Archive for September, 2008

US Department of Commerce stands in the way of DNS Security

Friday, September 26th, 2008

In a move sure to raise eyebrows in the international community, the US Department of Commerce has made clear [1] its intention to block efforts to completely secure key data, by requiring sensitive keys to be transmitted to a third party before being published in their final protected (signed) form. Its motivations, and the reasons for the intensity of its remarks, are unclear, particularly given the minor nature of the proposed change and the fact that ICANN already provides such functionality [2]. In fact, the need for this change was envisioned and agreed to between VeriSign and ICANN some time ago [3]. As noted in [4], Commerce’s effective attempt to gag ICANN from discussing proposals raises further questions and concerns about transparency.

DNSSEC will not only fix recently discovered DNS vulnerabilities but will also become a secure platform for many future applications. Maintaining trust from the TLD operator all the way to the signed root, by minimizing any avenues for corruption or error and by protecting (DNSSEC signing) sensitive keys at the very point where they are authenticated and validated, ensures that the Internet and any new developments will be able to rely on the security of this platform into the distant future. Just because the specifics of the current approach to managing the root have worked for so many years doesn’t mean it couldn’t benefit from a minor change. That’s how we got to where we are now – holding back on changes until serious vulnerabilities are discovered and then trying to quickly secure the decades-old DNS protocol. We should take this opportunity to be proactive – not reactive – and insist that the US government let the international community of Internet experts do their best in securing the DNS, or take it elsewhere.

[1] last para

[2] last para

[3] para 2 “Root Server Management Transition Completion Agreement 2006”

[4] para 3