America takes over DNS

Peter Dambier peter at peter-dambier.de
Mon Apr 2 11:09:48 UTC 2007


The Racines Libres have failed?

There are so many out there that we cannot count them any longer.

I think the only failure is the "single point of failure root".

They have failed to be trustworthy.


It is so easy, get a copy of a trustworthy root-zone and run
your own root. From time to time compare your root to the
others and fix any diffs.

Better take the authoritative servers and fix your root-zone.

I have never seen a personal root-server attacked.
The single point of failure root gets attacked once per hour,
because every hour it is 8 o'clock in the morning in some place
and all those Windows boxes get switched on.

Cheers
Peter and Karin Dambier


michael.dillon at bt.com wrote:
>>The US Department of Homeland Security (DHS) ...
>>wants to have the key to sign the DNS root zone
>>solidly in the hands of the US government.
>>This ultimate master key would then allow
>>authorities to track DNS Security Extensions
>>(DNSSec) all the way back to the servers that
>>represent the name system's root zone on the
>>Internet. The "key-signing key" signs the zone
>>key, which is held by VeriSign.
> 
> 
> Very interesting because it is the second story on the list this weekend
> which highlights that DNS domain registries (and ultimately the root
> zone) are a single point of failure on the Internet. Wouldn't the holder
> of these keys be the only ones able to spoof DNSSEC? And if the criminal
> community ever cracks DHS (through espionage or bribery) to acquire
> these keys, what would be the result.
> 
> I just don't see how adding another single point of failure to the DNS
> system, in the form of a master key, helps to strengthen the DNS
> overall. It is probably time to start looking at alternative naming
> systems. For instance, we have a much better understanding of P2P
> technology these days and a P2P mesh could serve as the top level finder
> in a naming system rather than having a fixed set of roots. We have a
> better understanding of webs of trust that we could apply to such a
> mesh. 
> 
> Given that the existing DNS is built around two distinct classes of IP
> address, i.e. stable ones that always lead to a root nameserver, and
> unstable ones which lead to other Internet hosts, could we not design a
> more flexible naming system around that concept? Could we not have more
> than 13 stable IP addresses in the net? Could we not leverage something
> like route servers in order to find the root of a local naming
> hierarchy?
> 
> Now that well-educated and technically sophisticated criminal groups are
> attacking the DNS on multiple fronts, we need to be looking at
> alternatives to DNS for naming hosts. We need to get such alternative
> systems out into the wild where they can be tested. To date, we have
> seen some small amount of innovative thinking around DNS that has been
> tested. For instance, alternative roots which have failed in the wild
> and anycasting which has been a great success. But these things do not
> address the core technical problems of the whole DNS system.
> 
> --Michael Dillon


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
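The "compare your root to the others and fix any diffs" step above is the part a practitioner has to automate. Below is an added example (my code, not the poster's or any project's he lists) that parses two copies of a root zone in simplified one-RR-per-line master-file syntax and reports delegation drift while ignoring the SOA serial, which legitimately differs between copies. The zone data is constructed for illustration with example names and RFC 5737/3849 documentation addresses; it is not real root-zone content.

```python
"""Report drift between a locally served root zone and a reference copy.

Added example, not code from the post or any project it names.  Input is
simplified master-file text (one RR per line); the sample zones are
constructed with example names and documentation addresses.
"""
from typing import Dict, Set, Tuple

RRKey = Tuple[str, str]            # (owner name, RR type)
RRSets = Dict[RRKey, Set[str]]     # RRset -> set of rdata strings

# Only delegation data is compared: SOA serials legitimately differ between
# copies and would make every run look like drift.
COMPARED_TYPES = {"NS", "A", "AAAA", "DS"}


def _norm_name(name: str) -> str:
    """Lower-case a domain name and make sure it is fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text: str) -> RRSets:
    """Parse one-RR-per-line master-file text into RRsets.
    ';' comments and $-directives are skipped, TTL and class are optional
    in either order, owner names and NS targets are case-normalised."""
    rrsets: RRSets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = _norm_name(fields[0]), fields[1:]
        for _ in range(2):                      # optional TTL / class IN
            if rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
                rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed RR: {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "NS":
            rdata = _norm_name(rdata)
        rrsets.setdefault((owner, rtype), set()).add(rdata)
    return rrsets


def diff_zones(local: RRSets, reference: RRSets) -> Dict[str, dict]:
    """Split COMPARED_TYPES RRsets into only-local, only-reference and
    changed; 'changed' maps the key to a (local rdata, reference rdata) pair."""
    keys_l = {k for k in local if k[1] in COMPARED_TYPES}
    keys_r = {k for k in reference if k[1] in COMPARED_TYPES}
    return {
        "only_local": {k: local[k] for k in keys_l - keys_r},
        "only_reference": {k: reference[k] for k in keys_r - keys_l},
        "changed": {k: (local[k], reference[k])
                    for k in keys_l & keys_r if local[k] != reference[k]},
    }


def report(diff: Dict[str, dict]) -> list:
    """Render a diff as sorted human-readable lines (empty when in sync)."""
    lines = []
    for key, rdata in sorted(diff["only_local"].items()):
        lines.append(f"EXTRA    {key[0]} {key[1]} {sorted(rdata)}")
    for key, rdata in sorted(diff["only_reference"].items()):
        lines.append(f"MISSING  {key[0]} {key[1]} {sorted(rdata)}")
    for key, (loc, ref) in sorted(diff["changed"].items()):
        lines.append(f"CHANGED  {key[0]} {key[1]} {sorted(loc)} -> {sorted(ref)}")
    return lines


def zone_in_sync(local_text: str, reference_text: str) -> bool:
    """True when the two copies carry identical delegation data."""
    return not report(diff_zones(parse_zone(local_text), parse_zone(reference_text)))


# Constructed sample data (not real root-zone contents).
LOCAL_ZONE = """\
$TTL 3600
.               IN SOA  a.root.example. hostmaster.root.example. 2007040201 1800 900 604800 86400
.               IN NS   a.root.example.
.               IN NS   b.root.example.
a.root.example. 3600 IN A    192.0.2.1
b.root.example. 3600 IN A    192.0.2.2
example.        IN NS   ns1.example.
ns1.example.    IN A    192.0.2.10
"""

REFERENCE_ZONE = """\
$TTL 3600
.               IN SOA  a.root.example. hostmaster.root.example. 2007040202 1800 900 604800 86400
.               IN NS   A.ROOT.EXAMPLE.     ; same target, different case
.               IN NS   b.root.example.
a.root.example. 3600 IN A    192.0.2.1
b.root.example. 3600 IN A    192.0.2.3      ; glue moved
example.        IN NS   ns1.example.
ns1.example.    IN A    192.0.2.10
test.           IN NS   ns1.test.           ; delegation absent locally
ns1.test.       IN A    192.0.2.20
"""

if __name__ == "__main__":
    for line in report(diff_zones(parse_zone(LOCAL_ZONE), parse_zone(REFERENCE_ZONE))):
        print(line)
```

Run against the sample data it flags one moved glue record and one delegation missing locally, and stays silent about the serial bump and the case difference in the NS target. In practice you would feed it the zone files transferred (AXFR) from your own server and from a reference server and page on any non-empty report; which copy is "right" is a judgement the script deliberately leaves to the operator.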