Homeland Security Department was warned about DNSSEC key ownership and trust issues

A consulting group (DNK LLC) report to the U.S. Department of Homeland Security stated clearly that the problems of who would own the DNSSEC keys and mistrust of the U.S. government's intentions could be barriers to DNSSEC deployment. While the August 2006 report covers developments only from March 2005 to July 2006, it makes two important points that are relevant and timely today. First, it makes clear, if it weren't already, that the issue of root signing and key management has been recognized as a political issue for a long time. It also offers some interesting insights on how DHS has approached the politics of DNSSEC and Internet security.

In developing the government's message about DNSSEC, DNK clearly identified barriers to adoption across several relevant interest groups, including the Internet community, the private sector, other governments and public sector actors, consumers/end users, and the media. Tellingly, “ownership of DNSSEC keys and registration” and “trust in government's [i.e., the USG] intention” were specifically identified as potential tripping points across many of the groups.

DNK Report

What makes the report so amazing is the clear recognition that DNSSEC, and particularly adoption at the root, is political. And despite the identification of this, and the increasing tension over US control of critical Internet resources expressed in the last two IGFs, it is likely that DHS ignored this advice and responded by issuing a draft root signing technical specification in November 2006 to a small group of technical experts in government, academia, and key Internet governance and infrastructure organizations. The group members were all traditional allies that the US looks to in efforts surrounding Internet governance. However, this limited effort at building consensus about a procedure to digitally sign a critical component of the global Internet came up short. By the ICANN meeting in March 2007, word of the specification got out to organizations in countries not on the distribution list. Concerns were voiced publicly in Lisbon, and the "DHS wants the keys" story, despite being based largely on perception, had legs.

DNSSEC and politics of core Internet standards

For those who doubt the politicization of DNSSEC and other core Internet standards, the report provides a detailed description of how it came about. The Program Manager for the Cyber Security R&D Center in the DHS Science and Technology Directorate specifically asked for DNK's assistance in raising the level of awareness in the U.S. Congress about the Homeland Security Advanced Research Project Agency’s (HS-ARPA) cyber security research efforts. To support this activity, DNK explained in a letter to the Cyber Security Industry Association (CISA) how HS-ARPA had funded DNSSEC R&D activity, including some involved in IETF activities, and was now involved in transitioning the technology from research and development to adoption. DNK developed language about mandating DNSSEC in federal government information systems by the end of 2007, which it passed to the lobbying arm of CISA for inclusion in proposed Congressional legislation combating identity theft and phishing. However, this legislation was later dropped. (Nonetheless, a partial requirement was later issued in FIPS 800-53.) DNK also recommended building relationships with various members of Congress serving on the Committee on Homeland Security and their staffers.

Over the last year, this seems to have been somewhat more successful, as both the Program Manager and the Undersecretary of DHS’s Science and Technology Directorate testified before the committee outlining its pursuits and proposed budget. The testimony included references to DHS’s DNSSEC promotion activities and its work with ARIN to develop and deploy a Public Key Infrastructure that would facilitate digitally signing Internet Service Providers’ advertised routes (pg. 51). The testimony to the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee was received favorably, with one of its members commenting that there was not enough investment in R&D for cyber security in the S&T Directorate. This should be welcome news for US-based contractors and grantees working in this area. And with DHS Secretary Chertoff’s end-of-year report recently promoting cyber security as an area the department’s agenda will focus on in 2008, the politics are only beginning.

Government and technical standards

To anyone who studies technical standards development, the fact that DHS is involved in DNSSEC is not all that shocking. In fact, there is often a needed role for governments in research and development of new technologies (think of the early Internet). But there also is a long history of governments seeking to influence technical standards in order to protect domestic industry, enhance their own power, or achieve economic gain. What makes the case of DNSSEC and DHS’s tinkering with the security of other core Internet standards (like securing protocols for routing infrastructure, i.e., DHS's SPRI effort) interesting is the widely held belief that the activities of key Internet infrastructure organizations like IETF and ARIN are led entirely by private sector interests. Couple this with the fact that the Internet's core infrastructure is transnational in nature and supports a global economy, and it's no wonder that many Internet stakeholders are concerned about DNSSEC.

2 comments

  1. Anonymous

    Hi Brenden,
    Good catch with this report. I just read it and here are my observations:
    – The report's contents are basically sound, even when reading it 18 months after publication.
    – Despite your attention to the (correctly identified) political barriers to DNSSEC adoption at the DNS core, this is only a very small portion of the report contents.
    – This is clearly a USG-centric consulting assignment, but it is at arm's length with the DOC relationship with ICANN. I.e. the report deals mainly with the DHS role, NIST involvement, TLD operations for .gov, .us, .mil. So please, don't take this report as an argument for scepticism about actual Internet governance by the USG — if anything, the report hints that DOC decisions would be actually free from DHS interference.
    – If USG-sponsored organizations contributed to the DNSSEC protocol development, there isn't the slightest clue (in the report, in the RFC contents, or elsewhere) that such contributions impaired the technical merits of the protocol.
    So far, the only agreed-upon rationale for scepticism about the USG Internet governance with respect to DNS is that “the United States […] will therefore maintain its historic role in authorizing changes or modifications to the authoritative root zone file.” ( http://www.ntia.doc.gov/ntiahome/domainname/USDNSprinciples_06302005.htm )
    – Thierry Moreau