The US Department of Homeland Security is pushing to get hold of the master keys for a proposed revision of the internet's domain name system. The shortcomings of the present DNS have been known for years but difficulties in devising a system that offers backward compatability while scaling to millions of nodes on the net have …
There is no valid reason for them to have the keys
They don't need the master key unless they want to change things, and they are not supposed to change things, so they shouldn't have the keys.
Take temptation out of their reach.
There is no reason to let USA decide which server resolves .cn .jp .uk or any other top level domain. They change almost never, and each zone could (and should) keep their own top level list separate from the US. It's basic security, you don't become reliant on one provider for anything.
Changes to top level domains should be approved by authorities in each zone. So should you wake up tomorrow and find .eu suddenly is resolved by a server in Yakima or Virginia, you can decide to reject that change of DNS and your internet zone continues normally.
Better to let changes propagate slowly rather than hand control to the fruit loops.
Course, we all know what will happen if they say no.....
The administration will jump up and down and scream "September 11" "Terrorist" and "Al Quedia" until the other side is forced to give in.
And it will work. Did every other time they tried it.
Think about what they could do with the master key
I don't know a lot about DNSSEC but wouldn't this allow them to do man in the middle type attacks on pretty much anyone?
And because the DNS responses would be signed with valid trusted certificates, more trust would be put in the responses making them less likely to be double checked.
Now all they need to do is serve a secret order for Root Keys on US based Certificate Authorities (if they haven't already) and they can easily listen in on pretty much any internet SSL traffic without us being any the wiser. The only time they would have problem is in b2b type situations where both ends validate certificates that have previously been exchanged.
RE: Think about what they could do
What they _could_ do? Haven't you been paying attention?
Of course, if you didn't do anything wrong (e.g. provide material support for terrorists or democrats) then what's there to worry about?
Uh, Remember WHO Invented The Internet, Folks!
The Internet was created by the United States as part of the military (DARPANET). While it has blossomed into a world-wide phenomenon, the vast majority of the system infrastructure was developed by the US Government. Considering the dangers of international terrorism, the flow of illegal funds, and the ability to commit fraud on a global scale, the NSA most likely should have those keys. As should MI6 and Japan's Naicho.
[The]"NSA most likely should have those keys. As should MI6 and Japan's Naicho."
Are you trolling or serious? By the same token, should we, the British, have sole control of iron bridges (as we invented them) in case anyone comes over them we don't like? Possibly in the tanks we also thought of? Props for namedropping the Japanese security service though.
DNSSEC has nothing to do with SSL!
Just because DNSSEC is about "Security", you've jumped to the conclusion that this has something to do with the US spying on you. These keys have nothing to do with encryption keys, just like your car key can't open the door to your house.
The point of DNSSEC is to assure that when you go to www.yourbank.com or www.yourcreditcard.com that you aren't at a spoofed site that's trying to steal your identity. It assures that the site's name was resolved through a trusted DNS server. That's it. Nothing more.
Having that key doesn't allow them to unencrypt SSL communications or any kind of coded communications. And the only thing they could do with it is to redirect an entire top-level-domain (.com, .org, etc.) and try to get that redirect to propagate throughout the entire Internet name servers. Do you seriously think that could happen without anyone noticing? And even if they did, what would it accomplish? What would be the point? And if they ever did try it, all an ISP would have to do is ignore the DNSSEC certificates. Everything would work exactly as it does now.
The Internet is what it is today because of not just the US's inventions, but also of it's largely hands-off attitude toward management. If you think the Internet would be better off with China, Brazil, Myanmar, or Zimbabwe managing it, good luck with that.
Beware gov't over-control
(with great thanks to J. R. R. T. ...)
One key to track them back
One key to find them
One key to route them out and
In the Darkness arrest them.
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Review Vulture trails claw across Lenovo's touchy N20p Chromebook
- Adobe spies on readers: EVERY DRM page turn leaked to base over SSL
- Analysis The future health of the internet comes down to ONE simple question…