[Infowarrior] - Feds Start Moving on Net Security Hole

Richard Forno rforno at infowarrior.org
Thu Oct 9 01:25:33 UTC 2008 

Feds Start Moving on Net Security Hole
By Ryan Singel EmailOctober 08, 2008 | 8:05:21 PMCategories:  
Cybersecurity, Hacks and Cracks
http://blog.wired.com/27bstroke6/2008/10/feds-take-step.html

Starting Thursday morning, the U.S. government is seeking comment on  
who should create and vouch for the internet's most crucial document  
-- the root zone file -- that serves as the cornerstone of the system  
that lets users get to websites and emails find their way to inboxes.

The non-profit ICANN, the for-profit Verisign and the Commerce  
Department's National Telecommunications and Information  
Administration all have different answers to what is a long-standing,  
and geopolitically charged internet governance question.

But the only thing that matters for the security of the internet is  
the speed that they answer the question, according to domain-name  
system expert Paul Vixie.

"We've got to get the root signed, it does not matter by whom," Vixie  
said by e-mail. "It's necessary simply that it be done, by someone,  
and that we stop anyone from arguing about whether letting someone  
hold the root key would make them king."

At issue is a massive net security hole that security researcher Dan  
Kaminsky discovered in early 2008 that was temporarily patched in  
July. If not given a complete fix soon, the vulnerability could allow  
so much net fraud that it would strip all trust from the internet  
users that any website they were visiting is the genuine article,  
experts say.

The only known complete fix is DNSSEC -- a set of security extensions  
for name servers. (That said, there are other effective defenses and  
OpenDNS, for one, protects users now.)

Those extensions cryptographically sign DNS records, ensuring their  
authenticity like a wax seal on an letter. The push for DNSSEC has  
been ramping up over the last few years, with four regions --  
including Sweden (.se) and Puerto Rico (.pr) -- already securing their  
own domains with DNSSEC. Four of the largest top-level domains  
-- .org, .gov, .uk and .mil, are not far behind, while the entire U.S.  
government will comply for its websites starting in January 2009.

But because DNS servers work in a giant hierarchy, deploying DNSSEC  
successfully also requires having someone trustworthy sign the so- 
called "root file" with a public-private key. Otherwise, an attacker  
can undermine the entire system at the root level, like a criminal  
having taken over control of the Supreme Court justices.

With a properly signed root file, your browser can repeatedly ask,  
"How do I know this is the real answer?", until the question reaches  
the root file, which says, "Because I vouch for it."

Bill Woodcock, one of the net's foremost experts on network security,  
blasted the NTIA earlier this summer for moving too slowly on DNSSEC,  
while the government protested that it was moving at the right speed.

"If the root isn't signed, then no amount of work that responsible  
individuals and companies do to protect their domains will be  
effective," Woodcock said in July. "You have to follow the chain of  
signatures down from the root to the top-level domain to the user's  
domain. If all three pieces aren't there, the user isn't protected."

On Tuesday, NTIA's Acting Assistant Secretary Meredith Baker told  
international net leaders that it was opening comment on DNSSEC and  
root zone signing this week.

"In light of existing and emerging threats, the time is ripe to  
consider long-term solutions, such as DNSSEC," Baker said. "As we  
consider deployment of DNSSEC, particularly at the root zone level, it  
is critical that all the interested stakeholders have the opportunity  
to express their views on the matter, as deployment of DNSSEC would  
represent one of the most significant changes to the DNS  
infrastructure since its inception."

That's where the politics comes in. The DNS root is controlled by the  
NTIA, which divides the responsibility for the creation, editing and  
distribution of the root file between itself, ICANN and the for-profit  
Verisign, which runs the .com domain.

Currently companies that manage top-level domains like .com submit  
changes to ICANN, which then sends them to NTIA for approval, before  
they're forwarded to VeriSign. VeriSign actually edits the root file  
and publishes it to the 13 root servers around the world.

Now in a previously unpublished draft (.pdf) of the final proposal  
given to the government (.pdf), ICANN says its best qualified for the  
root signing job and proposes to take over the job of approving the  
changes, editing the root file, and signing it, then handing it off to  
VeriSign for trusted distribution.

But changing that system could be perceived as reducing U.S. control  
over the net -- a touchy geopolitical issue. ICANN is often considered  
by Washington politicians to be akin to the United Nations.

VeriSign, often criticized for trying to exercise too much control  
over the net, counter-proposes that its role be enlarged. Under its  
proposal (.pdf), the root zone file will be signed using keys it  
distributes to the root server operators and if enough of them sign  
the file, then it is considered official.

The root-zone file, which contains entries for the 300 or so top-level  
domains such as .gov and .com, changes almost every day, but the  
number of changes to the file will likely increase radically in the  
near future, since ICANN decided in June to allow an explosion of new  
top-level domain names.

Verisign and the NTIA declined to comment ahead of the proceedings,  
while ICANN did not return a call for comment.

Public comments will be taken on the Notice of Inquiry that will be  
published Thursday morning on the NTIA's website.

More information about the Infowarrior mailing list