IETF committee calls for a simple system for DNS security
The Internet Architecture Board (IAB), the central committee of the Internet Engineering Task Force (IETF, a standards organisation), is calling for a simple system for signing the DNS root zone, and for the interest groups of the Internet Corporation for Assigned Names and Numbers (ICANN) to be given a say in a number of operational questions. That would give the ICANN community an influence on, say, the continuous rollover of keys for signing the root zone. The IAB makes these requests in its feedback to a Notice of Inquiry from the US National Telecommunications and Information Agency (NTIA). It also calls for caution: "Care should be taken that DNSSEC deployment remains about data, integrity, and authenticity, and not about control."
The way the root zone should be signed has been a topic of serious debate for almost two years. This is the IAB's feedback in response to a Notice of Inquiry from the NTIA regarding "Enhancing the Security and Stability of the Internet's Domain Name And Addressing System" with DNSSEC. The IAB writes that the IETF's DNS Security Extension (DNSSEC) protocol "is the only standards-track mechanism to prevent corruption and replacement of the DNS data on its path through the Internet" (See also: RFC 4033 DNS Security Introduction and Requirements). If correctly implemented, therefore, the protocol could ensure more trust in the network. The IAB believes in particular that phishing attacks and the vulnerabilities discovered by Dan Kaminsky can be prevented.
Even if all zones or even individual domains were not signed, it argues, signing particularly sensitive zones such as those in the financial and banking sector could achieve a great deal. On the other hand, they warn that introducing the extremely complex protocol, which tests the authenticity of responses to DNS requests on the basis of a public/private key process, without good planning could make the system more fragile.
The main architectural proposal by the IAB is the linking of zone updates and zone signing, which, it says, would avoid the need for unsigned zone or key data to be sent over the network, this in turn requiring a mechanism to secure these data transfers. The IAB is thus contradicting notions of separating zone signing and key generation. It says the dispute over roles in the administration of the root zone should be settled separately, in years to come.
The IAB document is among a list of almost twenty responses to the NTIA. These include specific suggestions for a transmission of the key signing key (KSK, the master key) to IANA or to the root zone operators. The response from the WIK warns against neglecting economic aspects, while AT&T asks sceptically whether the cost of the system can be justified in view of the observed fact that, when in doubt, users will skip security advisories if they want to reach a specific address on the network. The cutoff date for further feedback is 24 November.
- DNSSEC moves forward a little
- IP address management group recommends fast introduction of DNS Security
- VeriSign wants to share (a small part of) the DNSSEC keys
- The US to implement DNSSEC in all federal offices
- Is DNSSEC the way to go?