VeriSign wants to share (a small part of) the DNSSEC keys
VeriSign, which operates two Domain Name System (DNS) root servers, is proposing that the operators of the 13 central root servers of the DNS should jointly control the master DNSSEC key to the root zone.
The DNS Security Extensions Protocol (DNSSEC) would use a public key process to detect fake responses to DNS queries. DNSSEC has been developed over decades as a countermeasure to IP address spoofing. For the last two years, a political dispute has been raging over who should hold the master key, the Key-Signing Key (KSK), for the signed root zone.
VeriSign's proposal picks up the idea – not new, but viewed positively by many technical experts – of sharing the KSK among a number of parties by giving part of the key to the twelve operators of the thirteen central root servers. New signatures for the root zone (the Zone Signing Key or ZSK) would have to be authorised by at least five of the twelve. If only three or four gave their approval, the new signing would fail. The ZSK would be valid for one year, the central KSK for several years.
VeriSign sees a great advantage in this distribution of authority. It would also address the fears of the international community, which has expressed strong reservations about the US Government wanting to keep hold of the master key. Brenden Kuerbis of the Internet Governance Project has already expressed doubts about the proposal. The group of Root Server Operators (RSOs), he points out, is not terribly international, given that nine of the twelve are based in the US. These include the US Army Research Lab, the US Defense Department's computing centres, and NASA's Ames Research Center. Under the present proposal by VeriSign, the US authorities would have direct or indirect access to the five keys required for a new signing. Kuerbis therefore calls for a rule to set a quota for international operators, to safeguard the international nature of the group.
According to VeriSign, key management would probably be exercised centrally. VeriSign's Data Center in Mountain View would generate not only keys and part-keys, but also the KSK and ZSK. VeriSign regards itself as the natural authority for the ZSK, since it manages the root zone. Nothing should change here, in VeriSign's view, and the US Department of Commerce (DoC) would continue to supervise the root zone. A takeover of KSK management would ensure greater security, argues VeriSign, since it would eliminate transfers of keys between different locations. A further argument put forward by VeriSign in favour of centralization at its data centre in Mountain View is that "no other operator is qualified with the same level of experience and secure facilities".
All the root server operators would have to physically attend the first "KSK signing ceremony", taking with them their PIN-protected green plastic part-keys. To prevent their having to return for the monthly ZSK renewals, a stock of ZSK keys would be created immediately. The vulnerability of the list to hacker attacks is just one of the questions left open.
The Department of Commerce only recently slapped the wrist of the Internet Corporation for Assigned Names and Numbers (ICANN) when it tried to take over the distribution of continuous root zone updates from VeriSign . When ICANN submitted its own proposal (PDF) for DNSSEC key management, the DoC prohibited its publication.