
Seven People Who Hold the Keys to Worldwide Internet Security - hornokplease
http://www.theguardian.com/technology/2014/feb/28/seven-people-keys-worldwide-internet-security-web
======
tptacek
Skimming this article, I couldn't tell if it was about DNSSEC or not. But if
these are DNSSEC keys, you can safely ignore this story; DNSSEC is a sideshow.
It's hopefully never going to see widespread deployment, and regardless of
whether it does, it isn't going to make a difference for your security.

I've written a bunch about DNSSEC on HN (and elsewhere) and won't preemptively
repeat myself. You might consider just taking my word for this.

~~~
minimax
Yes the author is apparently writing about "Root DNSSEC KSK Ceremony 16"

[http://data.iana.org/ksk-
ceremony/16/KC16_Scripts.pdf](http://data.iana.org/ksk-
ceremony/16/KC16_Scripts.pdf)

~~~
tptacek
The author has been fooled into writing a dramatic story about a total
nonevent.

~~~
TeMPOraL
s/fooled/paid/

Also, this is how non-events try to gain "importance".

------
nly
How did this article manage to not use the byte sequence 'DNSSEC' or mention
the fact that it's only deployed on a tiny % of domains under TLDs that
support it?

Reports like this just add to public misconception.

~~~
adrianb
This comment provided me with more information than the entire article. Would
you care to add more details on what the key cards are and what their power is
(the article seems to be stuck on "can they shut down the internet?")

------
davidu
This is really one of the worst kinds of stories. It's just not true, and not
only is it not true, it purports to cover DNSSEC as a technology that people
RELY or NEED, when in fact, DNSSEC adoption never gained traction, and
actually decreases every single day.

Someone spun some crazy PR for this one.

~~~
blibble
in the interests of transparency: parent's business (OpenDNS) will have severe
problems operating (replacing legitimate responses with spoofed ones) when
DNSSEC is adopted.

~~~
davidu
That's actually not true, not even a little bit. We've covered this before.
When the resolver issues a query, we can disable the DS bit and disable DNSSEC
for our customers. Alternatively, we can extend our DNSCrypt client to do
validation and rejection of malicious responses.

DNSSEC doesn't add security, nor does it prevent our business from operating
to the fullest extent.

~~~
mike-cardwell
You're playing the long game. If OS's end up locally verifying DNS responses
then you're out of business.

On the other hand, DNSCrypt is utterly useless and worthless. Wow, my ISP
can't see that I'm looking up "www.example.com", oh... but my ISP can see that
I am connecting to x.x.x.x on port 443 and sending "www.example.com" in the
SSL handshake because of SNI. So now, both my ISP _and_ OpenDNS (double the
third parties) can see that I'm connecting to www.example.com, even if I'm
using HTTPS. How exactly is this supposed to help my privacy?

DNSSEC and DNSCrypt both attempt do completely different things. DNSSEC is
_much_ better at doing what it is trying to do (even though it's far from
perfect) than DNSCrypt.

~~~
davidu
I am one of the biggest proponents of end-users running a full-blown resolver.
I've been on the record on this point. Like the OP, it sounds like you really
don't know what business we're in. Monetizing DNS with ads isn't our business,
and it hasn't been for more than four years.

~~~
mike-cardwell
Sounds like you really don't know how to read. I didn't mention ads once.

~~~
davidu
Okay -- Maybe I jumped to your conclusion erroneously. How is my business
impacted?

------
EGreg
Ok, centralization leads to silly things like this.

Namecoin is but one of many ways to decentralize DNS while even while having
one centralized registry.

------
gwu78
"We peaked at 12."

Peaked. And that probably includes the sysadmin who was required to watch it.

Where are the articles on the new ridiculous TLD's?

A while back the IP address for the FTP copy of the root.zone changed.

And sure enough, the file is now full of crap like .buzz, .house and .kitchen

I cannot even read through the whole zone anymore. It's too long.

There are some gems in there though. And some fool paid $185,000+ for each
one.

I have been running my own root for years and this is why.

Snip, snip. No more .buzz

Very easy to set up up your own custom root and to filter out the crap TLD's.
But, like with the ceremony in this article, some folks think that ICANN has
some sort of "authority" on how people use domain names.

Whole .com zone (=public information) fits on a USB stick.

And the HOSTS file remains as a failsafe, if you have to use someone else's
resolver.

And most of the entries in the com.zone are garbage anyway: parked names with
ads.

Imagine how many different domains the average user will visit in their
lifetime. It is but a small fraction of all the names registered.

But let's pretend ICANN is relevant.

God help us if ICANN should cease to exist.

~~~
ChristianBundy
How do you manage your own root?

~~~
gwu78
1\. Get copy of the file "root.zone" from ftp.internic.net

2\. Load it into tinydns or nsd. I have a sed script that translates BIND
format into tinydns format, but if you search you will find someone has
written one in C.

3\. Point your resolver at your root.

4\. Create or delete TLD's at will, not to mention many other benefits.

Running your own DNS gives lots of control. Most malicious or deceptive
practices that tarnish the internet rely on DNS. When you control your own,
you can neutralize a very large percentage of it.

Redirecting _.apple.com to your own httpd will show you just how bad this
company has gotten.

You can also redirect ad servers like _.doubleclick.net and voila, you will
have free apps with NO ADS.

~~~
dredmorbius
_Redirecting .apple.com to your own httpd will show you just how bad this
company has gotten._

Care to expand on that?

~~~
gwu78
I'm not going to rant about how Apple products make gratuitous network
connections to remote computers for questionable reasons. Nor the requests
that many AppStore apps send out over the open internet without telling you,
or how poor Apple's forced software has gotten in general.

That's why I've presented you with the experiment.

If you think you might care about such things, try it yourself and draw your
own conclusions.

If you use iOS, you might need this, just to get on your own home LAN:

/test/library/success.html <HTML><HEAD><TITLE>Success</TITLE></HEAD></HTML>

------
smutticus
It's ICANN, not Icann. This article is overly sensational.

~~~
matthewsimon
The Guardian's UK stylesheet calls for this treatment of acronyms that are
pronounced as a word -- people say "Icann", not "Eye See Aye En En" \-- which
does seem odd but may be acceptable as a regionalism.

~~~
akira2501
Some people make the following distinction: when pronounced as a word, it's an
acronym. If it's not, then it's an initialism.

~~~
T-hawk
Some take the distinction further: only if it forms an actual word, like
PATRIOT Act, is it an acronym. If it's pronounced but not a word, like NATO,
it's an abbreviation.

------
Diederich
I'm not a security expert, just an interested amateur.

Can someone explain how this step doesn't invalidate all of the hours of
ceremony and procedure?

"Later Okubo will transmit the key on a secure channel to Verisign and this
signed key will be made live across the internet."

~~~
Velox
Signing the key is the important part. Proving that the key was in fact
created by the people it was supposed to be. (I think they key does have to be
kept secure, which could be done by using a one time pad. Theoretically
unbreakable.)

~~~
Diederich
Right, that part I get. But isn't the security of the resultant key now left
entirely to Verisign?

~~~
tallanvor
I think that's why the key is only valid for 3 months.

------
jedberg
Doesn't revealing the identities of the key holders somewhat compromise the
system? Ot at least make it more vulnerable?

------
higherpurpose
I wish this story didn't read like a novel, and actually gave me the meat of
the information more quickly. I feel like the way the author told the story
diluted the importance of it.

~~~
PhantomGremlin
I agree with you, it's way way way too long. And overly dramatic. I gave up
reading pretty quickly.

However, judging by other comments here, I'm not sure there really was any
"importance" to "dilute". It's probably just a way for apparatchiks to justify
all-expense-paid vacations twice a year.

------
acd
Internet security is pwned by organisations powerful enough to hack into CAs
or simply buy one and run them as a covert operation impersonating any site
they want by issuing certificates trusted by all web browsers. Internet
security broken by design of centralization.

Thus if you have IP A you will get fake certificate generated by government
owned CA, if you have IP B you will get to the real site. If you are IP A you
will get pwned by MITM attack malware the site will look genuine to the
browser.

~~~
MichaelGG
Governments already directly own CAs.

The mitigation for the attack you outlined is that such attacks will be
detected, and the CA will get blacklisted. That may not actually work in the
real world.

------
bascule
In addition to everything else that's wrong with DNSSEC, using Shamir to share
a digital signature key is a silly idea. Multisignature trust systems /
threshold signatures provide the same functionality, but without having a
single secret that has to live on one computer at a single time. While I know
they did their due diligence to prevent the leak of the DNSSEC root key, it's
a problem they could've easily avoided by using an incredibly boring design
rather than a more "clever" one like Shamir. As things stand, there is
actually one key that could completely destroy DNSSEC and require the thing be
bootstrapped again from scratch.

------
IceyEC
"Once activated by the smartcards, this will produce a lengthy cryptographic
code. If dropped, or even knocked too hard, the machine will self-destruct."

------
gph
The first few paragraphs really overdramatize it. It makes it sound like the
internet would completely cease to exist if something happened to the root DNS
servers. It was so cheesy I just couldn't read anymore after that.

------
DavidWanjiru
Oh, like scylla in "Prison Break?

------
bitJericho
Reminds me of
[http://www.youtube.com/watch?v=iDbyYGrswtg](http://www.youtube.com/watch?v=iDbyYGrswtg)

