Government Begins Securing Root Zone File

kdawson posted more than 5 years ago | from the not-before-time dept.

Security 198

Death Metal notes a Wired piece on the US government beginning the process of securing the root zone file. This is in service of implementing DNSSEC, without which the DNS security hole found by Dan Kaminsky can't be definitively closed. On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root — ICANN, Verisign, or the US government's NTIA.


That's going to be interesting. (3, Funny)

assantisz (881107) | more than 5 years ago | (#25327313)

I have my popcorn ready for the show.

Re:That's going to be interesting. (1)

morcego (260031) | more than 5 years ago | (#25328153)

Here is another suggestion: IEEE

Re:That's going to be interesting. (0)

Anonymous Coward | more than 5 years ago | (#25329779)

Don't panic.

It doesn't HAVE to be one signature (3, Informative)

elfguy (22889) | more than 5 years ago | (#25328473)

DNSSEC already has provisions to use a multi-signature key, where many organizations each sign it, and these parts are used to make one global key, so that no one person or organization is owner of the root zone file. It doesn't have to go like that.

Those who do not understand DNS (0, Flamebait)

Gothmolly (148874) | more than 5 years ago | (#25327327)

Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WON'T mess this up completely? Give the key to Google or AOL or IBM or something.

Re:Those who do not understand DNS (2, Funny)

alexborges (313924) | more than 5 years ago | (#25327595)

I know, I know, let's give it to some Wall Street bankers!

Re:Those who do not understand DNS (4, Interesting)

rs79 (71822) | more than 5 years ago | (#25327671)

"Are doomed to reimplement it, poorly. Does anyone have any confidence that the US Government WON'T mess this up completely? Give the key to Google or AOL or IBM or something."

Those who don't understand DNS would recommend giving it to IBM.

Hi. I run the root server that was the first runner up in the contest to administer it, ahead of two other groups. We were actually asked by the gov to advise ICANN which we did until we realized all they were doing is using us to get away with what they wanted to do, instead of listening to advice on horrific problems. Hint: the mandate specifies ICANN is a membership organization and 10 years later you still can join and have a vote. Ahem.

During this time and for 5 years before that I run the a root to one of the alternative root zones.

If you think DNSSEC will fix the problem or that it's the right answer or that it will actually secure it then you and Dan Kaminsky haven't thought about it enough.

But if you wanna go ahead with the broken DNSSEC model the keys should be held by Paul Vixie. This is all his mess anyway and he already holds the keys to usenet.

Re:Those who do not understand DNS (2, Funny)

alexborges (313924) | more than 5 years ago | (#25328061)

Can I be the president of your fan club?

Re:Those who do not understand DNS (1)

hesaigo999ca (786966) | more than 5 years ago | (#25329169)

IBM was only one of his choices, although a poor one, I would opt for Google, seeing as they already own the internet per se...they are trying to cache the whole thing on their backend....imagine that....why not allow them also to geometrically setup a cache of dns servers rolling out lookups...they would be able to do it...and have the room for all the backups too!

Re:Those who do not understand DNS (5, Funny)

PinkyDead (862370) | more than 5 years ago | (#25327915)

One key for Google flying oh so high,
One for Apple for without it fans would moan,
One for IBM what are based in Armonk, NY,
One for the Dark Lord on his dark throne
In the Land of Redmond where the Shadows lie.
One Key to rule them all, One Key to find them,
One Key to bring them all and in the darkness bind them
In the Land of Redmond where the Shadows lie.

Re:Those who do not understand DNS (1)

alexborges (313924) | more than 5 years ago | (#25328083)

Boy this is getting old. ....

It's cool though.

Re:Those who do not understand DNS (1)

Dani Filth (677047) | more than 5 years ago | (#25328971)

Now that's a funny sig.

Re:Those who do not understand DNS (1)

Zarf_is_with_you (1382411) | more than 5 years ago | (#25329507)

Maybe Hellboy should hold the key...... ;)

None of the above (5, Insightful)

jeffasselin (566598) | more than 5 years ago | (#25327333)

Anyone really thinks any of those organizations should be trusted with this? How about some UN organization instead?

Re:None of the above (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25327415)

Because the UN sucks too? It isn't a symptom of who belongs to the organization, but the very fact that it is a large organization.

Ah, screw it. (4, Funny)

Rob T Firefly (844560) | more than 5 years ago | (#25327419)

I vote we just give it to Cowboyneal.

Re:None of the above (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25327425)

Worst idea EVER. Look what happened when we let foreigners invest in our market. What color is the sky in your world where trusting foreign countries with our money or security is good for the USA?

Re:None of the above (0)

Anonymous Coward | more than 5 years ago | (#25327429)

Wow. Sometimes the void is so large, there is just no reasonable way to respond.

Re:None of the above (1)

ThatFunkyMunki (908716) | more than 5 years ago | (#25327591)

You have no recourse but to look into it until it looks back at you...

Re:None of the above (1)

alexborges (313924) | more than 5 years ago | (#25328101)

"If patriotism is racist, is racism patriotic?"

No.

And green is not lemon. And the orange color does not smell.

He-Lo?

Re:None of the above (0)

Anonymous Coward | more than 5 years ago | (#25328365)

YHBT, HAND.

Re:None of the above (4, Insightful)

MightyYar (622222) | more than 5 years ago | (#25327471)

The same UN that is comprised of countries that support censorship of political speech? No, thanks. Either give it to an organization of free democracies or hold onto it until such an organization exists.

I'm not flaming, but seriously - look at the UN's track record where they do things like elect Libya to head the Commission on Human Rights. I can already see China chairing the internet commission.

Re:None of the above (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25328495)

The same UN that is comprised of countries that support censorship of political speech?

Countries like the USA, you mean?

Seriously, did you ever try to protest at an RNC, for instance? I did, and I can tell you that it sure makes you wonder exactly which nation you're in, anyway.

Re:None of the above (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25328927)

Seriously, did you ever try to protest at an RNC, for instance?

How do you find the time to post here with all your obligations and work?

I did

Oh ... I see. Nevermind.

You, sir, are evil and twisted. (4, Informative)

Crazy Taco (1083423) | more than 5 years ago | (#25329019)

Countries like the USA, you mean? Seriously, did you ever try to protest at an RNC, for instance? I did, and I can tell you that it sure makes you wonder exactly which nation you're in, anyway.

Right, and those of us from Minnesota know ALL ABOUT your protests at the RNC. Let's see, at this year's RNC in Minneapolis we had mass rioting, bricks thrown through windows of business and destruction of property, an attempted bus-jacking, fires, attacking of delegates from multiple states, throwing feces and urine on delegates, attacking police officers and a vast number of other crimes.

In the pre-RNC raid by the Ramsey County Sheriff's department of the "RNC Welcoming Committee" apartments, police found molotov cocktails, nail bombs, gasoline tanks and other explosives, buckets of urine and all variety of other ordnance. Despite these raids, numerous people were still injured by these people during the riots. Even the liberal mayor of St. Paul applauded the actions of law enforcement and the excellent job they did in keeping the carnage from getting worse.

So, the only thing that makes me wonder what country I'm in is the fact that depraved idiots like you are running around loose. People like you are lower than low, defending these tactics and smearing the law enforcement officers. These were not "peace protesters". These were terrorists and anarchists by anyone's definition, and no quarter should be given to them. And frankly, no quarter will be given to you either. You, luckily for you, are given the right of free speech by the rest of us true American citizens, but I will not stand by and let you spew your garbage and hate without reminding others what really happened in Minneapolis at the RNC. People like you are truly evil and immensely twisted and warped if you can defend any of the violent activities that went on during the "protests" (read: riots). And if you were a participant, you deserve to be thrown in jail, or better yet, exiled to a place like Pakistan, Iran, or Syria. Your kind have no place in a free and peaceful democracy.

Re:You, sir, are evil and twisted. (2)

cptgrudge (177113) | more than 5 years ago | (#25329141)

As another citizen of Minnesota, the parent speaks the truth. I'm all for free speech, but what these "protesters" were doing was attempting to disrupt the political process and infringing on OTHERS' right to free speech.

Re:You, sir, are evil and twisted. (1)

Sancho (17056) | more than 5 years ago | (#25329599)

So arrest those people. Don't arrest the ones who are peacefully protesting.

Re:None of the above (2, Insightful)

operagost (62405) | more than 5 years ago | (#25329161)

Maybe you shouldn't betray your political leanings by singling out the RNC. There are "free speech zones" at the DNC too. It seems to be more dependent on the attitude of the hosting city. At least we don't imprison grandmothers and sentence them to hard labor just for asking to protest.

Re:None of the above (2, Insightful)

MightyYar (622222) | more than 5 years ago | (#25329363)

While I agree that the government (mostly local governments) overreacted to the antics of some douchebags, the fact remains that the US is one of the most liberal - if not the most liberal - nations on the planet when it comes to freedom of speech. Restrictions on speech correlate very well with authoritarian rule.

Re:None of the above (2, Insightful)

Sancho (17056) | more than 5 years ago | (#25329731)

Yeah, in the US, you can pretty much say what you want, as long as you do it in a place where no one can hear you.

The reason that restrictions on speech correlate very well with authoritarian rule is because authoritarians don't want dissenters to be heard. It weakens their rule over the people, and threatens their power.

Free Speech Zones are public places where people are allowed to exercise their first amendment rights[1]--that is, the right to free speech. These zones tend to be away from the attendees, speakers, and mass media covering the event to be protested. This means that the protest is effectively pointless. Maybe you get a feeling that you're doing something by protesting, but by forcing you to protest where no one can see you, you're certainly not getting your message across.

So it's great and all that I can say pretty much whatever I want in the US. Seriously. I think it's awesome. But what I don't think is awesome is that political speech is effectively censored--that's the kind of speech which is linked to dissent, and which authoritarians want to quash.

[1] The government "allowing" you to exercise your rights should be a giant-old red flag.

Re:None of the above (3, Informative)

MightyYar (622222) | more than 5 years ago | (#25329909)

Protests are only one form of free speech, and it happens that they involve major disruption. It's like a parade or a festival... even when everyone is very peaceful, you have requirements for food, water, and human waste. Frankly, it's not particularly fair to crash someone else's parade after they've paid for everything and then complain about your rights being squashed. You want to have a parade? Go for it - but pay for all the mess you'll make.

And you know what? These WTO/RNC/etc protests are NOT non-violent, they are NOT low-impact, and they cause a major disruption - by DESIGN. You have a right to free speech. Have a parade, publish a newspaper, etc. You do NOT have a right to be a douche.

It tells me that your message isn't worth hearing, because you have resorted to abandoning any sort of civilized debate and just crying like a 2-year-old.

(Note I don't mean you in particular, just the style of writing that I used.)

Re:None of the above (2, Insightful)

Jesus_666 (702802) | more than 5 years ago | (#25329057)

The question is who to give it to. The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check. And I'm not in favor of giving a nation control over an international resource simply because it was deployed there first. That'd be like ultimately deferring to France in all aviation matters because of the Montgolfier brothers.

Really, who should get the root zone file? Nobody is eligible so we either give it to nobody or adjust our standards so someone is. The question is, do we accept a multinational body where any attempt at tampering might get vetoed by other members or do we accept a single nation where that isn't the case?

The UN seem like the safer choice because of more oversight. (Also, let's not forget that any bloc that feels left out can simply start their own root server network or switch over to one already running, thus it's not a wise idea to bind the one most of us currently use too much to a single nation.)

Re:None of the above (2, Insightful)

MightyYar (622222) | more than 5 years ago | (#25329471)

The United States are just as ineligible, seeing as they don't care about separating government and big business or keeping the government's powers in check.

I'm still going to rank political speech higher than commercial speech... that's where people really get oppressed. I agree that copyright is a form of censorship, and I would like to see it reformed drastically - but it's not the same as throwing people in jail because they are critical of the people in power.

The UN seem like the safer choice because of more oversight.

Two problems. One, the UN would only be effective if the number of countries opposing censorship was larger than the number that rather like it... unfortunately I think that the censors are in the majority. Second, the UN has no actual power to do anything outside of the security council. These committees and such all simply advise the security council. If someone were to get out of line, you'd need the security council to actually take action. With Russia and China as veto-wielding members, no action would ever come on issues of free speech.

But mostly, you are dead-on about it not being all that critical. DNS is mirrored all over the place, and if the US ever went bat-shit nuts the rest of the world could just run their own mirrors.

Re:None of the above (2, Interesting)

foobsr (693224) | more than 5 years ago | (#25329119)

organization of free democracies

Leading surveillance societies in the EU and the World 2007 [privacyinternational.org]

Clearly in the lead: China, Russia, US ...

CC.

Re:None of the above (1)

MightyYar (622222) | more than 5 years ago | (#25329497)

So if you aren't private you aren't free?

Re:None of the above (2, Insightful)

Kamokazi (1080091) | more than 5 years ago | (#25327487)

Hell, I'd trust the greedy bastards at Verisign way before the UN.

But yeah, all those options kinda suck. ICANN is the lesser of the evils though by a wide margin.

Re:None of the above (4, Insightful)

FireStormZ (1315639) | more than 5 years ago | (#25327539)

And why should the UN be trusted with this? As another poster pointed out they are comprised of many nations that censor speech, expression, assembly and thought. On top of that they have been shown to be as (if not more) corrupt (Oil for Food in Iraq), Inept (Sierra Leone), and Impotent (Rwanda)...

Re:None of the above (0)

Anonymous Coward | more than 5 years ago | (#25329481)

The impotency of UN (as you call it) in Rwanda was mainly due to inaction from western powers.

Lt.-Gen. Dallaire, Canadian general and head of the mission in Rwanda, kept and kept begging the western powers for -any- kind of support. He predicted the genocide months before it even happened but the countries on the security council kept refusing any change in the mandate of the mission. France did a couple of photo-ops, helped the Hutus in secret and during this time, the US sent a couple of not-working armored vehicles and the Belgians ran away when the water started to boil.

The shame should be on all western powers who refused to even consider increasing the capacities of the UN contingent before and during the genocide.

Re:None of the above (0)

Anonymous Coward | more than 5 years ago | (#25328653)

How about some UN organization instead?

You must be joking.

Good luck with that one (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25327345)

I wish they'd secure more shaved beaver.

Who to control... (5, Insightful)

TheSpoom (715771) | more than 5 years ago | (#25327395)

Verisign

Pros:

  • Quite a bit of money, stability likely wouldn't be a problem

Cons:

  • Puts a private company in control of a very, very important part of the internet
  • Has previously fucked with DNS, would likely do so again if considered a wise business decision

US Government

Pros:

  • Wouldn't dare let it go down since business in their country is very dependent upon it
  • Puts elected officials in charge of a very important part of the internet

Cons:

  • Nationalizes an important part of an international network
  • Puts elected officials in charge of a very important part of the internet

ICANN

Pros:

  • Has been doing this a long time
  • Is a non-profit company so isn't driven by the same business needs as, say, Verisign

Cons:

  • Still somewhat national

I'm definitely of the opinion that ICANN should be running it. That said, I don't know everything about the matter, so perhaps there's something that would change my mind. I figure, though, that if it's not broken, don't fix it.

Re:Who to control... (0)

Idiomatick (976696) | more than 5 years ago | (#25327443)

With those 3 options ICANN it should be but wouldn't the UN or something international make sense? I'm sure the UN can find a few guys that understand DNS well. Really all you have to do 99% of the time is not fuck anything up so my pet cat could do it until something needs changing a year or w/e down the road.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327627)

Yeah, the UN which is totally neutral, incorruptible, and is known to be totally without bias.

Oh WAIT. THAT UN. If the idea was to get things out of the US and its control, the US funds more of the UN activities than any other state (to a huge degree).

The simple fact is, the only reason for someone to want this under the control of the UN is so they can enforce their particular brand of censorship on the whole world. Otherwise, Germany is FREE to establish its own root servers. China is FREE to establish its own root servers. No one is forcing the world to use US operated root servers. But they do so, because it is convenient, cheap, and useful.

Want to guarantee fragmentation of the internet? Give control of all root servers to a organization in which China has significant voice. Oops! They're censored and no longer useful. The rest of the world moves to implement its own servers, JUST LIKE THEY'RE FREE TO DO NOW.

Re:Who to control... (2, Insightful)

digitig (1056110) | more than 5 years ago | (#25328635)

Latest I can find for UN payments is 2005 figures [unausa.org] ; I wouldn't call the difference between $423M (USA) and $375M (Japan) all that huge a degree. And is the USA actually paying its dues now? In 2005 it owed almost a billion in unpaid dues.

Re:Who to control... (1)

Tanktalus (794810) | more than 5 years ago | (#25328879)

When the OP talks about "funding the UN", he's not referring to dues. He's talking about actually paying for the activities of the UN, such as troops on the ground in hotspots, which many other countries are unwilling to do.

Of course, there's still a fuzzy line there - sometimes it can be argued that the US is just using the UN as a cover for their own activities (e.g., trying to get the UN to authorise an invasion of Iraq, then the entire Iraqi war would be considered a UN mandate, and thus count toward "US funding the UN"). Trying to separate this out, though, is a futile effort. No matter what methods you use to try, there will be wide disagreement.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327639)

You're going to pick the most corrupt huge organization, that has the least oversight? You're fucking retarded! I don't trust the UN, and ICANN has already demonstrated that they're bought by large corporations. Verisign is evil, that leaves the not as corrupt American government, and the NTIA appears to do a decent job at what they do.

Re:Who to control... (0)

Idiomatick (976696) | more than 5 years ago | (#25327691)

American government? AKA the place that made the patriot act? I really doubt internationally anyone has faith in the US government. Buuut you are probably just flamebaiting me.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327867)

American government? AKA the place that made the patriot act? I really doubt internationally anyone has faith in the US government. Buuut you are probably just flamebaiting me.

Okay, now how about some reality. What has the United States done to or with DNS that you find so objectionable? Besides, I suppose you'd rather have China or Russia run the show, outfits that have a far worse track record on, well, pretty much every relevant score than the U.S. Regardless, your anti-American sentiment is pretty obvious but the truth is, you don't have to like someone to admit they've performed well.

Re:Who to control... (4, Funny)

Anonymous Coward | more than 5 years ago | (#25328011)

I know, let's give it to Canada!

Re:Who to control... (1)

TheSpoom (715771) | more than 5 years ago | (#25328851)

On behalf of Canada, I accept.

*gives himself a TLD for the hell of it*

Re:Who to control... (2, Funny)

Tanktalus (794810) | more than 5 years ago | (#25328907)

Oh, no you don't. We don't want you blaming us AGAIN if something goes wrong.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25328349)

American government? AKA the place that's attempting to secure this in the first place? Yeah, can't trust those guys. Maybe people who complain about the US "controlling the internet" should simply not access US-based sites. Oh wait, that's quite a bit of the internet. Hmm.

Re:Who to control... (2, Funny)

C10H14N2 (640033) | more than 5 years ago | (#25327873)

ICANN IS INTERNATIONAL.

Re:Who to control... (3, Funny)

TheSpoom (715771) | more than 5 years ago | (#25328023)

CAPS LOCK IS CRUISE CONTROL FOR COOL.

(even cruise control [and slashdot filters] you still have to steer)

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327455)

I'd agree ICANN are the least worst of the three. But I'd sure rather "none of the above", sigh. DNS totally sucks, wish there was a viable alternative (ironically, with 1TB drives now the norm, the original "copy /etc/hosts about" scheme suddenly doesn't look so bad - an /etc/hosts for _the entire IPv4 internet_ would only be a few 10s of GB).

Re:Who to control... (3, Informative)

TheSpoom (715771) | more than 5 years ago | (#25327493)

The problem is that that theoretical hosts file is already split among different entities; for example, Verisign controls the .com and .net registries, not ICANN. So, if you wanted to do that, you'd have to convince all of them to give up their control.

Re:Who to control... (1)

jonwil (467024) | more than 5 years ago | (#25327499)

Biggest problem is the high frequency with which DNS can change (especially for individual networks)

Re:Who to control... (4, Interesting)

TheSpoom (715771) | more than 5 years ago | (#25327567)

Addendum:

UN

Pros:

  • As international as it gets
  • Ideally not controlled by any individual country

Cons:

  • Possibly more bureaucracy than any individual government in existence, would anything ever get done?
  • Could lead to a tyranny of the majority, what if a block of countries wanted censorship?

I'd be interested in hearing reasons why people believe this is a good thing as well though.

Re:Who to control... (1)

houghi (78078) | more than 5 years ago | (#25327621)

I think you summed it up pretty good. The thing is that the cons can be any country and perhaps not just the countries you would think at first.

Switzerland! (0)

Anonymous Coward | more than 5 years ago | (#25327861)

Re:Who to control... (0)

omnipresentbob (858376) | more than 5 years ago | (#25327883)

Addendum to the addendum
UN

Cons:

  • It's the UN

Re:Who to control... (0)

Matje (183300) | more than 5 years ago | (#25327987)

ah yes bob. Thank you for the well laid out argument. And good job mods, for marking it +4 Insightful.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327969)

Cons:
Notoriously as corrupt as the US government.

If you want shiftless layabouts to manage it, ICANN is probably still the best option.

Re:Who to control... (2, Insightful)

jhol13 (1087781) | more than 5 years ago | (#25328381)

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN. This would mean, of course, that those running it would get a huge power ... but they could not (would not necessarily) be persuaded to change policy by any government or lobbyists.

That would get rid of the bureaucracy and tyranny of majority, but could lead to tyranny of minority.

How that would work out in practice would be interesting experiment, to say the least. Whether trying is worth the risk ... well, let's just say that one would not cost 700 reallybigones :-)

Re:Who to control... (1)

TheSpoom (715771) | more than 5 years ago | (#25328441)

See, I thought about that too, but then I thought... well, that's basically ICANN.

Re:Who to control... (1)

operagost (62405) | more than 5 years ago | (#25329219)

It does not really have to be the UN, it can be a non-profit organisation (legally) under UN.

Yay! Another oil-for-food scandal!

Re:Who to control... (1)

Tanktalus (794810) | more than 5 years ago | (#25328925)

How about ISO?

(duck!)

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25329257)

You also need to consider the financial troubles of the US, which are certain to have far-reaching, unforeseeable consequences.

Putting what is essentially control over the Internet into their hands isn't necessarily a smart thing to do.

Re:Who to control... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25327605)

US Gov't

Pro:
It was theirs to start with (aka the US taxpayer)

Con:
A bunch of Europeans will whine about how it's not fair, even though they didn't invest the initial millions (billions?) to get the ball rolling.

Re:Who to control... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25327661)

Amen to that. Next people will want the GPS satellites brought under int'l control, since the mean ol' US Government can turn it off whenever they want (or turn on SA).

These were both investments made by the taxpayers of the US, in the interests of national security. We're just nice enough to let the world use [take advantage of] our assets.

Re:Who to control... (1)

Suzuran (163234) | more than 5 years ago | (#25327913)

They ALREADY want that, which is why Europe, Russia, and China are all working on GPS replacements.

Re:Who to control... (0)

Anonymous Coward | more than 5 years ago | (#25327985)

Yeah, we all see how wonderfully that's working out... only 25 years behind!

25 years of free global navigation. You're welcome.

Re:Who to control... (1)

houghi (78078) | more than 5 years ago | (#25327677)

US Government
Pros:
Puts elected officials in charge of a very important part of the internet

I would put that on the con side. I rather have a person who knows what he is doing in charge and not so much somebody who is popular and knows how to play the electoral game.
Also they are elected by a minority of the users.

Re:Who to control... (2, Informative)

TheSpoom (715771) | more than 5 years ago | (#25327687)

I would put that on the con side.

I did, if you noticed. :^P

It doesn't have to be just one player (4, Interesting)

jonaskoelker (922170) | more than 5 years ago | (#25327683)

How about using a threshold signing scheme?

Here's the ten kilofoot view: each participant p_{1..n} gets a piece of the key. If at least t of them (for some 2 <= t <= n) cooperate, they can produce a signature on the input message.

It is widely held that separation of power into legislative, executive and judiciary is a good thing. Here, the roles would be symmetric, but you still get the benefit of no one body of people (or single person) being in control.

Here's an interesting thought: include some of the root server operators in the decision. I haven't done the formal proof, but my understanding is that it'd be simple to create weighted threshold schemes, such that if ten of the $n roots all agree, that counts as one "vote" in the usgov-icann-verisign calculation [just apply some general secure Multiparty Computation protocol to the computation of RSA-signing with Shamir secret shares of the private key]. And, as your child poster says, you may want to include the UN. Not being a citizen of 192 sovereign nations, I don't like the idea of any one nation having a disproportionately large influence over critical infrastructure, should we come to rely on a signed root zone [note: we don't now, because it isn't; that may be useful to put this issue into its proper perspective, or not...].

But no matter who the eligible parties are, I don't think any one of them should be in exclusive control. Use a threshold signing scheme to distribute the power.
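A sketch of the t-of-n signing idea from the comment above, added here as an example and not part of the original post: it uses Shoup's threshold RSA construction, where each party signs with its Shamir share and the private key is never reassembled, in place of a general multiparty computation, and it covers only the unweighted case. The toy safe primes, the message and all function names are constructed for illustration.

```python
import hashlib
import secrets
from math import factorial, gcd, prod

# Constructed toy parameters. Real keys would use safe primes of 1024+ bits each.
P, Q = 467, 479            # safe primes: 467 = 2*233 + 1, 479 = 2*239 + 1
N = P * Q                  # public modulus
M = (P // 2) * (Q // 2)    # 233 * 239, order of the squares mod N (dealer secret)
E = 65537                  # public exponent: prime and larger than the party count
D = pow(E, -1, M)          # private exponent, known only to the dealer


def hash_to_zn(message: bytes) -> int:
    """Map a message to a unit of Z_N, skipping degenerate values with x^2 = 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(message + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % N
        if gcd(x, N) == 1 and pow(x, 2, N) != 1:
            return x
        counter += 1


def deal(threshold: int, parties: int, coeffs=None) -> dict:
    """Shamir-share D over Z_M: f(0) = D, degree threshold-1, share i is f(i)."""
    if coeffs is None:
        coeffs = [secrets.randbelow(M) for _ in range(threshold - 1)]
    poly = [D] + list(coeffs)
    return {i: sum(c * i**k for k, c in enumerate(poly)) % M
            for i in range(1, parties + 1)}


def partial_sign(message: bytes, share: int, parties: int) -> int:
    """One party's signature share x^(2*Delta*s_i) mod N, with Delta = parties!."""
    x = hash_to_zn(message)
    return pow(x, 2 * factorial(parties) * share, N)


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with a*u + b*v = g."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def combine(message: bytes, sig_shares: dict, parties: int) -> int:
    """Combine signature shares {party index: share} into one RSA signature."""
    x = hash_to_zn(message)
    delta = factorial(parties)
    idx = list(sig_shares)
    w = 1
    for j in idx:
        # Integer Lagrange coefficient at 0, scaled by Delta so it is a whole number.
        num = delta * prod(-k for k in idx if k != j)
        den = prod(j - k for k in idx if k != j)
        lam = num // den
        w = w * pow(sig_shares[j], 2 * lam, N) % N
    # With enough shares, w^E = x^(4*Delta^2). Since gcd(4*Delta^2, E) = 1,
    # Bezout coefficients turn w into y with y^E = x.
    _, a, b = egcd(4 * delta * delta, E)
    return pow(w, a, N) * pow(x, b, N) % N


def verify(message: bytes, signature: int) -> bool:
    """Ordinary RSA verification: verifiers see one key and one signature."""
    return pow(signature, E, N) == hash_to_zn(message)


if __name__ == "__main__":
    msg = b"root zone serial 2008100901 (constructed sample)"
    shares = deal(threshold=3, parties=5)
    partials = {i: partial_sign(msg, s, 5) for i, s in shares.items()}
    print("3 of 5:", verify(msg, combine(msg, {i: partials[i] for i in (1, 3, 5)}, 5)))
    print("2 of 5:", verify(msg, combine(msg, {i: partials[i] for i in (1, 3)}, 5)))
```

The verifier only ever checks a normal RSA signature against `N` and `E`, so which parties cooperated is not visible in the result.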

Re:It doesn't have to be just one player (1)

I'm not really here (1304615) | more than 5 years ago | (#25328059)

The problem with this statement "I don't think any one of them should be in exclusive control" is that this network was initially created for the sole purpose of protecting the swift transfer of data should a nuclear attack hit the US of A. It's gotten beyond that in a major way, but it started in the US, so I can understand why the US would want the keys.

Though at this point, I don't think any solution that gives any one person the literal key to the internet is a good one, so, on that point, I agree - find a way to split it up so that no one entity has it, and it requires cooperation to change it. How would this impact simple host creation and DNS transfers though?

Note: Though I'm tech savvy, it is not as an expert in the area of DNS.

Re:It doesn't have to be just one player (1)

TheSpoom (715771) | more than 5 years ago | (#25329617)

In reality, it wouldn't affect too much of the normal use of the internet. Basically, whoever has control of this has control of creation and modification of top-level domains, like .com, .net, and .org, to a certain degree, in that they could enable or disable them, but not modify them directly (unless they disabled them and created their own modified version).

In theory, they could bring down the internet with such access though, so it is something worth serious consideration.

Re:It doesn't have to be just one player (2, Insightful)

wiz_80 (15261) | more than 5 years ago | (#25328669)

The problem is that this scheme might work now, but it is not very future proof. How would you avoid the issue of Participant A borging participants B through T, thereby owning enough pieces of the key to do whatever they want, no matter what Participants U through Z have to say?

This might happen with private organizations (companies get bought) or with states (Russia takes over Georgia's piece of the key, just going on what's in the news).

I think ICANN is still the least bad choice. Somebody has to be the ultimate arbiter, and at least ICANN's fights so far have been confined to ICANN. It has not become a bargaining chip in bigger fights, which would be almost guaranteed with organizations such as the UN.

Re:Who to control... (3, Insightful)

mgoren (73073) | more than 5 years ago | (#25328319)

Why in the world would they give it to Verisign? I thought we were trying to move away from Verisign controlling anything other than .com (and I guess .net too)?

Verisign? (3, Insightful)

neowolf (173735) | more than 5 years ago | (#25328437)

I can't wait if they get it... Within a couple of years we will all have to start paying for DNS queries. Of course- they will offer to allow your query for free if they can insert ads into every site you go to.

Time for a workers revolution! (-1)

Anonymous Coward | more than 5 years ago | (#25327449)

Sweep away imperialist barbarism through socialist revolution! Workers to power!

Hmm... MS-B-DNS (0, Flamebait)

intothemiddle (1142025) | more than 5 years ago | (#25327473)

Perhaps we need something to the equivalent of W3C specifically for this, and to be future governing in how to maintain/expand DNS and our overall Network in general. Perhaps with a collection of individuals who are the top experts from several countries.. perhaps Microsoft could choose these people and then release their own Standard "BrokeDNS".

Re:Hmm... MS-B-DNS (2, Funny)

aproposofwhat (1019098) | more than 5 years ago | (#25327571)

Or there could be the Apple version - "BrokebackDNS" :P

Re:Hmm... MS-B-DNS (0)

Anonymous Coward | more than 5 years ago | (#25327701)

Ha ha. I get it. Macs are gay. Ha ha.

Re:Hmm... MS-B-DNS (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25328033)

I like how the majority of my post suggests a serious 4th option and ended with a slight joke/jibe at MS and gets labeled flame bait, yet the one below me which merely references a film gets a score of 2! Though I care for my score on this as much as I care about how much debt the US is in.. NOW I'm off topic AND flame bait.

I believe DNSSEC is unnecessary... (5, Informative)

nweaver (113078) | more than 5 years ago | (#25327535)

I believe DNSSEC is unnecessary to counter the Kaminsky attack.

See draft-weaver-dnsext-comprehensive-resolver-00 [ietf.org] for how I believe you can secure resolvers against attacks less powerful than MitM, including Kaminsky (race-until-win) attacks.

I'd vote ICANN (3, Insightful)

K3ba (1012075) | more than 5 years ago | (#25327561)

But in the end, who really cares who signs it now - what can be signed once, must be able to be signed again (especially if there is a validity period of the signature), and if the signatory needs to change in the future then it can be changed then. Delaying the signing process is counter-productive, as procrastination in this regard only helps the hackers and not the greater unwashed masses who don't know they need this process to be completed in the first place... Maybe they should ask for comments _after_ they have told us the first signatory's name. They will get comments then regardless of who they choose ;)

Re:I'd vote ICANN (3, Insightful)

afidel (530433) | more than 5 years ago | (#25328185)

How about the operators of each Root server sign their own copy of the root? That way if one entity implements policies that you don't agree with you simply remove them from your hints file. There's a reason there's multiple root servers and putting the signing authority in the hands of one entity inherently makes the system less diverse and fault tolerant.

4th option (0, Redundant)

SkunkPussy (85271) | more than 5 years ago | (#25327587)

Verisign is absolutely unsuitable.
ICANN is not a neutral body.
US government is not suitable.

who should it be?

Re:4th option (1)

PinkyDead (862370) | more than 5 years ago | (#25327999)

Hong Kong Phooey?

Can't Do it. (0, Offtopic)

140Mandak262Jamuna (970587) | more than 5 years ago | (#25327657)

Wall street has already sold 22 trillion dollars worth of Root Zone Default Swaps. If Govt took control of the root zone file without buying those toxic assets the whole solar system will collapse into a black hole. We need to urgently pass legislation to tax US Tax payers to the extent of 22 trillion dollars and find a young private sector vice president and appoint him to manage the distribution of the goodies without any possible legislative, judicial or administrative review or oversight.

But surely (1)

Richy_T (111409) | more than 5 years ago | (#25328043)

this isn't like the web where it helps (but is still far from ideal) to have a few central authorities who sign certificates for many entities? This sounds like it would be more of a central thing. Why not just self-sign and publish the key fingerprints in papers, journals and whatever?

ANYONE BUT THE GOVERNMENT (1)

wudukes (1350923) | more than 5 years ago | (#25328063)

God, they are so inept and corrupt. What about ICANN?

Service your implementation (1)

SleptThroughClass (1127287) | more than 5 years ago | (#25328147)

"This is in service of implementing DNSSEC"

I in service to knowing what you say.

Give the keys to Jon Postel (4, Insightful)

davidwr (791652) | more than 5 years ago | (#25328241)

I can't think of anyone more qualified [ietf.org].

Yes, I know he's dead, but I still can't think of anyone more qualified.

Lame choice is no choice (4, Insightful)

Daimanta (1140543) | more than 5 years ago | (#25328307)

"On Thursday morning, a comment period will open on the various proposals on who should hold the keys and sign the root -- ICANN, Verisign, or the US government's NTIA."

ICANN: Organisation situated in the US, can be heavily influenced and controlled by the US government
Verisign: Private company that is only interested in profit and is situated mostly in the US, thereby it can be heavily influenced and controlled by the US government
NTIA: US government

CHOOSE: US, US, or US

American election time!

GPS? (0)

Anonymous Coward | more than 5 years ago | (#25328517)

Let's hide the key somewhere and let the geocachers find it. First one to find it wins.

Terrorism (1)

SmarkWoW (1382053) | more than 5 years ago | (#25328683)

Not that I blindly trust the US government but certain issues need to be taken into account if we're prepared to fully trust a private company to do this...

Terrorism seems to have become a big thing in the US. How do companies like ICANN and VeriSign propose to protect such a crucial part of the internet from a potential attack? Consider both a physical and virtual attack.

Oooh, I know (1)

RalphSleigh (899929) | more than 5 years ago | (#25328767)

Give it to the EU, then just hope you never need anything changed.

It's only the DNS root, nothing critical to the internet working like IP address allocation or proper routing.

servers (0, Flamebait)

ralph1 (900228) | more than 5 years ago | (#25328989)

That from a fucktard who thinks you're so stupid to change from republicanism to republicanism and can't work a computer.