Ill-advised stampede to deploy DNSSEC at the root?

Lost in the media excitement surrounding the Kaminsky variant cache poisoning attack and ongoing frenzy to patch vulnerable recursive nameservers, the calls for DNSSEC as the only complete solution to similar attacks and the accusations by the technical community that the DoC was dragging its feet in approving root signing, and the order issued by the OMB to deploy DNSSEC in gov by January 2009, was this letter last week from ICANN to NTIA regarding their intention to submit a detailed proposal concerning signing the root to the Department this month.

In it, ICANN argued that “full deployment of DNSSEC would be a solution to these vulnerabilities” and that “the first step in attaining this solution is making specific plans for, then implementing DNSSEC at the root level.” While you won’t find much disagreement among the technical community on the first issue (although there is plenty of work occurring on easier to implement, but temporary fixes), it should be obvious that the second assertion is debatable. Simply put, if the root were signed tomorrow, the vast majority of the DNS would still be unsecure for a long time to come. Numerous improvements would still need to be undertaken by registries, registrars, ISPs, and software providers to achieve a globally meaningful secure DNS. Sure signing the root could provide a signal to the market to begin deploying, but in no way is it a required “first step.” There is a massive amount of work still to be done.

And besides, there are temporary, completely feasible alternatives to signing the root that would achieve the same goal. For instance, an IANA-run ITAR. Such a solution would similarly signal the market to begin DNSSEC deployment activities, but would avoid further strengthening of the DNS bottleneck while the appropriate technical and political solutions for distributing signing authority can be found.

Comments are closed.