

April 01, 2007

DHS requests DNS master keys

The Department of Homeland Security is demanding the master key for the DNS root zone:

The US Department of Homeland Security (DHS), which was created after the attacks on September 11, 2001 as a kind of overriding department, wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign. At the meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Lisbon, Bernard Turcotte, president of the Canadian Internet Registration Authority (CIRA) drew everyone's attention to this proposal as a representative of the national top-level domain registries (ccTLDs). [Heise Online]

Educated Guesswork has an interesting post about the implications of this proposed power shift.




Whatever happened to the good old days when the news was (relatively) nontoxic and playful enough that this day could be devoted to silly fake headlines? Now there's nothing silly about the news. If only. The faux news were the real news.

E.G. is basically correct - this isn't a big deal. I'd guess that some technically ignorant something or other misunderstands how DNS works, and in typical bureaucratic fashion, decided that control must be centralized.

If this happens, all the DHS can do is perhaps a one-off, crisis-driven diversion of domain names for a few hours. After that, the various NOG groups will notice, and the game is dead. In fact, this might be a good thing - making Verisign (more) untrusted would further decentralize the 'net.

I don't see a big problem, but I don't see any real reason to do it in the first place. Confusing.

fishbane -

Why do you think DHS wants this?

damn! Which one of us went and told bush what you can do with them internets!

Eric -

Like I said, it sounds like some technically ignorant middle manager wants control over everything, not because they understand it or even need it, but because it expands response ranges. Or it could be that a one-off, crisis-driven reaction to divert traffic is appealing to someone, but that seems rather short-sighted.

Just to simplify things, DNSSEC (1) is barely used, (2) is hierarchic, so redirecting traffic to some random site would be both complex and quickly noted, and (3) you can only play that game once. Network operators don't like playing games with DNS. That's part of why it is distributed in the first place - everyone playing owns their own name servers, and is responsible for them.

The federation of DNS root servers has worked well, mainly because commercial interests make it work. If some governmental subversion happened, I think a large number of network operators would find it to be in their own best interest to no longer be so dependent on a subverted system. There have been efforts to set up parallel name spaces, which haven't taken off. If the DHS gets heavy-handed, that might be all those efforts need.
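An added example, not part of the post or of any comment, that models the key hierarchy the Heise quote and the comment above describe: a key-signing key (KSK) vouches for a zone-signing key (ZSK), the ZSK signs the zone's data, and a validating resolver trusts nothing but its configured anchor. It uses Go's standard crypto/ed25519 as a stand-in for the real DNSSEC algorithms, and SignedZone, SignZone, Validate and GenKey are names chosen here, not real DNS software; the "DS" strings are constructed placeholders. What it shows is the point the thread makes: whoever holds the KSK can roll in any ZSK and sign anything, and validation cannot distinguish that from a legitimate key roll, so detection of misuse has to come from operators watching the zone, not from the cryptography.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed model of a signed zone: just the fields the chain of trust rests on.
type SignedZone struct {
	Name      string
	KSK, ZSK  ed25519.PublicKey
	KeySetSig []byte // RRSIG over the DNSKEY RRset (KSK+ZSK), made with the KSK
	Data      []byte // zone contents, e.g. the DS record that delegates "com."
	DataSig   []byte // RRSIG over Data, made with the ZSK
}

func keySetBytes(name string, ksk, zsk ed25519.PublicKey) []byte {
	return bytes.Join([][]byte{[]byte(name), ksk, zsk}, []byte{0})
}

// SignZone is the operator's side: the KSK vouches for the ZSK, the ZSK for the data.
func SignZone(name string, kskPriv, zskPriv ed25519.PrivateKey, data []byte) SignedZone {
	ksk, zsk := kskPriv.Public().(ed25519.PublicKey), zskPriv.Public().(ed25519.PublicKey)
	return SignedZone{Name: name, KSK: ksk, ZSK: zsk,
		KeySetSig: ed25519.Sign(kskPriv, keySetBytes(name, ksk, zsk)),
		Data:      data, DataSig: ed25519.Sign(zskPriv, data)}
}

// Validate is the resolver's side. Its only trust input is the configured anchor
// (the root KSK): whatever that key's holder signed, directly or via a ZSK, passes.
func Validate(anchor ed25519.PublicKey, z SignedZone) bool {
	return bytes.Equal(z.KSK, anchor) &&
		ed25519.Verify(z.KSK, keySetBytes(z.Name, z.KSK, z.ZSK), z.KeySetSig) &&
		ed25519.Verify(z.ZSK, z.Data, z.DataSig)
}

func GenKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return priv
}

func main() {
	root := SignZone(".", GenKey(), GenKey(), []byte("com. DS <digest of com KSK>"))
	fmt.Println("genuine root under its own anchor:", Validate(root.KSK, root))
}
```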

fishbane -

Would software to make visitors to websites anonymous be ineffective if DHS gets this information?


I think you're fundamentally misunderstanding what's going on. No big deal; name service is, in fact, surprisingly complex.

- When you are connected to the 'net, you have an IP address. For various reasons, that IP address may look different "outside" of your ISP/college/collective/whatever, but it still is resolvable to some point, and that "point" has an interest in keeping logs, just to run the network.

- Using anonymous remailers, Tor, etc., you can be at least somewhat more sure of anonymity.

- This power grab is not about individuals. This isn't the power to grab J. Random Guy's surfing habits. It is about being able to route every J. Random Guy to a fake CNN site.

Think of it as a real-time phone book that we all depend on, even if we don't know we're depending on it (Do you know what Google's main IP is?). Technically, that's still very incorrect, but it gives you an idea of what's going on.

So. That's why I said it might be a prep for a one-off use. What value might be had from a one-time redirect of, say,, or

That's giving the DHS the benefit of the doubt, though; I think they aren't that smart, and are just playing gimme.

fishbane -

So if DHS gets this information, they won't be better able to find the identity of someone surfing the web with an anonymizer?
