The Politics of DNSSEC: The Light Begins to Dawn at IETF

We republish below an astounding post by VeriSign's DNS expert, Dr. Phillip Hallam-Baker, made on the IETF list. In it, he incisively describes the political implications of signing the root using DNSSEC, something we at IGP have been trying to do for about a year now. He also calls for sharing the signing authority, as IGP has also been doing. When we do this, we are sometimes accused of needlessly “politicizing” the issue. Wonder what they'll say now. Let's put Hallam-Baker on that IGF panel on “critical Internet resources” maybe, and see if his candor survives the glare of publicity?

– Begin post –
Subject: RE: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt
From: “Hallam-Baker, Phillip”
Date: Thu, 30 Aug 2007 05:04:33 -0700

I think that some folk besides myself have to do some wargaming to consider what the political consequences of signing the root might be. Consider that this is an infrastructure which needs to be robust over a timescale of several decades if not centuries. Consider also the likelihood that whoever is in charge of the root might perform an action that some party might consider a defection over such an extended timescale.

For example, a small but vocal group of voters in the western southern peninsula of state A consider themselves to be political exiles from state B, an island in the vicinity of the peninsula. State A has a particular position of influence over the root and said voters lobby for the exclusion of state B. If such a thing were to happen today the result would be a temporary fracture of the root followed by the rapid emergence of an alternative root structure that was not subject to abusive influence from state A. The parties have authority but not power. If the root is signed by a unitary entity, that entity has absolute power. A defection cannot be countered by a fracture of the root. Today, scope for defection is kept in balance by the lack of security. The root is ultimately defined by the location to which a particular network provider directs UDP packets with the root server IP address. After signing, the root will be defined by the knowledge of the private key corresponding to the widely distributed embedded public key.

Consider the fact that Europe is currently planning to duplicate the GPS satellite system at a cost of several billion dollars despite the fact that the sole point in doing so is to prevent a similar defection on the part of the US. The idea that control of the DNS root will not be subjected to even more considerable geo-political pressure is naïve. In 1995 deployment could have taken place without attracting undue attention; that is not the case today.

So no, I don't think that there will be a unitary signer. The architecture is inherently flawed. Rather than have a single party sign the root we should probably look to a situation where there are multiple signer entities.

– End post –
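The trust-anchor relationship Hallam-Baker describes above (after signing, the root becomes whatever the holder of the private key behind the embedded public key signs) is easier to see in code. The Go program below is an added illustration, not part of his post or of this blog's commentary, and it is a toy model rather than DNSSEC: it uses an ed25519 key pair in place of the root's key-signing key, a SHA-256 digest of that public key in place of the DS-style trust anchor a resolver ships with, and constructed sample text in place of the root zone. Every name in it (RootSigner, Resolver, Scenario, the tld-a/tld-b labels) is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added illustration, not a DNSSEC implementation: real DNSSEC carries
// DNSKEY, DS and RRSIG records with key tags, algorithms and validity
// windows, none of which are modelled. The shape is the same: a resolver
// embeds a digest of the root's signing key, and "the root" is whatever
// the matching private key has signed.

// RootSigner holds one candidate root operator's key-signing key pair.
type RootSigner struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewRootSigner() RootSigner {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return RootSigner{Public: pub, private: priv}
}

// TrustAnchor is the DS-style digest a resolver ships with. The resolver
// only ever holds this digest, never the private key.
func TrustAnchor(pub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(pub)
}

// SignedRoot is a published root: apex data, signing key and signature.
type SignedRoot struct {
	Zone []byte
	Key  ed25519.PublicKey
	Sig  []byte
}

func (s RootSigner) Publish(zone []byte) SignedRoot {
	return SignedRoot{Zone: zone, Key: s.Public, Sig: ed25519.Sign(s.private, zone)}
}

// Resolver is configured with one or more trust anchors.
type Resolver struct {
	Anchors [][32]byte
}

// Validate accepts a root only if its key matches a configured anchor and
// the signature verifies. Where the packets came from plays no part.
func (r Resolver) Validate(root SignedRoot) bool {
	digest := TrustAnchor(root.Key)
	for _, a := range r.Anchors {
		if a == digest {
			return ed25519.Verify(root.Key, root.Zone, root.Sig)
		}
	}
	return false
}

// Outcome records what each resolver configuration does with each root.
type Outcome struct {
	OriginalAccepted      bool // resolver anchored to A validates A's root
	TamperedRejected      bool // A's root altered in transit fails
	AlternateRejected     bool // a root signed by B fails under anchor A
	RepinnedAcceptsAlt    bool // a resolver re-anchored to B accepts B's root
	RepinnedRejectsOrig   bool // and no longer accepts A's
	DualAnchorAcceptsBoth bool // a resolver holding both anchors accepts either
}

// Scenario plays out the "defection" from the post on constructed zone
// data. Keys are random per run; the outcomes do not depend on them.
func Scenario() Outcome {
	signerA := NewRootSigner() // the unitary signer of the post
	signerB := NewRootSigner() // an alternative root operator

	zoneA := []byte(". SOA constructed-sample\ntld-a NS ns.tld-a\n")
	zoneAlt := []byte(". SOA constructed-alternative\ntld-a NS ns.tld-a\ntld-b NS ns.tld-b\n")
	rootA := signerA.Publish(zoneA)
	rootAlt := signerB.Publish(zoneAlt)

	// A's root with a TLD added but A's signature kept: this is what
	// redirecting packets to a modified copy looks like once the root is signed.
	tampered := rootA
	tampered.Zone = append(append([]byte{}, rootA.Zone...), "tld-b NS ns.tld-b\n"...)

	anchoredToA := Resolver{Anchors: [][32]byte{TrustAnchor(signerA.Public)}}
	anchoredToB := Resolver{Anchors: [][32]byte{TrustAnchor(signerB.Public)}}
	anchoredToBoth := Resolver{Anchors: [][32]byte{TrustAnchor(signerA.Public), TrustAnchor(signerB.Public)}}

	return Outcome{
		OriginalAccepted:      anchoredToA.Validate(rootA),
		TamperedRejected:      !anchoredToA.Validate(tampered),
		AlternateRejected:     !anchoredToA.Validate(rootAlt),
		RepinnedAcceptsAlt:    anchoredToB.Validate(rootAlt),
		RepinnedRejectsOrig:   !anchoredToB.Validate(rootA),
		DualAnchorAcceptsBoth: anchoredToBoth.Validate(rootA) && anchoredToBoth.Validate(rootAlt),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The outcome is the point of the post. A resolver anchored to A rejects both a tampered copy of A's root and a correctly signed alternative root, so an alternative root can no longer be adopted by steering packets elsewhere; every resolver operator would have to replace its embedded anchor. The dual-anchor resolver is the closest this toy gets to "multiple signer entities", and it shows the price of that arrangement: the resolver accepts whichever root either key holder chooses to sign.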


8 comments

  1. Anonymous

    I guess there is a language ambiguity in Hallam-Baker's concluding remark:
    “Rather than have a single party sign the root we should probably look to a situation where there are multiple signer entities.”
    This could be either:
    a) alternate rootism, e.g. an ICANN-signed root and an ORSN-signed root (http://european.ch.orsn.net/) — the ORSN is just a convenient example, I don't know the status or any view on DNSSEC from their part
    b) shared ICANN oversight by multiple signer entities.
    I wish this ambiguity could be resolved, so the discussion can be correctly influenced by Hallam-Baker's observations.
    Regards,
    – Thierry Moreau

  2. Anonymous

    The confusion here is probably coming from the fact that PHB is a security guy and he is using the term root to refer to the root of trust, which is not the same thing as the DNS root.
    I would also suspect that he is talking about a situation where each participant chooses their own root of trust to rely on.
    I would also predict that when he does come out with something it will consist of a rather short proposal that effectively turns the whole system on its ear. Well, that's vision so good it's scary for you.

  3. Anonymous

    Well, [anonymous] is referring to an alternative interpretation c) which I didn't want to suggest in my first message.
    If such is the case, Hallam-Baker's concluding remark puts him in the bunch of commentators who don't like DNSSEC for various reasons, including its superimposition of secure delegations over the name hierarchy.
    Then what? Distaste for the DNSSEC security model has little to do with the politics of deploying DNSSEC as it is designed.
    Regards,
    – Thierry Moreau

  4. Anonymous

    That's not how I read his statement. When he calls attention to a structural flaw in a protocol it is usually because he wants to see if there is an opportunity to peddle his solution. Or maybe he wants to impress upon us all that this is a really, really hard problem before he puts his massive brain power to it.
    Can't see an application here for XKMS or SAML. So it's probably something new.

  5. Anonymous

    I think this article is a bit naive. DNSSEC does, and should, only add digital signatures to whatever domain names are created in the root zone. The key political process should be on what process defines the TLDs, and who the registries are.
    I have more about this in my blog post that comments on this article.

  6. Anonymous

    Thanks for pointing to this blog entry. You suggest DNSSEC deployment should not be subject to political debate. Great! I would like to be wrong, much like I would like to be wrong when I blame my teenage child for not cleaning up the mess in his bedroom.
    The way I see the intrusion of politics into the DNSSEC deployment project is somehow reflected in the following four statements:
    (A) Stakeholder XYZ has political concerns about the current DNS root governance.
    (B) Stakeholder XYZ sees the configuration of DNSSEC trust anchors in resolvers as a strengthening of the causes of the political concern.
    (C) Those in charge in the current DNS governance arrangement feel a need to address stakeholder XYZ concern.
    (D) Those in charge in the current DNS governance arrangement have difficulties in bringing up a DNSSEC root trust anchor key ritual that would alleviate stakeholder XYZ concerns.
    Trying to understand your opinion, I suppose you would agree with (A) and (C) — indeed the DNS root is currently subject to political debate and the DOC-NTIA and ICANN must act with caution — and disagree with either (B) or (D) or both.
    If you disagree with (B), how do you convince every significant stakeholder XYZ that DNSSEC does not matter? Perhaps you can't and then disagree with (C); then I wish you a constructive debate over ICANN policy development.
    If you disagree with (D), then you can easily answer a few basic questions about trust anchor key management for the root:
    For how long should the unique DNS root trust anchor key be valid?
    What happens if those in charge of the private key experience a security breach prior to the above validity period?
    How does ICANN protect itself from the bad publicity likely to be caused by the above security breach? I.e. if you agree with (C), how should ICANN reply to the likely public outcry from stakeholder XYZ after a security breach?
    Thank you for reading these questions, they might allow some commentators, e.g. myself, to have a better understanding of your opinion. Definitely, a strong case for your view would facilitate DNSSEC deployment.
    – Thierry Moreau

  7. Anonymous

    The questions are of course all about what roles the different entities have, and whether people trust them (i.e. whether XYZ in your example trusts the involved entities to “just” do what they should do).
    Regarding explaining that DNSSEC is “just” a technical tool, the closer (for some definition of close) DNSSEC key management is to the namespace management, the easier it will be to explain. And I claim the easier it will be to discuss (as you point it out) “the root”.
    Disconnecting the trust anchor from the namespace root (the root zone) will just lead to even more discussions, and, I claim, a situation that is MUCH harder to manage and evaluate the risks with.
    Patrik Fältström

  8. Anonymous

    Dear Patrik:
    OK, I give it yet another shot.
    Trying to summarize your point: everybody trusts IANA; IANA performs well; anyway if IANA does not perform as expected, just blame yourself for having trusted it; and perhaps even IANA fixes itself if it fails because they know how to.
    Two questions:
    Doesn't IANA become a focal point of accountability for operational mishaps? (The word accountability was cautiously omitted from my previous post.) Is it feasible at all for IANA itself to become like a *global* PKI CA once envisioned (i.e. before 2001)?
    Do you seriously believe the USG trusts IANA? You know these principles (“… United States … will therefore maintain its historic role in authorizing changes or modifications to the authoritative root zone file”) and the DHS/NIST/Sparta/Shinkuro study. According to these, DNSSEC close to the root means DNSSEC close to the USG.
    The legitimate opinion that DNSSEC is *just* digital signatures on DNS entries should be supported by more precise procedural guidance on deployment at the root. If it's so easy to apply the technology in a policy-deprived way, tell us how.
    Mueller and/or Hallam-Baker seem confused. How come the technical community failed to teach them how easy it is to deploy DNSSEC without falling into governance debates?
    – Thierry Moreau