Archive for July, 2010
DNSSEC doesn’t typically spur flights of fancy. But this week, trusted key representatives–individuals selected to hold parts of the DNSSEC root key during recent key signing key ceremonies held by ICANN in preparation for signing the root zone–have sparked the imaginations of both high-tech and popular media. Here’s a roundup of recent coverage focusing on the individuals that hold the keys:
- PopSci notes “We’re imagining a large medieval chamber filled with techno-religious imagery where these knights cyber must simultaneously turn hybrid thumb drive/skeleton keys in a massive router, filling the room with the blinking light of connectivity…. In reality, it’s not so dramatic. The keys are actually smartcards that each contain parts of the DNSSEC root key, which could be thought of as the master key to the whole scheme. But it is interesting to know that there is a group of individuals out there that hold actual, physical keys that would reboot the Internet as we know it.” The article points to this Community DNS video explaining how the keys are made; CDNS CEO Paul Kane is one of the key holders.
- Gawker pictures it this way: “This is what happens when you let nerds run everything: The whole world turns into an extended Dungeons and Dragons campaign. Seven specially-chosen people are now members of a ‘chain of trust’; in the event of a catastrophe—like a terrorist attack, or Saruman joining forces with Sauron, or Barack Obama turning off the whole internet—five members of The Fellowship of the Internet must meet in a secure location ‘to recover the master key’ and summon Captain Planet.” The article goes on to name the seven “keymasters” and describe the process, but notes, “it’s more fun to pretend the other stuff.”
- The Next Web called the group “the real-life Fellowship of the Ring that can ‘reboot’ the Internet” and notes, “Unlike the Fellowship of the Ring, there’s a backup plan. If the keyholders can’t travel to the location required in the event of a major incident, a set of keycards are securely held on site.”
- Mainstream media BBC and the Bath Chronicle played it straight, profiling Kane as one who holds “the keys to the Internet.”
PC World’s “What to Watch at Black Hat and Defcon” article points to DNSSEC sessions at Black Hat, which starts today in Las Vegas. The article notes:
Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking again at Black Hat — this time on Web security tools. But he’s also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) — a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be…. “We’ve been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security,” Kaminsky said in an interview. “We’re not going to solve all of those problems with DNSSEC… but there’s an entire class of authentication vulnerabilities that DNSSEC does address.”
In the 10 days since the Internet’s root zone was signed, DNSSEC-related activity has been reported in commercial, non-profit and government circles, including these announcements:
- The White House called the root signing “an Internet security upgrade that is important not only for its practical, day-to-day value in blocking a class of online threats, but also for demonstrating that the cooperative, private-sector-led, standards-based model of Internet architecture remains vital and effective.” Announcements from Verisign, the U.S. Department of Commerce and ICANN also followed the signing.
- Comcast noted the signed root, and announced “the deployment of the DNS root key to all of our DNSSEC trial servers across the country,” alerting Comcast customers that they can start using its trial servers immediately.
- .org announced that Go Daddy, Dyndns.com and NamesBeyond now support DNSSEC-Signed .org domain names. CEO Alexa Raad said the move “will take widespread DNSSEC adoption to the next level.”
Culminating years of effort on the part of many public and private organizations and individuals, ICANN has now confirmed the root zone is signed and available, and has published the root zone trust anchor so that root operators can begin to serve the signed root zone with actual keys. Initiative partner and Shinkuro CEO Steve Crocker said:
This is a very special day. Very, very many people, working for many years all over the world made this day possible. Like the golden spike that completed the first transcontinental railroad in the United States, the signing of the root completes the basic platform for building new levels of trust on the Internet.
“DNSSEC Decoded,” a half-day seminar sponsored by Secure64, will take place July 27 from 8:30 a.m. to 11:30 a.m. in Washington, DC, at the International Spy Museum’s Zola Restaurant.
Speakers include Initiative partner and NIST computer scientist Scott Rose and Microsoft Federal Group Chief Security Officer Bill Billings. Breakfast is included in the event, and the speakers will discuss why U.S. federal agencies’ internal networks are targets for theft of confidential information; how DNSSEC protects internal and external domains from hijacking; DNSSEC deployment requirements and FISMA requirements that pertain to DNSSEC; and case studies from other federal agencies. Seating is limited; you also may listen to a recording of the event with the chance to ask questions of the speakers.
U.S. Commerce Secretary Gary Locke yesterday addressed a meeting of the federal agencies participating in a government-wide cybersecurity policy review, citing DNSSEC as a significant accomplishment in securing the Internet, on the eve of the signing of the root zone. His remarks included these words:
One of the Commerce Department’s most important accomplishments will go into effect tomorrow when DNSSEC is deployed at the root of the Domain Name System.
This action will essentially give a “tamper proof seal” to the address book of the Internet – a seal that gives Internet users confidence in their online experience.
And I’d like to thank the Department’s partners in this effort — the Internet Corporation for Assigned Names and Numbers, and VeriSign. This effort is an excellent example of public – private cooperation, which included extensive domestic and international community consultation.
ICANN will live-stream the key signing key ceremony in Los Angeles, in preparation for putting the DNSSEC-signed root zone into production later this week. Find the stream here, starting at 2000 UTC; a full agenda appears here. Read about the first KSK ceremony in Virginia here.