Feds start moving on net security hole
Starting Thursday morning, the U.S. government is seeking comment on who should create and vouch for the internet's most crucial document -- the root zone file -- that serves as the cornerstone of the system that lets users get to websites and emails find their way to inboxes.
The non-profit ICANN, the for-profit Verisign and the Commerce Department's National Telecommunications and Information Administration all have different answers to what is a long-standing, and geopolitically charged internet governance question.
But the only thing that matters for the security of the internet is how fast they answer the question, according to domain-name system expert Paul Vixie.
"We've got to get the root signed, it does not matter by whom," Vixie said by e-mail. "It's necessary simply that it be done, by someone, and that we stop anyone from arguing about whether letting someone hold the root key would make them king."
At issue is a massive net security hole that security researcher Dan Kaminsky discovered in early 2008 and that was temporarily patched in July. If a complete fix is not in place soon, the vulnerability could enable so much net fraud that internet users would lose all trust that any website they visit is the genuine article, experts say.
The only known complete fix is DNSSEC -- a set of security extensions for name servers. (That said, there are other effective defenses and OpenDNS, for one, protects users now.)
Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on a letter. The push for DNSSEC has been ramping up over the last few years, with four regions -- including Sweden (.se) and Puerto Rico (.pr) -- already securing their own domains with DNSSEC. Four of the largest top-level domains -- .org, .gov, .uk and .mil -- are not far behind, while the entire U.S. government will comply for its websites starting in January 2009.
But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called "root file" with a public-private key pair. Otherwise, an attacker can undermine the entire system at the root level, like a criminal taking control of the Supreme Court justices.
With a properly signed root file, your browser can repeatedly ask, "How do I know this is the real answer?", until the question reaches the root file, which says, "Because I vouch for it."
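The chain of questions and answers described above, modelled in code. This is an added illustration, not code from the article or from ICANN, VeriSign or any real DNSSEC implementation: the zone names, the three-level hierarchy (root, .com, example.com), the 192.0.2.x / 203.0.113.x documentation addresses and the small fixed primes are all constructed for the example. Signatures are textbook RSA over those tiny primes purely to keep the script dependency-free (insecure, and not how production DNSSEC keys are made), and DNSKEY, DS and RRSIG are modelled as plain byte strings rather than the real wire format. The point it shows is the one in the article: a validator starts from the root key it trusts, checks that each parent vouched for its child's key, and only then believes the final record; with no signed root there is nothing to start from.

```python
"""Toy model of the DNSSEC chain of trust: root -> TLD -> domain.

Added illustration only; not code from the article, ICANN, VeriSign or any
real DNSSEC implementation.  Signatures are textbook RSA over fixed small
primes, which is insecure and used only to keep the example dependency-free.
DNSKEY, DS and RRSIG are modelled as plain byte strings, not the wire format.
"""
import hashlib

# ---- toy signatures (textbook RSA, NOT secure) ------------------------------
def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) from two caller-supplied primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

# ---- zones ------------------------------------------------------------------
class Zone:
    """One signed zone: it holds a key pair and signs every record it publishes."""
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self.priv = make_keypair(p, q)
        self.records = {}          # "owner TYPE" -> (rdata, rrsig)

    def dnskey(self) -> bytes:     # the zone's public key as it would appear in DNS
        return f"{self.name} DNSKEY {self.pub[0]} {self.pub[1]}".encode()

    def publish(self, owner, rtype, rdata: bytes):
        self.records[f"{owner} {rtype}"] = (rdata, sign(self.priv, rdata))

    def delegate(self, child):
        """DS record: the parent vouches for the child's key by signing its hash."""
        self.publish(child.name, "DS",
                     hashlib.sha256(child.dnskey()).hexdigest().encode())

def validate(chain, trust_anchor, owner, rtype):
    """Walk the chain top-down as a validating resolver does.

    Returns "secure" (every link verified), "bogus" (a link failed) or
    "insecure" (no trust anchor, i.e. an unsigned root: nothing to start from).
    """
    if trust_anchor is None:
        return "insecure"
    if chain[0].pub != trust_anchor:
        return "bogus"
    for parent, child in zip(chain, chain[1:]):
        ds = parent.records.get(f"{child.name} DS")
        if ds is None or not verify(parent.pub, *ds):
            return "bogus"         # the parent never vouched for this child
        if ds[0] != hashlib.sha256(child.dnskey()).hexdigest().encode():
            return "bogus"         # the child presents a key its parent did not sign
    rec = chain[-1].records.get(f"{owner} {rtype}")
    if rec is None or not verify(chain[-1].pub, *rec):
        return "bogus"
    return "secure"

# ---- constructed sample hierarchy (toy primes, documentation addresses) -----
def build_chain():
    root = Zone(".", 2**107 - 1, 2**127 - 1)
    com = Zone("com.", 2**61 - 1, 2**89 - 1)
    example = Zone("example.com.", 1_000_000_007, 998_244_353)
    root.delegate(com)
    com.delegate(example)
    example.publish("www.example.com.", "A", b"192.0.2.10")
    return [root, com, example]

def demo():
    """Return the validation status of four constructed scenarios."""
    chain = build_chain()
    anchor = chain[0].pub          # configured out of band in a real resolver
    out = {"signed_root": validate(chain, anchor, "www.example.com.", "A"),
           "unsigned_root": validate(chain, None, "www.example.com.", "A")}
    # A TLD key the root never vouched for cannot be slotted into the chain.
    rogue = Zone("com.", 2**31 - 1, 2**61 - 1)
    rogue.delegate(chain[2])
    out["rogue_tld_key"] = validate([chain[0], rogue, chain[2]], anchor,
                                    "www.example.com.", "A")
    # A changed answer without a fresh signature fails at the last link.
    _, sig = chain[2].records["www.example.com. A"]
    chain[2].records["www.example.com. A"] = (b"203.0.113.66", sig)
    out["tampered_record"] = validate(chain, anchor, "www.example.com.", "A")
    return out

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16} {status}")
```

Running the script prints one status per scenario. The "unsigned_root" case is the situation the article is about: the validator has no anchor, so it cannot distinguish a genuine answer from a substituted one and must report the result as unvalidated rather than secure, which is why the domain-level signing that .se, .pr and the .gov rollout provide only becomes fully useful once the root itself is signed.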
Bill Woodcock, one of the net's foremost experts on network security, blasted the NTIA earlier this summer for moving too slowly on DNSSEC, while the government protested that it was moving at the right speed.
"If the root isn't signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective," Woodcock said in July. "You have to follow the chain of signatures down from the root to the top-level domain to the user's domain. If all three pieces aren't there, the user isn't protected."
On Tuesday, NTIA's Acting Assistant Secretary Meredith Baker told international net leaders that it was opening comment on DNSSEC and root zone signing this week.
"In light of existing and emerging threats, the time is ripe to consider long-term solutions, such as DNSSEC," Baker said. "As we consider deployment of DNSSEC, particularly at the root zone level, it is critical that all the interested stakeholders have the opportunity to express their views on the matter, as deployment of DNSSEC would represent one of the most significant changes to the DNS infrastructure since its inception."
That's where the politics comes in. The DNS root is controlled by the NTIA, which divides the responsibility for the creation, editing and distribution of the root file between itself, ICANN and the for-profit Verisign, which runs the .com domain.
Currently, companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval before they're forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.
Now, in a previously unpublished draft (.pdf) of the final proposal given to the government (.pdf), ICANN says it's best qualified for the root-signing job and proposes to take over approving the changes, editing the root file and signing it, then handing it off to VeriSign for trusted distribution.
But changing that system could be perceived as reducing U.S. control over the net -- a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations.
VeriSign, often criticized for trying to exercise too much control over the net, counter-proposes that its role be enlarged. Under its proposal (.pdf), the root zone file would be signed using keys it distributes to the root server operators, and the file would be considered official once enough of them have signed it.
The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.
Verisign and the NTIA declined to comment ahead of the proceedings, while ICANN did not return a call for comment.
Public comments will be taken on the Notice of Inquiry that will be published Thursday morning on the NTIA's website.