Security theater for DNSSEC

The recent DNSSEC workshop in Singapore got some interesting coverage in the San Jose Mercury News:

The Singapore event included an elaborate technical ceremony to create and then securely store numerical keys that will be kept in three hardened data centers there, in San Jose, Zurich and Singapore. The keys and data centers are working parts of a technology known as Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a directory that connects names to numerical Internet addresses. Preliminary work on the security system had been going on for more than a year, but this was the first time the system went into operation, even though it is not quite complete.

The three centers are fortresses made up of five layers of physical, electronic and cryptographic security, making it virtually impossible to tamper with the system. Four layers are active now. The fifth, a physical barrier, is being built inside the data center.

As the recent compromises of RAs at Comodo showed us, the weak link in a PKI is almost never the CA itself: a clever hacker goes after one of the weaker links instead of trying to get at the CA's private keys. And the fortresses being built in San Jose, Zurich and Singapore certainly look like they are designed to keep hackers away from those very keys.

So if a hacker wants to compromise DNSSEC, they almost certainly won't try to beat the security of one of the fortresses. They'll do something much easier, the DNSSEC equivalent of compromising an RA: going after a registrar or registry account that can change the DS records through which a TLD delegates trust to a particular zone. That means all of the expensive layers of security around the DNSSEC root keys are probably just for show. They may make people feel better about the security of DNSSEC, but they don't add much real security, because they are built to defeat an attack on the root keys that nobody attempts while far cheaper attacks on the rest of the chain are available, and those cheaper attacks stay available no matter how tight the security around the root keys is.
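To make concrete which parties a validating resolver actually trusts, here is an added example (not code from the original post, and not ICANN's or any resolver's code) that walks a DNSSEC delegation chain the way a validator does at each cut point: a zone's DNSKEY is checked against the DS record its parent publishes, and only the root DNSKEY is checked against a locally configured trust anchor. The zone names, keys and the "attacker controls the registrar" scenario are constructed toy values, not real zone data; RRSIG verification over RRsets is left out so that only the delegation links are shown.

```python
# Added example: a toy DNSSEC chain-of-trust check. Not code from the original
# post; every key and zone below is a constructed test value.
import base64
import hashlib
import struct

DS_SHA256 = 2  # DS digest type for SHA-256 (RFC 4509)


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label. This is the form the DS digest covers."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, the non RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """The DS record a parent publishes for a child's DNSKEY (RFC 4034 5.1.4):
    digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DS_SHA256, digest)


def verify_chain(trust_anchor, chain):
    """Check each delegation link the way a validating resolver does.

    chain: list of dicts ordered from the root down, each with
      zone          owner name of the zone
      dnskey        (flags, protocol, algorithm, pubkey_b64) of its KSK
      ds_for_child  DS tuple this zone publishes for the next zone, or None
    Only the root DNSKEY is compared against the configured trust anchor;
    every other DNSKEY is compared against the DS its parent publishes.
    Returns a list of error strings; an empty list means the chain validates.
    """
    errors = []
    expected_ds = trust_anchor
    for link in chain:
        actual_ds = make_ds(link["zone"], *link["dnskey"])
        if actual_ds != expected_ds:
            errors.append(f'{link["zone"]}: DNSKEY does not match DS published by parent')
        expected_ds = link["ds_for_child"]
    return errors


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed toy keys (flags 257 = KSK, protocol 3, algorithm 8 = RSA/SHA-256).
# The key material is arbitrary bytes, not real RSA keys.
ROOT_KEY = (257, 3, 8, "AQI=")
COM_KEY = (257, 3, 8, b64(b"legitimate com key"))
EXAMPLE_KEY = (257, 3, 8, b64(b"legitimate example.com key"))
ATTACKER_KEY = (257, 3, 8, b64(b"attacker controlled key"))

# The trust anchor is the DS form of the root KSK: the only value the resolver
# takes from local configuration rather than from a parent zone.
TRUST_ANCHOR = make_ds(".", *ROOT_KEY)


def build_chain(example_key=EXAMPLE_KEY):
    return [
        {"zone": ".", "dnskey": ROOT_KEY,
         "ds_for_child": make_ds("com.", *COM_KEY)},
        {"zone": "com.", "dnskey": COM_KEY,
         "ds_for_child": make_ds("example.com.", *example_key)},
        {"zone": "example.com.", "dnskey": example_key, "ds_for_child": None},
    ]


def honest_chain():
    return verify_chain(TRUST_ANCHOR, build_chain())


def attacker_swaps_key_only():
    """Attacker serves a forged DNSKEY for example.com, but the DS in .com still
    names the legitimate key: validation fails at that link."""
    chain = build_chain()
    chain[2]["dnskey"] = ATTACKER_KEY
    return verify_chain(TRUST_ANCHOR, chain)


def attacker_controls_registrar():
    """Attacker also pushes a new DS into .com through the registrar channel:
    the forged key now validates, and the root key was never touched."""
    return verify_chain(TRUST_ANCHOR, build_chain(example_key=ATTACKER_KEY))


if __name__ == "__main__":
    print("honest chain errors:", honest_chain())
    print("forged key, DS unchanged:", attacker_swaps_key_only())
    print("forged key, DS republished via registrar:", attacker_controls_registrar())
```

The last case is the point of the post: an attacker who can get a new DS record into the TLD through the registrar path validates cleanly without ever going near the root keys, so the assurance a validator gives is bounded by the weakest party that can publish a DS for the name, not by the physical security around the root KSK.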

  • Steve Pinkham

    And what’s the equivalent of the RA in DNSSEC, and how many of them are relevant for each domain name?
    When you answer that question, you can clearly see a big difference between DNSSEC and the CA system that you seem to be overlooking.
    The CA system depends on the security of the least secure RA. DNSSEC depends on the root zone, the TLD, and the registrar of your choice.
    Also, a large percentage of sites on the net have class 1 certs, which strictly depend on all those parties already.
    It seems to me an ideal solution would be DNSSEC for low-risk sites (that would consider using class 1 certs now), with DNSSEC and/or one or more CA certs as inputs to a system like http://convergence.io/ for high-risk sites.
    Instead of reasonable discussion about such possibilities, of course, everything security related turns into a huge pissing match, whether or not people understand the tech involved or have ever really used it. Sigh.



  • Madeleine Sluss

    Very informative article post. Thanks again. Much obliged.
