IP addresses

the US government will be the only OTHER institution that is able to spoof IP addresses.

whoever is the creator (icann?) of the master keys is also able to spoof DNSsec.

Obligatory (1, Funny)

Pepebuho (167300) | about 7 years ago | (#18557257)

One Key to Rule them all,
One key to find them,
One Key to bring them all,
and in the darkness bind them

In land of Bush, where the shadows lie...

Big deal! (1)

rdenisc (701667) | about 7 years ago | (#18557289)

Even if DNSSEC ever gets widespread usage, they only get the ability to spoof every other domain in the world. Right. First, maybe some non-US ISPs could keep their own hard-coded copies of public keys for relevant non-US TLDs, so the US cannot spoof them. But in practice, the trust level in DNS is low anyway. It's as bad as the ability to emit any spoofed Verisign server X.509 certificate (which the US might quite possibly do as well, but nobody will discuss this).

For all the problems with the US... (0)

Anonymous Coward | about 7 years ago | (#18557309)

I'm beginning to wonder if this is really something I should worry about anymore.

I've been through the whole anti-US thing, and the number of things the US does wrong is phenomenal, but as a Brit, after seeing the Russians poison Litvinenko in our very own capital city, after seeing how utterly childish the Iranians are over the kidnapping of our service personnel and the fact that the Russians vetoed at the UN the request by the British for a UN demand to release the hostages immediately, all that coupled with China being unwilling to deal with North Korea in a way that would force them to give up their nuclear ambitions (i.e. cutting off all their cross-border electricity supplies), I'm really beginning to question if the US having this kind of power, in that it would be the only nation able to carry out DNS spoofing attacks, is honestly such a bad thing.

Better the devil you know and all that, and frankly, if something like this does go ahead I'll be stood alongside the yanks laughing in the face of any Russian, Iranian, Chinese or North Korean leader that starts crying about America's dominance of the cyber warzone, and I'll tell them "Maybe if you'd not been so utterly arrogant towards the rest of the world then people like me would've supported an even battleground". Until the rest of the world grows up, please, Americans, go ahead, support your DHS in having this power.

You know... (5, Interesting)

FunWithKnives (775464) | about 7 years ago | (#18557315)

When the story first broke about other nations wanting an independent international body to oversee the root servers and such, I was completely against it. It sounded to me like another pointless stance by the U.N., compounded by the fact that the ARPANet was invented and fleshed out here in the U.S. Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.

Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.

So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.

Re:You know... (4, Interesting)

DaMattster (977781) | about 7 years ago | (#18557511)

I definitely agree with you there and I am a U.S. Citizen. At this point, I think by making ICANN and IANA independent of U.S. control we are safeguarding our own rights what with the wild abuses of the Patriot Act, the FBI, and the Department of Homeland Security. I hope ICANN doesn't capitulate. ICANN shouldn't give them shit.

Hah. The US government has answered. (3, Funny)

SLi (132609) | about 7 years ago | (#18557329)

I'm glad the US government decided to answer, itself, the very short-sighted people who are almost in the majority in every ICANN-shouldn't-be-controlled-by-the-US article and who ask something like "Who would you trust more to control the Internet, the US government or a body where countries with poor human rights records have a say?".

root keys and Ultimate Power (2, Interesting)

Teunis (678244) | about 7 years ago | (#18557337)

Maybe it's time to start working up an alternative to DNS zones?

It's either that or coming up with a way of keeping such information outside of the hands of a foreign power (the USA is a foreign power from my country. Not an enemy by any hands at this time... but it has been).

Fodder for future (0)

Anonymous Coward | about 7 years ago | (#18557345)

And so even the next generations in non-US nations will hate America with the same furiousness :)

There should be no debate if DHS gets its way (2, Insightful)

iminplaya (723125) | about 7 years ago | (#18557441)

Control over the internet needs to be taken away from the Americans. We need to assure that nobody has "control" over the internet.

How is this significantly different? (4, Insightful)

Schraegstrichpunkt (931443) | about 7 years ago | (#18557519)

Right now, Verisign (or any of the widely-trusted X.509/SSL certificate authorities) can generate fake certificates for arbitrary sites, and your ISP can poison the DNS (from your perspective).

Incompetent government employees (or corrupt or foreign governments) are not the only adversaries we need to deal with. DNSSEC, like the current HTTPS trust system, reduces the number of potential attackers, but it doesn't eliminate them all. We know this, and we deal with it by only vesting a limited amount of trust in these systems.

The discussion should not be about whether or not the US DHS specifically should be given access to the keys. The discussion should be about the importance of minimizing the number of points where the system can be attacked: only those entities who strictly need the keys in order to administer the DNSSEC system should be given access. The DHS doesn't need DNSSEC keys in order to make DNSSEC work, so the DHS should not get the keys. It's as simple as that.
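Several posts above make the same structural point from different angles: slashkitty notes that whoever generates the root key can sign anything DNSSEC validators will accept, rdenisc suggests that resolver operators hard-code the public keys of the TLDs they care about, and Schraegstrichpunkt argues for minimizing the number of key holders. The following Go program is an added illustration of that trust model, not code from any of the commenters, from ICANN or from any DNSSEC implementation. It collapses DNSSEC's DNSKEY/DS/RRSIG machinery into a two-link chain (root key vouches for a TLD key, TLD key vouches for one record) using Ed25519 signatures, and compares a validator that trusts only the root anchor with one that additionally pins the TLD key. The record contents and all key material are constructed inline for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyPair stands in for a DNSSEC zone key (KSK and ZSK collapsed into one).
type KeyPair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewKey generates a fresh Ed25519 key pair (constructed for the example).
func NewKey() KeyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return KeyPair{Pub: pub, Priv: priv}
}

// SignedChain is a two-link delegation: the root vouches for a TLD key,
// and the TLD key vouches for a resource record.
type SignedChain struct {
	TLDPub    ed25519.PublicKey // TLD DNSKEY as published in the chain
	TLDSig    []byte            // root's signature over the TLD key (DS/RRSIG stand-in)
	Record    string            // resource record being vouched for
	RecordSig []byte            // TLD's signature over Record
}

// BuildChain produces a fully valid chain for any TLD key and any record.
// Only a holder of the root private key can call this for a new TLD key,
// which is exactly the property the thread is arguing about.
func BuildChain(rootPriv ed25519.PrivateKey, tld KeyPair, record string) SignedChain {
	return SignedChain{
		TLDPub:    tld.Pub,
		TLDSig:    ed25519.Sign(rootPriv, tld.Pub),
		Record:    record,
		RecordSig: ed25519.Sign(tld.Priv, []byte(record)),
	}
}

// ValidateFromRoot is the ordinary validator policy: trust the root public
// key as the sole anchor and follow the signatures downward.
func ValidateFromRoot(rootPub ed25519.PublicKey, c SignedChain) bool {
	return ed25519.Verify(rootPub, c.TLDPub, c.TLDSig) &&
		ed25519.Verify(c.TLDPub, []byte(c.Record), c.RecordSig)
}

// ValidateWithPinnedTLD is rdenisc's policy: the chain must also carry the
// TLD key the operator configured locally, so a root-signed substitute key
// is detected rather than silently accepted.
func ValidateWithPinnedTLD(rootPub, pinnedTLDPub ed25519.PublicKey, c SignedChain) bool {
	if !bytes.Equal(pinnedTLDPub, c.TLDPub) {
		return false // root vouched for a key the TLD operator never published
	}
	return ValidateFromRoot(rootPub, c)
}

// Outcome records how each validator policy treats three chains.
type Outcome struct {
	GenuineRootOnly, GenuinePinned         bool // real TLD key, real record
	SubstitutedRootOnly, SubstitutedPinned bool // root-signed replacement TLD key
	TamperedRootOnly                       bool // record altered without any key
}

// Scenario builds the three chains and runs both validator policies on them.
func Scenario() Outcome {
	root := NewKey()
	tld := NewKey() // the TLD operator's real key; also the copy an ISP would hard-code
	const genuineRecord = "bank.example. IN A 203.0.113.10" // constructed sample record
	const otherRecord = "bank.example. IN A 198.51.100.7"   // constructed sample record

	genuine := BuildChain(root.Priv, tld, genuineRecord)

	// A second chain for the same name, signed with a different TLD key that
	// the root key nevertheless vouches for. Indistinguishable to a root-only validator.
	substituteTLD := NewKey()
	substituted := BuildChain(root.Priv, substituteTLD, otherRecord)

	// A chain whose record was changed by someone holding no key at all.
	tampered := genuine
	tampered.Record = otherRecord

	return Outcome{
		GenuineRootOnly:     ValidateFromRoot(root.Pub, genuine),
		GenuinePinned:       ValidateWithPinnedTLD(root.Pub, tld.Pub, genuine),
		SubstitutedRootOnly: ValidateFromRoot(root.Pub, substituted),
		SubstitutedPinned:   ValidateWithPinnedTLD(root.Pub, tld.Pub, substituted),
		TamperedRootOnly:    ValidateFromRoot(root.Pub, tampered),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The tampered chain fails under both policies, which is the protection DNSSEC is meant to give against everyone who does not hold a signing key. The substituted chain is the thread's concern: a root-only validator accepts it because every signature checks out, and only a validator that pins the TLD key it expects can tell the two apart. Pinning is not free in practice (a legitimate TLD key rollover looks identical to a substitution until the operator updates the pin), which is why the underlying argument in the thread is about keeping the set of root key holders minimal rather than about pinning alone.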

Typical Slashdot Conspiracy Theory BS (1)

orionware (575549) | about 7 years ago | (#18557615)

" By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort."

All you need to do is "spoof" an IP and you're in? Wow..

So what? (2, Insightful)

tqbf (59350) | about 7 years ago | (#18557787)

Anybody --- not just the DHS --- can spoof the DNS today. And yet, by all available evidence, DNS spoofing is vanishingly rare. Mutual authentication over the untrusted Internet is a solved problem: TLS provides an end-to-end guarantee that your connection to your banking web application terminates with someone who can vouch for your bank's crypto keys. And you don't simply trust SSL certificates to the government: you also trust a myriad of commercial entities as well.

This is a red herring on multiple levels. There are lots of places that intelligence agencies can step in to violate your privacy on the Internet; you "trust" an access-layer provider, a number of backbone providers, the owners of the DNS roots, the certificate authorities, Google, and probably 10 more entities. But more importantly, DNSSEC is irrelevant. Nobody depends on it now (it doesn't "exist" now: tell me how my Mac does a secure lookup for Google.com on Speakeasy). It's likely that nobody ever will depend on it. And that's OK, because we have better mechanisms in place. We should spend more effort on adding negotiated opt-in SSL for things besides web and mail, and less on huge infrastructure projects to "secure" one tiny link in the connectivity chain.
