Cybereye | Should DHS get the keys to the kingdom?
- By William Jackson
- Apr 09, 2007
The Homeland Security Department has stirred up online controversy with its suggestion that the government should hold a master key for digitally signing the root zone of the Domain Name System under the DNS Security scheme.
DNS is the system that allows Internet users to transparently find the IP address associated with a domain name. It is not clear what difference it would make if the government holds a high-level key, given that the government, which developed the Internet, still exerts its quiet control over it through the Internet Corporation for Assigned Names and Numbers. And we're not talking about the keys for decrypting personal data. The DNS information we are talking about is transmitted in the clear. It's only a digital signature that is being used.
Maybe it dates back to the unfortunate idea of the Clipper Chip, which would have given the government a back door to everyone's encrypted data, but there has been a visceral reaction against putting any more keys into the government's hands.
Some of the objections are based on concerns about censorship or control. 'Not to get superpolitical here, but there is far too much going on as it is concerning what can be said, shown, viewed,' wrote one North American Network Operators Group e-mail list member.
Some of the concerns are more technical. 'Wouldn't the holder of these keys be the only ones able to spoof DNSSEC?' another list member wrote. 'I just don't see how adding another single point of failure to the DNS system, in the form of a master key, helps strengthen DNS overall.'
DNS is a building block of the Internet. Lists of domain names and associated IP addresses are maintained on a hierarchy of servers. Requests are referred up a chain until they reach a server where the requested domain information is found. But like the rest of the Internet, DNS was not designed with security in mind. False information can be placed in a DNS server, sending end users to fraudulent sites even with a legitimate URL.
DNSSEC is a set of extensions developed by the Internet Engineering Task Force for authenticating data returned from a DNS server, guaranteeing its integrity. It uses public-key infrastructure to digitally sign DNS server data so it can be verified by the client using a public key.
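To make the mechanism concrete, here is an added example, not code from the column or from any DNSSEC implementation, that models the chain of trust the column describes: each zone in the hierarchy (root, top-level domain, domain) signs its own data and a digest of its child's public key, and a validating resolver walks from a configured trust anchor (the root's public key) down to the answer, rejecting it if any link fails. The zone names, the 192.0.2.10 / 198.51.100.99 addresses and the keys are all constructed; real DNSSEC uses DNSKEY, RRSIG, DS and NSEC records in canonical wire format rather than the simplified strings used here, but the validation logic is the same shape.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is the signed material a validating resolver fetches from one level of
// the hierarchy. All names, addresses and keys in this example are constructed.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	Record string            // the answer this zone serves, e.g. an A record
	RecSig []byte            // signature over Record (plays the role of RRSIG)
	DS     map[string][]byte // child name -> digest of the child's key (plays the role of DS)
	DSSig  map[string][]byte // signature over each DS entry
}

func dsDigest(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(child), pub...))
	return h[:]
}

func dsMessage(child string, digest []byte) []byte {
	return append([]byte("DS:"+child+":"), digest...)
}

// BuildZone generates a key for the zone and signs its record and delegations.
// Zones are built bottom-up because a parent signs digests of its children's keys.
func BuildZone(name, record string, children map[string]ed25519.PublicKey) (*Zone, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, Record: record,
		DS: map[string][]byte{}, DSSig: map[string][]byte{}}
	if record != "" {
		z.RecSig = ed25519.Sign(priv, []byte(record))
	}
	for child, cpub := range children {
		d := dsDigest(child, cpub)
		z.DS[child] = d
		z.DSSig[child] = ed25519.Sign(priv, dsMessage(child, d))
	}
	return z, priv
}

// Validate walks the delegation chain from the trust anchor to the leaf and
// returns the leaf record only if every link verifies.
func Validate(anchor ed25519.PublicKey, chain []*Zone) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	if !chain[0].Pub.Equal(anchor) {
		return "", errors.New("root key does not match configured trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		d, ok := parent.DS[child.Name]
		if !ok {
			return "", fmt.Errorf("%s: no signed delegation in %s", child.Name, parent.Name)
		}
		if !ed25519.Verify(parent.Pub, dsMessage(child.Name, d), parent.DSSig[child.Name]) {
			return "", fmt.Errorf("%s: delegation signature invalid", child.Name)
		}
		if !bytes.Equal(d, dsDigest(child.Name, child.Pub)) {
			return "", fmt.Errorf("%s: key does not match parent's digest", child.Name)
		}
	}
	leaf := chain[len(chain)-1]
	if !ed25519.Verify(leaf.Pub, []byte(leaf.Record), leaf.RecSig) {
		return "", fmt.Errorf("%s: record signature invalid", leaf.Name)
	}
	return leaf.Record, nil
}

// BuildDemoChain constructs root -> gov -> example.gov (constructed names and a
// documentation-range address) and returns the root's public key as the
// resolver's trust anchor.
func BuildDemoChain() (ed25519.PublicKey, []*Zone) {
	leaf, _ := BuildZone("example.gov.", "www.example.gov. A 192.0.2.10", nil)
	tld, _ := BuildZone("gov.", "", map[string]ed25519.PublicKey{leaf.Name: leaf.Pub})
	root, _ := BuildZone(".", "", map[string]ed25519.PublicKey{tld.Name: tld.Pub})
	return root.Pub, []*Zone{root, tld, leaf}
}

func main() {
	anchor, chain := BuildDemoChain()
	fmt.Println(Validate(anchor, chain)) // genuine answer validates
	chain[2].Record = "www.example.gov. A 198.51.100.99" // a planted false record
	fmt.Println(Validate(anchor, chain)) // rejected: record signature invalid
	rogue, _ := BuildZone("example.gov.", "www.example.gov. A 198.51.100.99", nil)
	fmt.Println(Validate(anchor, []*Zone{chain[0], chain[1], rogue})) // rejected: key digest mismatch
}
```

The three calls in main show what DNSSEC buys a resolver: a false record planted in a server, or a record signed with a key the parent never delegated to, fails validation even though the query itself travels in the clear. They also show the list member's concern in concrete terms: the only thing the resolver trusts unconditionally is the anchor, so whoever holds the private key that matches it can sign any delegation and have it accepted, which is why key custody, not confidentiality, is the crux of the argument.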
The issue of who holds signing keys has until recently been pretty much an academic one. DNSSEC has been around since 1999, but, largely because of scalability problems, it had been impractical to deploy until a revised version of the scheme was approved in 2006. DHS has a program to encourage the use of DNSSEC, but the Internet community has been slow to adopt it. A good part of the problem is the chicken-and-egg conundrum. DNSSEC has to be widely deployed before there is any advantage to it, and there is no incentive to deploy it if there is not an immediate advantage.
But that might be changing, with the U.S. government leading the way, as DNSSEC becomes a requirement under the Federal Information Security Management Act.
The National Institute of Standards and Technology last May released Special Publication 800-81, the 'Secure Domain Name System Deployment Guide.' One of the recommendations in the guide was to 'protect the ubiquitous DNS query-response transaction ... using digital signatures' as outlined in the IETF's Domain Name System Security Extensions (DNSSEC) specification.
That recommendation took on new force with the publication in December of Revision 1 of SP 800-53, 'Recommended Security Controls for Federal Information Systems,' which references SP 800-81 as a source of security controls. As NIST points out, 'agencies are expected to be in compliance with NIST security standards and guidelines within one year of the publication date unless otherwise directed' by NIST or the Office of Management and Budget.
That means that, barring new instructions, FISMA requires deployment of DNSSEC on federal DNS servers by December 2007. That does not mean it will happen on schedule, of course. And most of the top-level DNS servers are run by industry, not government.
But DNS security is a hot topic, and U.S. government adoption could spur the adoption of these protocols throughout the Internet. In that case, the question of who holds which keys to what is likely to heat up.
William Jackson is a Maryland-based freelance writer.