DHS wants DNSSEC keys -- so what?

  2007-04-05

DHS wants DNSSEC keys -- so what?

  21:43, by Hagai Bar-El   , 369 words
Categories: Security Policies

The Department of Homeland Security (DHS) wants to have the root master keys of DNSSEC. This will allow them to fake DNS responses at will. Read all about it at:

Homeland Security grabs for net's master keys
Department of Homeland and Security wants master key for DNS

It caused quite a lot of fuss. I agree with the political feeling of discomfort, but I somehow cannot understand the threat that some people attribute to this.

It is believed that non-US countries will find this move unacceptable, because it will make the US agency capable of falsifying DNS responses, as part of national espionage.

I guess it's mostly a matter of the expectations that non-US nations have from DNSSEC in the first place.

If I understand this correctly, the situation as it would be once DHS has the keys will be no different than what it is today. The US will be able to spoof DNS responses that are resolved within its cloud. To forge a DNS response you need not only to be able to sign as a DNS server, but you also need to be (on the path of) the DNS server that is asked. This is not different than the situation as it is today, and non-US countries still use the Internet.

The question is whether or not these non-US countries ever expected DNSSEC to solve their problems with US national surveillance. I have no facts, but I believe that they never did. After all, there is some master key somewhere and this master key is kept by someone (I am not sure if key splitting was ever considered). As far as national intelligence is concerned, there is no difference between having the keys held by a ".org" or by a ".gov". The keys are in some nation's jurisdiction and are thus subject to subpoenas that are enabled by some government with its own legal system that the community has no control over. Be it the US, or the EU, or anyone else.

DNSSEC, I think, comes to solve the problem of hackers who fake DNS responses to phish for your credit card details; not against national espionage. And; If you don't expect — you are not disappointed...

No feedback yet


Form is loading...