|
After looking at the state of DNSSEC in some detail a little over a year ago in 2006, I’ve been intending to come back to DNSSEC to see if anything has changed, for better or worse, in the intervening period.
Background
To recap, DNSSEC is an approach to adding some “security” into the DNS. The underlying motivation here is that the DNS represents a rather obvious gaping hole in the overall security picture of the Internet, although it is by no means the only rather significant vulnerability in the entire system. One of the more effective methods of a convert attack in this space is to attack at the level of the DNS by inserting fake responses in place of the actual DNS response. The outcome can be quite insidious. You may think that you have pointed your browser at some web site, but if I can execute this attack on your DNS query then it would be possible to direct your browser to any address whatsoever, or even none at all! And nothing is obviously “wrong”. There are no viruses on your computer, no failure of your firewall, no insidious subversion of your NAT. Nothing is changed at your end and everything is working just as intended. But the wrong outcome happened. And of course the DNS is used as the universal rendezvous medium, so pretty much every application starts by firing off a DNS request and then commencing a packet handshake with whatever IP address the DNS has told it. With DNS as it stands today such attacks on the integrity of the DNS, particularly by quite simple man-in-the-middle substitution attacks, are virtually impossible to detect.
DNSSEC is a digital signature framework that is intended to allow anyone to check the integrity and completeness of a response to a DNS query. The approach used by DNSSEC is a relatively conventional application of public key cryptography, where DNS Resource Records (RRs) are digitally signed. This digital signature can be added as additional information to a DNS response, and DNSSEC-aware resolvers can request that additional DNSSEC validation material be provided in addition to any DNS query, and the resolver may then use this material to verify that the response is genuine, and has not been altered in any way whatsoever. For a description of the DNSEEC design you may find a previous article on DNSSEC helpful, namely “DNSSEC: The Theory”.
DNSSEC deliberately avoids the use of X.509 public key certificates and the use of an associated Public Key Infrastructure (PKI) by embedding a key hierarchy within the DNS itself. Each zone parent is given the role of signing over every delegated child’s zone key, so that a zone’s signing key can be verified by confirming the parent zone’s signature over that key, which, in turn, can be verified by that zone parent’s signature over this key, and so on until you reach a Trust Anchor or the root of the DNS, or, preferably both at once. All this results in the observation that the theoretical trust model of DNSSEC can be reduced to a reliance on trust in only one key, that key being at the top of this delegation hierarchy. In other words, DNSSEC was originally designed with a single trust anchor in mind, that being the public key used to sign the root zone of the DNS, and the deployment model was one of universal adoption across the entire public DNS.
So where are we on this DNSSEC deployment agenda? Within reach? Or a bit of a stretch goal, but still plausible? Or maybe its so far out there that the manned mission to Pluto will happen first!
Root Signing
Some tasks appear to be quite challenging, yet turn out to be really quite simple, while other tasks look simple, but turn out to expose all kinds of daunting problems. In the case of DNSSEC this task of generating a public/private key pair, signing the root zone with the private key and publishing the public key as the material that “anchors” the DNSSEC signing hierarchy is evidently an example of this latter class of tasks, where the seemingly simple becomes the intractably wedged. The root zone of the DNS is quite small, and generating a key pair and creating a digital signature of the root zone is not actually the problem. Indeed, it’s a mechanical task at one level and existing DNSSEC tools can achieve this outcome quite easily. An example of what such a signed zone might look like can be found at https://ns.iana.org/dnssec/status.html.
If the mechanics of actually signing the root are so trivial, and we know what the outcome will look like, and you can probably even use the DNS to test your resolver against it tomorrow, then why hasn’t it happened already on the actual DNS root? What’s the problem here?
Obviously its not technical. So if its not technical, then it must be back to yet another instantiation of the those endless political debates about the DNS, IANA, ICANN and the roles and desires of various governments, political factions of all persuasions and their various retinues and cheer squads. What appears to have got so many folk worked up into a lather in the case of DNSSEC is the consideration of who generates the key pair for the DNS root. Actually that’s not quite correct—the observed general paranoia levels start to go stratospheric over the consideration of who has effective control of the private key of the DNS root zone, as this is evidently equated to the well rehearsed public debate that has a paranoia level that could best be described as astronomical in elevation over who exercises actual control over the DNS root zone itself, and somehow this gets even further inflated into the fascinating debate of who has control over the entire universe or something similarly grand.
Descending back to the boringly mundane for a second, there has been a proliferation in number of folk who believe that they have some legitimacy in their claim to have a say over control of their little part of the DNS root zone and perhaps an equally large number of folk who are interested in disputing the comparable claims of others. So who gets to hold this magical key of the DNS root appears to be a Deep and Meaningful Question for many.
I must admit that for me the most obvious response to such DNSSEC root zone signing concerns goes along the lines of: “What’s the issue here? The IANA maintains the DNS root zone file, so the IANA should sign the root zone and the IANA should control the zone keys for the DNS root.”
While such a response may appear obvious to me, for many that response is totally naive politically and just plain unacceptable. We’ve seen a number of proposals in recent times that attempt to justify the employment of a cast of agencies drawn from many countries and many international organizations, each of whom are proposed to derive their rasion d’être in being vested the control a tiny part of one bit of the DNS root key, and all of whom are required to provide their consent in order to assemble the actual key value to sign any changes to the DNS root zone. Somehow the mechanical process of signing parts of the DNS root, which is a task that is required for every change to any part of the root zone, so we are talking of an operation that entails a number of signing operations per day, appears to have been confounded with the political process of an endless debate about the process of making changes to the DNS root. I gather that there is the impression in some circles here that there is the endorsement of a cause that a functional outcome can be achieved when every single party here in this somewhat bewildering cast of players has the right of veto over anyone else. The key that would allow others to bootstrap the validation hierarchy in a simple manner is now regarded as the key to define which parties need to provide their permission before permitting any changes whatsoever to the DNS root zone itself. For as long as the evident desire on the part of some to ensure that this political process of DNS determinism is non-terminating holds prominence in the public debate over the governance of the DNS, then the prospects of ever seeing a signed root zone in the DNS also appear to be highly unlikely.
But if one were to dismiss most of this debate of who gets to say which bit of the root zone key should be a 1 or a 0 as a simple exercise in political posturing, and look at this merely as a technical problem within the DNS query and response protocol, the more relevant question is whether adding a DNSSEC signature to the root zone of the DNS would cause any major, or even minor, catastrophe to the Internet at large, or the working of the DNS in particular.
The general consideration when contemplating changes to the root zone of the DNS is whether the basic UDP response to a root zone priming query will be able to be transmitted back to the query party. When a priming query is passed towards a root server with the DNSSEC OK bit set in the EDNS header of the DNS the query should also use the ENDS “sender’s UDP payload” mechanism, as the inclusion of the DNSSEC information in the priming response will lift the size of the responding DNS packet to over 576 bytes. So as long as everything between the DNSSEC and EDNS-aware DNS entity performing the query who is asking the root zone the priming query with DNSSEC enabled is capable of doing the right thing with large UDP packets, then all will work. And if the packet is mangled by some reprehensible middleware that mangles DNS UDP packets in bizarre ways, then the query has to drop back out of DNSSEC and perform a non-DNSSEC priming query. It seems that the operational modes do not cause complete breakage here. So as long as the key is correctly handled and the signatures are well formed then from a technical perspective signing the root does not appear to present risks to the operation of the DNS.
Signing the DNS root appears to remain a political question rather than a technical question. For as long as there are folk who equate their unwavering desire to express their interest in the politics of the administration of the DNS with an undeniable conviction that they or others deserve a right of veto in the administration of the root zone of the DNS via their interest in a share of the control of the DNS root key, then this may well remain an intractable political problem. Sigh.
Signing Everything Else
There is one arguably positive aspect of this longstanding political stalemate over signing the root zone of the DNS, namely that the other rather improbable aspect of DNSSEC deployment can be conveniently ignored.
DNSSEC relies on the DNS structure itself to create the interlocking relationships that remove the need for additional verification mechanisms. For a DNS RR to be verified by a DNSSEC-aware resolver it is necessary to both verify the digital signature of the RR and confirm the validity of the signing key that generated the RRSIG resource record. In DNSSEC the parent signs across the child’s public key, so the child’s key can be verified by verifying the parent’s digital signature of this key. This signature can be verified by confirming the digital signature and verifying the parent’s public key. This key is verified by its parent, and so on. If the root zone key is the trust anchor of this verification chain then every zone between the root zone and the zone of the DNS RR being verified must be DNSSEC signed. With DNSSEC it’s a case that life is far simpler for clients of DNSSEC if over on the signing side of DNSSEC it’s a case of one in, all in!
Such a perspective poses the question of just how likely is universal DNSSEC deployment? The story is not yet very convincing, unfortunately. In many cases it appears that the marginal additional overhead of adding DNSSEC to a zone, in terms of the additional zone administrative procedures, the introduction of DNSSEC key management functions, larger DNS zone files, interactions with delegated zone administrators and parent zone administrators, and the possibility of more potential points of service failure, are all borne by the zone administrator ands the zone publisher, while the direct benefits, such as there is direct benefit here, accrue to the DNS client. If we’ve learned anything about the business of networking over the years it would be good to think that we’ve learned that in those situations where a large set of folk bear the costs and another, potentially smaller number of folk stand to gain the benefit, and there is no compensatory flow of money to even the scorecard, then the entire proposition is not generally considered overly attractive from a business perspective. Worse still is the picture where the sum of the costs far exceeds the accumulated value of the benefit. Signing everything in the DNS just doesn’t seem to represent a natural outcome from the point of looking at each DNS zone administrator as an independent entity who is trying to optimise their own individual position on the cost and benefit account.
Universal DNSSEC deployment, even with a signed root, has prospects that are even more dismal than the signed root proposition. Sigh
The Great Key Hunt
So we haven’t yet managed to sign the root, and we haven’t yet managed to achieve universal buy-in below the root, and the prospects for achieving both these objectives look dim at the moment.
Are we ready to give up on DNSSEC yet? Of course not!
The design of secure systems often represents a set of design trade-offs, or, in other words, a set of compromises between security, scalability and feasibility. If it is the case that the total cost of deployment and the resultant accumulated benefit are not well aligned, then can DNSSEC take some convenient shortcuts to ease this imbalance, even at the expense of some level of integrity of the security model? Is there any leeway here? Is universal DNSSEC adoption a strict precursor to any realistic level of DNSSEC utility?
In the absence of universal DNSSEC adoption then we might continue along the current path of partial adaptation for some time to come. But what does this mean for DNSSEC? Is partial deployment of DNSSEC something that we could live with in the long term? Or is it more broken than no DNSSEC at all?
Partial deployment of DNSSEC implies that only some zones are signed. A signed zone might have no DNSSEC parent, but may have DNSSEC children. These parent-less DNSSEC “orphans” become the apex of a local DNSSEC hierarchy. For a DNSSEC resolver to be able to verify as much as it possibly can it has to load up all the zone keys that are at the apex of a local DNSSEC hierarchy. Unfortunately there is no automated way to perform such a sweep of the DNS to expose these DNSSEC zones, so the process appears to be one that you perform by hand. Yes, that’s manual. And even then you need to derive some form of trust in the authenticity in the key in this undefined process of DNSSEC zone key retrieval and maintenance.
Another way for the resolver to gather these zone keys up is to pick them up one by one on as as-required basis using the DNS itself. This gets rid of the entire process of trying to sweep the DNS for these DNSSEC local hierarchies just in case you might want to pose a query against these zones that you wanted to validate with DNSSEC. So it looks promising. But hang on—wasn’t the entire DNSSEC effort directed at providing some means of verifying DNS responses? If you use the DNS itself to deliver these keys that you are going to use as the basis of your trusted verification, then haven’t you just introduced a fatal circularity of dependence? How can you trust the DNS to deliver you the correct key that you are then going to trust to validate DNS responses? So this won’t work either.
So we are back once more to the basic problem of DNS integrity that DNSSEC was intended to solve. How can you pick up these local DNSSEC apex keys in a reliable and trusted manner without resorting to the DNS? Unfortunately DNSSEC has no direct answer here. How do you know that a DNS zone has been legitimately signed and that the DNS response can be validated? In an environment of partial DNSSEC deployment DNSSEC does not appear to be overly helpful.
Another response has been to contemplate DNSSEC Lookaside Vectors (DLV), which attempt to aggregate a number of apex zone keys of local DNSSEC zone hierarchies into a synthesised DNSSEC zone that allows a single DLV zone key to substitute for the set of stored apex zone keys. If you change the DNSSEC-aware resolver to follow the lookaside vector you can replace the collection of local apex keys with the single key of the lookaside vector zone, as long as all these DNSSEC orphans are prepared to live as the DNSSEC Lookaside Orphage. But in this DLV model we’ve broken out of the interlocking DNS delegation model, and the question then arises as to the authenticity of the zone keys stored in this DLV zone. While DLV can fly technically, the validity of the outcome is no longer based on the elegant structure of interlocking DNSSEC keys that are precisely aligned to DNS zone delegation. Instead, the strength of the outcome is no stronger than the integrity and accuracy of the admission procedures that are undertaken by the DLV operator. Its hard to see how the DLV approach offers anything more secure than the current haphazard collection of DNS name certificates and the haphazard collection of certificate authorities who issue certificates for DNS names, while at the same time sit outside the name delegation hierarchy.
So the alternatives for the DNSSEC client in a world of partial DNSSEC deployment is to hunt down and maintain a set of trust keys using undefined processes that presumably involve a considerable amount of human direction, or to outsource the problem to a DLV operator in whom you are placing trust that they operate their DLV business with suitable integrity.
Neither alternative sounds overly attractive if you are after the substance of security rather than the optimistically inclined veneer of security theatre. Sigh.
No Such Domain
But even if we were in a world of universal DNSSEC deployment the story still is not overly convincing. If DNSSEC means signing every response that the DNS can offer, then the DNS response of “no such domain” must also be signed, and this too has opened up some further twisted DNS byways.
The DNSSEC mechanism of signing such negative responses appears to be both simultaneously ingenious and flawed. Its ingenious in that the approach of generating pseudo DNS RRs of all the “gaps” in the zone file and signing these “gap” DNS RRs provides the appropriate assurance that there is indeed no such domain in the zone in a manner that allows verification of this absence of requested information. Its flawed in that the approach not only provides information that the particular domain name does not exist, but also provides extraneous information about a potentially large set of other names that also do not exist in the zone file.
In any other domain (if you’ll pardon the pun!) any side effects of this DNSSEC signed NSEC resource record would be innocuous, but in the strange and twisted world of the name selling business information about what names do not exist appears to be a highly valued asset. NSEC is just too revealing a response for many players in the domain name industry. What NSEC does is to place an additional RR in the zone and for each name in the zone the RR contains the next name in order, using a standard ASCII ordering of the names in the zone. The obvious inference is that all the names that lie between the two names don’t exist, and the result is an indirect method of zone enumeration.
So its been a case back to the drawing board to devise an alternate approach of signing these gaps in the zone file. From this comes the still-being-cooked approach of NSEC3, which uses a far more complex ordering of the records in the zone than simple ASCII ordering. NSEC3, which is still not yet signed off as a stable specification, does not appear to have made DNSSEC any easier or simpler. Indeed quite the opposite. Forbidding and incomprehensible appear to relate to both the design goals of NSEC3 and the outcome! I suppose top marks are in order to the NSEC3 designers for having achieved their objective. What is not so clear is whether this has succeeded in making DNSSEC forbiddingly complex. Sigh.
The DNSSEC Burden
DNSSEC is not free. The DNSSEC burden is spread across the zone administration, primary zone servers, secondary servers and resolvers and the end clients of the DNS. Way back—way way back in the late 1980’s the DNS traffic on the NSFNET contribute 20% of all packets on the network of the day. Obviously things have improved considerably since then (we hope!) and its not anticipated that DNSSEC deployment is going to break either the DNS or the Internet at large, but, even so, DNSSEC is not free.
For the zone administrator there’s the additional tasks of key management, record signing and managing zone updates. For the primary and secondary zone servers there’s the need to support incremental updates to the zone, the advisability of using a trusted channel for zone updates from the primary server to the secondaries, such as TSIG, the larger zone sizes, the larger response sizes and the corresponding increments in processor, memory and bandwidth requirements for the servers. This, in turn, triggers reconfiguration of platform and network capacity for the server side of the DNS.
For resolvers there is the issue of the larger response sizes, the need to ensure that resolvers and the local network infrastructure of firewalls, NAT boxes and other inventive pieces of middleware can cope with EDNS0 and larger DNS response packets that are potentially fragmented, the additional query overhead associated with validation of responses, and that tricky question of what DNSSEC outcomes to cache and for how long.
One major consideration here is that the DNS is already relatively fragile and is the constant target of attack. One way to disrupt a service is to subject its name servers to a constant very high intensity load. In amongst all this noise traffic genuine queries are lost and the servers effectively disappear off the network. For providers this is a balancing act. While the DNS is essentially unfunded, if you are out of action then the outage is highly visible. Given that the attack has been one of loading the DNS server with correctly formatted queries there is no visible clue to the server as to what queries are genuine and what constitute the attack. The common mitigation to this attack is firstly one of segmentation of the server domain through anycast of the DNS servers, and an effort to increase the capacity of the server to absorb the query load associated with an attack without falling over. In this environment we are now seeing implementations of customised DNS servers and recursive servers that are engineered for very high capacity. In this environment DNSSEC applies more pressure through larger responses. A DNS server that is engineered for resiliency in a non-DNSSEC world may not necessarily be able to manage the increased load is all queries in a concentrated attack had the DNSSEC bit included and the zones being used as the target of the query were DNSSEC signed. From the perspective of a large heavily used DNS zone, DNSSEC represents a likely requirement to reinvest in server infrastructure as a consequence of DNSSEC signing the zone. This is not exactly delivering on the generic promise of all this technology as being better, faster and cheaper. Sigh.
What’s the meaning of “failure”, and who cares anyway?
What should a resolver do in the event of a DNSSEC verification failure?
Let’s look at this in a little more detail. If the DNS response is a RR and the associated DNSEC RR signature fails to verify then what should the DNS resolver present to its client? “Server Failure” is just such a pathetic way of backing away from the problem without taking a stance! But if a DNSSEC aware resolver doesn’t want to appear to be such a pathetic indecisive wimp, then should the resolver synthesise a NXDOMAIN response in place of the suspect RR response, on the basis that passing on a response that has failed verification is probably worse than a “no such domain” response? What if the NSEC (or NSEC3 for that matter) response has a DNSSEC RR signature that cannot be verified? Here the “server failure” response is still relatively unhelpful and but a more assertive NXDOMAIN, or “no such domain” response is possibly an incorrect response, but, equally there is no better information at hand to substitute in its place. There is nothing quite like the quandary you are p[aced in when trying to do the “right” thing when you know that the answer you are about to give to your client is shonky, but being completely unable to do anything about it!
But what is failure anyway? And, more particularly, what is “failure” in a partially deployed DNSSEC world? A digital signature that cannot be verified is a clear failure. The lack of an upward chain of parent signatures that leads to a trust anchor is also a failure, but of a different type. It could well be that in this case the DNS RR provided as the answer to the original query is perfectly good in every respect, including the DNSSEC RR signature and it’s the resolver’s efforts to hunt down all of the apex zone keys for each and every local DNSSEC hierarchy. Or the resolver could be the victim of a DNS attack. How can a resolver tell the difference? Is this a benign failure, or an instance of a failure that points to a directed attack via the DNS.
Of course undermining all this is human behaviour. When the screen presents you with the message: “I cannot validate this certificate, do you want to proceed anyway: Yes or No?” we are all pretty much the same when we move the mouse to hover over that “yes” button. DNSSEC might be as paranoid as it wants, but we humans are all risk takers of one sort or another, and even when presented with a dire warning of the risks involved, there’s a certain air of digital bravado that creeps up upon your clicking finger when given the opportunity to take a risk! So all this security infrastructure can be undermined by an all too typical user behaviour mode. Sigh.
So tell me again ...
It still seems somewhat bizarre to me that much of the public consideration of DNSSEC has been on the topic of the number and composition of the group of people who must have their trembling fingers touching the pen that signs the root zone of the DNS. The politicization of this question of “who signs the root?” appears to ensure that the root remains unsigned, and as a consequence any hope of universal deployment of DNSSEC flies out the window. It appears that without a signed root partial deployment of DNSSEC is the best one can hope for, and partial deployment of DNSSEC is, on the whole, an instance of negative progress.
Without a signed root DNS resolvers need to do the impossible and perform minor miracles in terms of trust key discovery and management. The impossible happens only with considerable pain and effort, and even then it happens rarely. The question is then raised as to why should zone administrators and DNS operators incur additional costs to locally deploy DNSSEC given that there are a vanishingly small number of DNSSEC queries to be answered from these few bold and adventurous DNSSEC-aware resolvers? From this perspective it appears to be counter-productive to be fixating on the issue of how many potential signatories should be dancing on the head of this root zone pin .
Surely the answer to signing the DNS root is one that has been staring us in the face since the start of this entire DNSEC effort. As with all zones, it the role of the zone administrator to generate the keys and sign the zone file. In the case of the root zone of the DNS its back to the IANA to just do the job and let the rest of us move on.
But “moving on” is not the same as solving all the issues of Internet insecurity though the scribbling of just one signature over a block of bits with a digital pen. It is apparent that the lack of a signed DNS root has become a convenient way to paper over the other issue of the lack of DNSSEC deployment across the remainder of the DNS and the poor prospects for ever changing that situation. Its still a very hard problem to work out how to swing the balance around in the DNSSEC cost and benefit equation so that the benefits of deploying DNSSEC on the server side can motivate its deployment such that the client side benefits of a more robust DNS can be realised.
And even if we address that and move into a DNSSEC world, there is the observation that most of the technology failures we encounter in this area are outcomes of benign rather than hostile actions, and that failures is a product of incompetence rather than malice, and this is no doubt going to continue. We have become habituated as seeing “failure” as an accidental and unintended outcome, rather than a dire warning of potential danger. We have grown so trusting in the technology that when the technology offers us choices then we believe that it really is a choice between equally viable options and that both options are equally ‘safe’ from the point of view of the underlying technical machinery. Otherwise why would this machine be asking us for guidance in the first place?
The substantive issues for DNSSEC are much further down in the DNS hierarchy than at the root, but we’re never even going to have the opportunity to address them as anything more than hypothetical issues to be considered in the abstract for as long as the unsigned DNS root remains in our way.
Sponsored byRadix
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byDNIB.com
DNSSEC may have quite dismal prospects of being deployed in actual practice, but look on the bright side: if DNSSEC were completely and perfectly deployed right now, it would not be addressing the latest and greatest DNS-related attack, which involves compromise at the leaves of the network (resolvers), rather than the core. If DNSSEC had been in place, people who don’t understand cryptography might have asked silly questions as to why all this “security” wasn’t protecting us from attack. Such people do not understand that cryptography addresses a clean and elegant abstraction of the security issue, and does not mire itself in the vulgar practicalities of “real world” security, with its inherent imperfections, trade-offs, and pragmatic inelegance. DNSSEC aims for theoretical security against a theoretical attack (and would succeed in that task if only people would stop being so political). Of course the DNS will continue to have vulnerabilities outside this theoretical strength: there’s only so much theoretical security that cryptographic mechanisms can provide, and we can’t help it if attackers choose to target the system where it is weak.
(Caveat lector: this comment may contain irony.)
Do we still need intermediate DNS resolvers? What would be the network load of all clients going to a (signed) root server and cacheing the result locally? The client software is available now on Windows to cache resolved IP addresses; memory is not a limitation; recursive, slow or badly configured servers are not a problem.
How many new addresses would I still be resolving after a few days of use?
Does someone have the numbers - has the number of dns packets resolved at some DNS servers been measured ? How many were repeat requests from the same client?
If the network load *is* an issue, add more signed DNS servers. A new version of BIND would bypass all unsigned DNS servers. There’s no need to force users to reconfigure their system. Promote the security, make the software available, (or distribute it with OS updates :-)
Colin
In spite of the claim in the article, there is a technical issue here, DNSSEC doesn’t support multiple roots; if it did that, then there would be no political issue, because everyone would get to win. The fact that the DNSSEC implementation and protocol *permits* political issues is a technical issue.
But I agree that DNSSEC only deals with one issue, but still, dealing with that issue is valuable anyway; for a secure system, you need to design and implement it well. A well designed, secure system has *no* issues, even political ones.
Lots of useful stuff here. One thing I would take issue with is the extraordinary statement that “the DNS is already relatively fragile”. Nothing could be further from the truth.
DNS can survive messages being lost, servers being down, inconsistencies in the database, rubbish queries and a plethora of other issues. It has successfully scaled to several orders of magnitude larger than originally envisioned.
I would argue that DNS is one of the most durable and resilient technologies out there and embodies several design principles that other protocols could learn a lot from.
@Ian:
DNSSEC does support multiple roots in the same way that DNS does. That is the whole point of DNSSEC - it secures the DNS tree from the root of that tree. If you create another tree then you get another root and you use a different set of keys. Simple.
What you appear to want is for DNSSEC to represent a different structure to the tree it secures and thereby allow for multiple roots. Which is of course what DLV does.
If we did have multiple DNSSEC roots then rather than everyone winning, nobody would win. How would a resolver find all those roots? What happens if one domain appears in two roots and they disagree on the keys, which one should the resolver trust?
But then that isn’t really DNS.
...except for the network effects associated with the current DNS, which make the likelihood of setting up an alternate tree (that actually gets used) highly improbable.
Adding a DNSSEC root key controlled by a single party raises those setup costs dramatically, and basically makes it impossible for alternative roots if the root key holder so chooses.
(For detailed info, see the “The keys to the Internet kingdom” comments of an IGP technical expert panel held last May - http://blog.internetgovernance.org/blog/_archives/2007/6/28/3053616.html)
Obviously, this a not such a problem to those who benefit most from the current DNS root regime. But it certainly does limit competition and innovation possibilities at the root.
Brenden,
I’m a bit confused. “Network effects” are generated by everyone using the same substrate, in this case the same namespace. DNSSEC merely allows people to validate the data in that namespace hasn’t been modified in transit. How does this validation have any influence on network effects? An alternate root would be a different name space. Whether or not the contents of that namespace can be verified is irrelevant to whether or not a “network effect” would exist. This can be empirically seen by the success (or lack thereof) of alternate roots in the DNSSEC-less world of today…
Regards,
-drc
@Brendan:
If you want to pursue the political objective of multiple roots or one root under distributed control then that’s your prerogative. But it is disingenuous to drag poor old DNSSEC into it as a pawn in that game.
DNSSEC does not dramatically raise the setup costs of an alternate root at all. Nor does it in any way make it impossible for alternate roots to function. If you want an alternate root then you can do it in an afternoon, root keys included.
DNS works a particular way and DNSSEC mirrors that. That’s all there is to it.
Alternate roots or distributed roots and all the politics associated with them are entirely orthogonal to DNSSEC.
Jay Daley said:
DNS as a whole is quite resilient. The components of the DNS, however, are quite fragile. As was recently noted when a human error 3 months ago caused ris.ripe.net to be unresolvable a couple of days ago for folks who had DNSSEC turned on, DNSSEC, like many security mechanisms, adds fragility to the individual components that make up DNS in the sense that what without DNSSEC would be ignored turns into a hard error when DNSSEC is turned on.
Actually, if you talk to Paul Mockapetris, I suspect he’d tell you that the DNS still hasn’t scaled to what he envisioned (particularly in terms of content).
Regards,
-drc
Jay:
The point of discussing multiple or competing roots in the context of DNSSEC is not necessarily to advocate splitting the DNS root. It is to demonstrate that there are economic, operational and political consequences inherent in the nature of the root signing process. Your own argument makes this clear.
You say
“What happens if one domain appears in two roots and they disagree on the keys, which one should the resolver trust?”
So thanks for making the point for us. Clearly, DNSSEC makes it more difficult to maintain compatibility among multiple roots. Under current, non-signed DNS, maintaining compatibility among different roots is easier; you simply incorporate the information in the legacy root zone into the alternate root zone. And the point of the network externality argument is that any new root will have to maintain compatibility with the legacy root to survive. So DNSSEC would appear to intensify the lock-in associated with DNS root.
That is not the only possible way in which DNSSEC has the potential for political consequences. There are others, such as liability issues, the processes for key rollover and security, and so on.
For technical people like Huston to insist that this transition has no governance consequences is simply irresponsible.
Jay Daley said:
“If you want to pursue the political objective of multiple roots or one root under distributed control then that’s your prerogative. But it is disingenuous to drag poor old DNSSEC into it as a pawn in that game.”
Poor old Jay, I used to think you were being disingenuous, but I now believe you are truly innocent when it comes to governance institutions and the relationship between technical systems and the distribution of political power.
We have already established that DNSSEC increases the costs of maintaining compatibility between roots. Even if you ignore the implications of your own technical analysis and refuse to accept that, we also know that new procedures will have to be created to generate and secure and roll over the keys. Those procedures are not just technical, they involve organizational and liability issues. So lawyers are going to be involved and the US Commerce dept is going to be involved.
Goeff Huston’s “brilliant” solution to this conundrum is to say, “let IANA do it.” Wow, I am really impressed. This to my mind is sort of like saying, when confronted with the problem of new TLDs in 1996, “let IANA do it.” Sounds nice. Worked for 15 years when the Internet was a closed club of techies. But it’s completely out of touch with reality today.
Let’s look a little deeper into what it means to “let IANA do it.” Who is IANA? Do you mean ICANN’s Board? ICANN’s “bottom up policy process?” SSAC? The US Department of Commerce? David Conrad?
Do you realize that if the current status quo is maintained, the signer of the root would be VeriSign, not IANA? So right there, you are talking about the need for an institutional change, and about politics and interest groups. “Letting IANA do it” means a relative shift of operational power from VeriSign to ICANN.
If letting IANA do it means letting David Conrad do it, do you think David will feel a little nervous about the liability issues associated with that responsibility? Don’t you think he wants a well-vetted process in place? And in designing these new processes and institutions, yes, I think it would be a good idea to seize any opportunities for making the power over the root a bit more distributed or accountable than it is now.
I repeat, whatever happens lawyers are going to be involved and the US Commerce dept is going to be involved and therefore politics—global politics—are involved. Let’s just be adults and accept that fact.
Perhaps I was a little indirect in the reason why I wrote this article about the number and quality of the Bad Ideas surrounding the use of DNSSEC in the root, and what I saw as the inane level of speculation on who should be included in the cast of thousands to have possession of a fraction of a bit of the root zone private key. What prompted me to writethis article was a paper by Milton that was published on his web site earlier this year. This paper argued along the lines of his comment here, namely advocating a cast of thousands as holders of bits of the private key on the basis that this is all about control of the root of the DNS, and that an approach to DNSSEC signing the root zone that simply places the zone signing capability in the hands of the zone administrator immediately triggers some home brewed conspiracy theory about the evil empire taking over this part of the universe or something similar. From my perspective this paranoid line of argument represents a good example of flawed reasoning of the worst order. It attempts to over-inflate the role of DNSSEC into some overarching change control mechanism that it’s just not. From my perspective I feel that advancing such arguments about why it is imperative that everyone gets a power of veto when signing the root of the DNS is indistinguishable from opportunistic political grandstanding, and it does the prospects of DNSSEC deployment no good whatsoever.
Who does, who should, and who should not have the ability to authorize changes to the root zone and the process of consultation and signoff for such changes may well be a fascintating topic, but to suppose that every administrative process of this form can and should be embodied into one form of security technology, no matter how inappropriate the match of the technology capabilites to the process in question, strikes me as an attitude that is hopelessly naive, and far removed from any form of rational and mature consideration of the topic that Milton is calling for in his comment.
Milton:
It is fairly apparent that you are confused about DNSSEC but it appears that you might be a tad confused about DNS as well. Let me explain:
When I said the following (which you took out of context):
then anyone who understands DNS would know immediately that I could have written:
and it still would have made perfect sense because DNSSEC mirrors the way DNS works.
Milton Mueller said:
This is the heart of the matter. Even before DNSSEC became a live issue, the management of the root already involved lawyers and the US Commerce dept and it was already global politics. DNSSEC has not changed that.
I make a heartfelt plea for you to leave DNSSEC alone. Leave it to those of who want a secure Internet to get on and implement it. DNSSEC will gradually fade into the background and be another of those things that just works.
If you have any point to make about root politics or those involved then you can make it just fine without invoking DNSSEC. In fact, it would probably make more sense.
>[The IGP] paper argued along the lines of his comment here, namely advocating a cast
> of thousands as holders of bits of the private key
The paper proposed distributing the key signing among three parties. Why would a reputable technical expert equate the number “3” as somehow close to “a cast of thousands”? Just exactly who is being “paranoid” and “overinflated” here?
>triggers some home brewed conspiracy theory about the evil empire
>taking over this part of the universe or something similar.
>From my perspective this paranoid line of argument represents a
>good example of flawed reasoning of the worst order.
Lots of rhetoric, not much substance here.
Let me ground the debate once again:
1) It was other governments and ccTLD mangers who first expressed concerns about DHS control of the root signing key. (If you don’t believe those concerns are real, then hey, let’s let Russia or China control the root signing key. Just a technical process, right? No political concerns whatsoever, right?)
2) Those concerns were supported by Paul Vixie and VeriSign’s chief scientist, not just by IGP
3) It is technically possible to distribute the root signing process in some way, and those methods were discussed early on in DNSSEC development; IGP simply revived those ideas.
4) We can have an intelligent debate about the costs and benefits of distributing the signing authority
5) We cannot have an intelligent debate if your response to the problem is to
i) deny that it is an issue at all
ii) hurl epithets at anyone who attempts to discuss it
iii) deliberately exaggerate or distort the nature of the proposals being made
>It attempts to over-inflate the role of DNSSEC into some
>overarching change control mechanism that it’s just not.
To be precise, we have never argued that DNSSEC is the lever by which Internet governance as a whole could be transformed. We simply said that, if possible, implementation choices for DNSSEC should and could avoid the kind of concentration of power that has already caused so much trouble.
The kind of overreaction we are getting from people like you only increases the paranoia level, and makes thoughtful people have second thoughts about what agenda is really being pursued here.
>indistinguishable from opportunistic political grandstanding, and it does the
> prospects of DNSSEC deployment no good whatsoever.
The most polite way to interpret your perorations on this topic is that you are concerned that the issues we are raising act as an obstacle to the deployment of DNSSEC. I have two responses to that.
First, if that is your argument, just say so, and don’t try to sell the public on false dichotomies between “political” and “technical” issues; don’t misrepresent distributing authority among three trusted nongovernmental entities as a “cast of thousands,” etc. Make an intelligent case that DNSSEC needs to be implemented NOW. Then we can have an debate about the costs and benefits of various DNSSEC implementation scenarios. Which leads to the second response.
What’s the rush to implement DNSSEC? If this controversy delays DNSSEC deployment, why is that a crime if the questions are real? I am not convinced, and a lot of others are not convinced, that the addition to security that DNSSEC yields is worth the costs and the political risks. Those unconvinced people include a lot of folks inside ICANN and IETF who won’t say so publicly but don’t buy the party line about its necessity and view it as an overly complex “propeller head” solution that will cause more trouble than it’s worth. Numerous parties have commented that it does not address the main security risks facing the internet. Registries with large zone files, notably VeriSign and DENIC, seem less than enthusiastic about it, although some, like Nominet, are. If you add to this shaky economic/technical case the governance implications of further hardening the centralization of control over the root, and you have at best a mixed case. Anything we implement now will get hardened into practice and won’t be changed for decades. So what’s the rush? That’s something that needs to be discussed, not driven off the table by the kind of fulminations you offered in your circle ID post.
IGP has attempted to foster intelligent and balanced discussion of this topic. Look at the composition of our IGF Workshop, which included IANA, Nominet, someone from the RIPE community, as well as DENIC, IGP, and someone from CGI.BR. Look at the composition of our May 2007 conference, which also brought together people from all sides, including NIST of the US government and VeriSign.
Geoff Huston said:
DNSSEC is supposed to deliver “security” of some sort as a product. To suppose that any security product can be fully described and evaluated on the basis of the technology that it employs strikes me as hopelessly naive, and far removed from any real understanding of what “security”, as such, entails. Yet, when you and others beg that political issues be set aside in the name of enabling this “security” technology, you project this kind of naivety in sharp relief.
The question of who should have the ability to authorise changes is not a technical question, it’s true. Such a question is posed as part of determining the requirements of the system, which should always come prior to the prescription of any particular technology as a solution. However, we have a situation where the system requirements have been framed on the basis of a de facto administrative structure, and the application of the solution will serve to ossify that administrative structure. It should, therefore, come as no surprise that those who are not satisfied with the current administrative structure are presenting this kind of opposition to the technology, despite whatever merits it may have.
DNS is a key part of the operation of the Internet, and its centrally controlled design makes it a political football. It’s naive to think that a high-level technology like DNSSEC can be discussed—let alone deployed—without reigniting the same old root-level differences of opinion. If you want to avoid the political issues, you’ll have to be satisfied with a solution on paper, like so many anti-spam “solutions” which take the form, “if only everyone did this, there wouldn’t be a problem.” It’s one thing to build a technology which serves a purpose; it’s quite another thing to build a technology which serves the people is supposed to serve in such a way that a critical mass will actually want it. The former is a technical matter; the latter political. It takes considerable cross-disciplinary skill to meet both these goals.
In short, my position on DNSSEC is that its time has not yet come. Maybe I’m wrong, but experience so far validates that position. If you can solve the governance issue so that enough people will want a cryptographically signed version of the system, then DNSSEC will be easy to design and deploy. Until then, it’s a case of premature optimisation. To add signatures to the DNS before people are happy with its administrative structure is to put the cart well in front of the horse. Simply telling people to stop whining about the administrative issues so that we can secure the system isn’t going to work.
There’s no guarantee that the governance issue can be solved, but there’s no point pushing DNSSEC until it is—unless you can somehow make it completely independent of governance.
Larry Seltzer has written a follow up story on eWeek:
DNSSEC Is Dead, Stick a Fork in It