Computer Wire story on DNSSEC Deployment

[Steve Crocker]

Folks,

I'm sending this from the ICANN meeting in Argentina.

We had an extremely productive three hour public presentation at ICANN
on Tuesday morning.  We also made more specialized presentations to the
Governmental Advisory Committee, to the gTLD Registry of the GNSO, and
well in the Public Forum yesterday afternoon.  (You gotta love the
endless level of acronyms in the ICANN world.)  A lot of people put a
lot of work into the whole thing.  I'm particularly grateful to Allison
for her handling of the organization of the large session.

This was a very successful effort.  It was well received and it educated
a substantial number of people.  I think it was particularly successful
in putting DNSSEC into the minds of government and industry executives
who have not been following DNSSEC and wouldn't have otherwise paid
attention.  That is, this was a vital piece of consciousness-raising.
We'll need much more of this, and we've already staked out similar
workshops at the ICANN meetings in Luxembourg in mid July and in
Vancouver in late November.

I spent a half an hour with a reporter, Kevin Murphy, yesterday
afternoon.  He wrote a fairly lengthy story in Computer Business Review
Online.  The story is at

http://www.cbronline.com/article_news.asp?guid=C40AB871-6F2B-4566-96EE-A4D7E079D5A0

I think the story is basically good news for us, but it does have some
unfortunate and unintended aspects.  Suzanne commented privately:

          It sounds like ICANN, DHS, and the rootops have announced they
          are teaming up to save the DNS. Some, uh, nuance seems to have
          been lost.

          I've already gotten one "WTF?" type question. I'm sure I'll get
          more, as you will. What would you like for me to say?

I must admin I cringed at several points.  My comments on the specific
story points are embedded inline, flagged by "SDC:" in the copy of the
story below.

We should prepare some background material for the press that takes care
of these problems.  Suggestions are hereby solicited.

Thanks,


Steve


ICANN-backed project pushes DNS security
Email article to a friend

A project to roll out security to the internet's domain name system,
backed by ICANN and the US Department of Homeland Security, was launched
this week here at ICANN's weeklong meeting in Mar Del Plata, Argentina.

SDC: Multiple details are not quite right here.  The project wasn't
launched here.  The project has much broader backing than just U.S.
Homeland Security and ICANN.  ICANN's backing and DHS's backing are
qualitatively different.  DHS's involves money.  ICANN's involves a
committment to have it implemented.  The implications and cast are
probably irritating to folks in the technical community who have been
working on DNS Security for many years, and this is also probably
irritating to people outside the U.S.  I definitely tried to explain the
history and breadth of the effort.  I think this is the lead he felt
would get his readers attention.  I regret the result and apologize, but
I doubt there's any serious damage.

Steve Crocker, who is heading up the DNSSec Deployment Initiative with
funding from the DHS, told ComputerWire yesterday he expects DNSSec
support will be added to the internet's DNS root server system towards
the end of this year.

SDC: I tried to include Russ and Sparta.  Didn't take.

Fresh from an apparently successful meeting with ICANN staff and root
server operators, Crocker said some agreement had been reached. He said:
"We're not going to do it piecemeal, we've got to do it all together or
not at all."

SDC: This creates two misimpressions.  First, there wasn't any closed
door meeting this week where an agreement was reached, nor did I say we
have to do it all at once.  I did try to explain that getting the root
signed would simplify the coordination and reduce the fragmentation, and
I did say the root system server operators have estimated they can be
ready by the end of the year.

DNSSec is a set of extensions to the age-old DNS standards that is
designed to prevent domain names being hijacked by malicious hackers, by
adding a cryptographic signature check requirement to each DNS lookup

Lack of DNS authentication could lead to attacks such as corporate
espionage, and may not be a theoretical problem, Crocker said. "You
never know how big a threat it is," he said. "I think it's doable, but
we have no information on whether it's being done."

The DNS is hierarchical. When a browser looks up a web page,
www.computerwire.com for example, it needs the IP address associated
with the URL. If it cannot find it at the local DNS server, that server
asks the root for a pointer.

The root points to a name server at VeriSign, which the root knows runs
.com. VeriSign's server passes it on to ComputerWire, which it knows
runs computerwire.com, and ComputerWire passes the request on to its web
server, www.computerwire.com.

"Anywhere along that path, you could be given misinformation by a badly
configured system, or an intruder, that causes your traffic to be
directed to a different site," Crocker said.

This so-called "man in the middle attack" could mean a hacker could
intercept and read your email, web browser requests, or any other
internet traffic that uses domain names to locate servers. The victim
would usually be none-the-wiser.

SDC: For the uninitiated, this appears to define "man-in-the-middle
attack" as this attack on DNS as opposed to general method of attacking
a wide range of systems which operate over a network.

DNSSec is designed to solve this problem by requiring each stage of the
DNS lookup to be authenticated using a cryptographic key. A company with
a .com address would be authenticated by the .com servers, and the .com
servers would be authenticated by the root. The root would be
authenticated using a public key.

SDC: He's using "public key" to refer to the (public part) of the root
key in the sense that this is the key that's distributed to the public.

It's the decision to publish those public keys and support DNSSec at the
root, that appears to have been reached this week at the ICANN meeting,
where all the big players from the DNS space are gathered for a five-day
tetes-a-tetes.

SDC: Ulp.  This was either invented or inferred.  I surely didn't try to
say this.

But that's not even half the challenge. Crocker said that the top-level
domain operators, such as VeriSign, also need to start supporting
DNSSec, as do makers of applications such as browsers, operating systems
and email software.

The operators of the Swedish and Dutch TLD registries, .se and .nl, will
"almost certainly be the first" to support the protocols, Crocker said.
These are relatively small domains, where the cost and complexity of
rolling out DNSSec will be relatively modest.

SDC: Sounds like .nl and .se are tiny.   Didn't mean to have it come
across that way.  Wanted to give them credit and give a short, plausible
story as to why they would be first.  Any suggestions on how to do this
better next time?

VeriSign, on the other hand, is said to manage over 80% of the world's
domains, and would have a lot more work. Pat Kane, head of .com/.net
data at VeriSign, said that adding DNSSec support would triple the size
of its registry zone files.

Kane said that he expects the cost to the VeriSign registry of rolling
out DNSSec across the whole of the .com and .net domains would be $5m in
the first year. At the same time, there's no real business model
associated with the technology, yet.

SDC: A price tag of $5M might seem large to some readers and quite small
to other readers.  As noted, this came from Pat Kane, not me.

"Registries and registrars have to balance market demand with technical
needs. There's no proof today there's a market demand for DNSSec," he
said during a public meeting on the subject here in Argentina. "Where is
the revenue?"

VeriSign does appear to be committed to DNSSec, however. The specs have
been under development with VeriSign's assistance, for 12 years, and
VeriSign has been running pilot and test-bed projects for over four years.

SDC: "With VeriSign's assistance" and a few hundred others.

There may be a market for DNSSec as a value-added service. Many
companies could be happy to pay an extra fee each year for a domain to
protect their sites against man-in-the-middle attacks. But the threat is
little known.

"We don't have a reference event," said VeriSign's Kane, alluding to the
1989 Exxon Valdez disaster, and how it reformed the way oil spills were
treated. Without a CNN headline talking about DNS insecurity, there's no
demand yet.

"That's a good thing and a bad thing," he said. "It's good because we
don't have that event, it's bad because we don't have the motivation
across the entire community."

The DNSSec Deployment Initiative is being managed by Crocker's company,
Shinkuro Inc, with funding from the DHS. DNSSec deployment is one of the
few hard technical goals outlined in the US government's National
Strategy to Secure Cyberspace.

SDC: This completely leaves out Russ and Sparta.

Crocker is also head of ICANN's Security and Stability Advisory
Committee. ICANN is tasked with ensuring the stability of the DNS.
Crocker said: "This is bigger than ICANN, but ICANN has a strong, vital,
pivotal role".