DNSSEC to be strangled at birth.

Hagai Bar-El info at hbarel.com
Fri Apr 6 11:48:35 EDT 2007


Hello,

On 04/04/07 19:51, Dave Korn wrote:
>   The DHS has "requested the master key for the DNS root zone."
> 
> http://www.heise.de/english/newsticker/news/87655
> http://www.theregister.co.uk/2007/04/03/dns_master_key_controversy/
> http://yro.slashdot.org/article.pl?sid=07/03/31/1725221
> 
>   Can anyone seriously imagine countries like Iran or China signing up to a
> system that places complete control, surveillance and falsification
> capabilities in the hands of the US' military intelligence?  I could see some
> (but probably not even all) of the European nations accepting the move at face
> value and believing whatever assurances of safeguards the DHS might offer, but
> the rest of the world....?  No way.
> 
>   Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread
> non-acceptance.  And unless it's used everywhere, there's very little point
> having it at all.


I guess it's mostly a matter of the expectations that non-US nations
have from DNSSEC in the first place.

If I understand this correctly, the situation as it would be once DHS
has the keys will be no different than what it is today. The US will be
able to spoof DNS responses that are resolved within its cloud. To forge
a DNS response you need not only to be able to sign as a DNS server, but
you also need to be (on the path of) the DNS server that is asked. This
is no different from the situation as it is today, and non-US countries
still use the Internet.

The question is whether or not these non-US countries ever expected
DNSSEC to solve their problems with US national surveillance. I have no
facts, but I believe that they never did. After all, there is some
master key somewhere and this master key is kept by someone (I am not
sure if key splitting was ever considered). As far as national
intelligence is concerned, there is no difference between having the
keys held by a ".org" or by a ".gov". The keys are in some nation's
jurisdiction and are thus subject to subpoenas that are enabled by some
government with its own legal system that the community has no control
over. Be it the US, or the EU, or anyone else.

DNSSEC, I think, comes to solve the problem of hackers who fake DNS
responses to phish for your credit card details, not the problem of
national espionage. And if you don't expect, you are not disappointed...

Hagai.


-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
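The point made in the message above, that whoever holds the root key can produce a chain a validating resolver will accept while the resolver itself never learns who handed it the response, as an added Go example that is not part of this post or thread: a toy DNSSEC-style chain of trust in which ed25519 key pairs stand in for zone keys and signed links stand in for DS/RRSIG records. The zone names, addresses and three-level chain are constructed for the example and are not from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Zone: a zone's key pair (stands in for its DNSKEY and the private key behind it).
type Zone struct{ Name string; Pub ed25519.PublicKey; Priv ed25519.PrivateKey }
// Link: a child's key vouched for by the parent's signature (the DS+RRSIG role); the first link is the trust anchor and has no Sig.
type Link struct{ Zone string; Key ed25519.PublicKey; Sig []byte }
func NewZone(name string) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return Zone{name, pub, priv}
}
func msg(name string, data []byte) []byte { return append([]byte(name+"|"), data...) }
// Delegate signs the child's key with the parent's private key.
func Delegate(parent, child Zone) Link {
	return Link{child.Name, child.Pub, ed25519.Sign(parent.Priv, msg(child.Name, child.Pub))}
}
// Answer signs a name/data pair with the owning zone's private key.
func Answer(z Zone, name, data string) []byte { return ed25519.Sign(z.Priv, msg(name, []byte(data))) }

// Validate walks from the trust anchor down to the signed answer like a validating resolver; it cannot tell who delivered the response.
func Validate(anchor ed25519.PublicKey, chain []Link, name, data string, sig []byte) bool {
	if len(chain) == 0 || !chain[0].Key.Equal(anchor) {
		return false
	}
	for i := 1; i < len(chain); i++ {
		if !ed25519.Verify(chain[i-1].Key, msg(chain[i].Zone, chain[i].Key), chain[i].Sig) {
			return false
		}
	}
	return ed25519.Verify(chain[len(chain)-1].Key, msg(name, []byte(data)), sig)
}

// Demo: do the real chain, an outsider's forgery (keys of their own), and the root-key holder's forgery validate against one anchor?
func Demo() (legit, outsider, holder bool) {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	trust := []Link{{".", root.Pub, nil}} // every resolver is configured with root.Pub
	name, ip, fakeIP := "www.example.com.", "192.0.2.10", "198.51.100.7" // constructed sample data
	legit = Validate(root.Pub, append(trust, Delegate(root, com), Delegate(com, ex)), name, ip, Answer(ex, name, ip))
	fRoot, fCom, fEx := NewZone("."), NewZone("com."), NewZone("example.com.") // attacker's own keys
	fake := Answer(fEx, name, fakeIP)
	outsider = Validate(root.Pub, append(trust, Delegate(fRoot, fCom), Delegate(fCom, fEx)), name, fakeIP, fake)
	holder = Validate(root.Pub, append(trust, Delegate(root, fCom), Delegate(fCom, fEx)), name, fakeIP, fake)
	return
}
```

Demo returns true, false, true: the outsider's chain breaks at the first delegation because it is not signed by the real root key, while the root-key holder's chain checks out link by link, and neither outcome says anything about who was on the path to deliver the answer.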
