Home » Internet, Privacy & Security

Fantasy role playing has no place in DNSSEC

By 28 July 2010 10 Comments

UPDATE 8/2/2010There are no key holders to the Internet.

As a computer security professional who has written on the subject of security for years, I know first hand that security is one of the most bland subjects in the world even for a technology inclined audience.  I understand the need to “sex up” the subject with Drudge Report worthy headlines like “An Order of Seven Global Cyber-Guardians Now Hold Keys to the Internet” and I understand the temptation for some companies to ride the hype train.  But when media starts naming actual individuals (who see themselves as Gandalf) who hold 1/5th of the key escrow for restoring the root key of DNSSEC in case of emergency, it makes me cringe for the sake of that individual’s security and the security of DNSSEC.

UPDATE – Some have pointed out that the 5 key holders cannot recreate the private root key by themselves.  They only hold the key to the key and they have to go to the Hardware Security Module (HSM) that is storing the actual private key.  However, it’s still very dangerous to publish the names of the key holders because someone may attempt to bribe or threaten them.

If it’s relatively simple for Lee Murray to steal over $100 million from a high security bank warehouse, it isn’t much harder to steal 5 of 7 DNSSEC escrow keys if the key holders are named.  All the cyber or physical security measures in the world means little when one’s family is in grave danger.  The truth is that while it would be a major hassle to re-key the entire DNSSEC system if the escrow keys are ever compromised or if the root DNSSEC keys are destroyed, it’s really not going to bring down the Internet.  But if the media and “conventional wisdom” perceives this to be the case, it puts the escrow key holders at unnecessary risk.

There are many misunderstandings about this whole DNSSEC thing.  This Gizmodo blog stated:

“The basic idea is that in the event of an Internet catastrophe, the DNSSEC (domain name system security) could be damaged or compromised and we’d be left without a way to verify if a URL is pointing to the correct website.”

Aside from the fact that the media is conflating DNSSEC with “the Internet” or “the World Wide Web”, the Internet and World Wide Web won’t stop working if the DNSSEC root keys are destroyed.  DNSSEC facilitates a new key distribution and key verification method that can potentially stand in place of our existing SSL infrastructure which is responsible for all the “HTTPS” prefixes you see when you visit your secure online banking website.  In fact, DNSSEC hasn’t really be deployed in this manner and probably won’t be for the forseeable future since you need a current OS like Windows 7 to be able to even understand DNSSEC.

So the worst thing that can happen at the moment is that we simply revert to the way the Internet was before July 15th 2010 when the DNSSEC root keys were first deployed.  The last time I checked, the Internet didn’t come to an end before that date.  The media is essentially reporting that problems with a system that has yet to be adopted would bring the World Wide Web down.

DNSSEC wouldn’t just stop working in an emergency

If we actually lost the DNSSEC root keys, we would probably still have the subordinate key signers which wouldn’t expire for years.  We wouldn’t be able to give birth to new subordinate key signers until we recovered the root keys from the 5 of 7 key escrow holders.  But even if we lost the root and subordinate private keys simultaneously, a Public Key Infrastructure (PKI) system like DNSSEC would still function in the sense that the end points could still verify all existing DNSSEC keys until they expire (though we could even ignore the expiration since the keys are most likely valid).  We would only lose the ability to sign new DNSSEC domains until at least the subordinate keys have been recovered.  So if someone signed up for a new domain name, key signing would be offline.

Now let’s say we manage to lose 3 of 7 escrow keys and the root keys at the same time or if 5 of 7 escrow keys were compromised such that some malicious person now has the ability to recreate their own evil DNSSEC root key.  That would mean we would have to re-key the entire DNSSEC system just like we did now for the first time.  While that requires pushing out a very small update to the whole world (think of this as changing out all the locks), it doesn’t mean end the Internet.  But by publishing the names of the escrow key holders, the possibility of having to “change all our locks” becomes more real.

Update – I’ve been asked to offer a more laymen version of this story so I’ve come up with the following.  Apologies for getting too geeky.

  • DNS or Domain Name System is like the “yellow pages” of the Internet.  Not having it doesn’t technically stop you from reaching the places you want to go, but you’ll have a hard time finding the addresses of places you want to go.  When we go to amazon.com, the actual address is but I only knew that because I was able to ask DNS.
  • PKI or Public Key Infrastructure is a technology that facilitates security electronics communications.  It allows us the know that the person or device we’re speaking to on the other end of the network is who or what they say they are and it affords us privacy against snoopers.  Technology like Secure Socket Layer (SSL) is a form of PKI.  SSL is what current secure online websites with the “HTTPS” prefix use.  Getting even geekier, SSL uses a specific type of PKI called X.509 which is used PKI certificate authorities like Verisign or Entrust.
  • DNSSEC is a secure version of DNS that with PKI technology built it, and it can potentially be a better and more scalable substitute for the existing X.509 based SSL systems.  Future SSL could be based on DNSSEC instead of X.509.
  • DNSSEC, like other PKI systems, has a root key that creates all other keys.  Think of this as the master key.  There are typically subordinate master keys that are delegated the task of giving birth to other keys.  The root key is broken down into a public and private key.  The private key is the only key that can be used to create new keys, but the public key is known by every computer on the planet and it is used to verify the authenticity of other keys that were given birth by the one private key.
  • If that root key is destroyed or revealed to the bad guys, every computer on the planet would have to be given a new set of public keys.  This can be done automatically through things like Microsoft Windows Update.
  • As a mitigation of destroyed root keys, we can have a key escrow (recovery) system.  But we don’t want a single person to be able to recreate their own keys so we give the keys to 7 people and any 5 of them can recreate the private root key.  Having these 7 people however increases the possibility of the bad guys obtaining the private root key especially if the escrow key holders are named publically.  It’s amazing what a Glock .45 pointed at the head could achieve.
  • Unfortunately, one of the 7 key holders in the UK (who fancies himself as Gandalf or the “Order of Seven”) was publically revealed.
  • The reality is that a compromised key just means we’ll be forced to run our monthly Windows Update patches earlier, but it does NOT mean that the Internet stops working.  That doesn’t sound as dramatic as “the Internet would come to a halt” or “the Internet needs to be rebooted” and it doesn’t get you on the front page of the Drudge Report.


  • David Ulevitch said:

    Exceptionally well said.

  • George Ou (author) said:

    Thank you David.

  • Franck Martin said:

    They got it wrong, the Internet will come to a halt in one year when there is no more IPv4 and it needs to be rebooted in IPv6!

    Just kidding, some good explanations.

    I think publishing the list of the key holders serves two purposes:
    1) to show they are not all Americans
    2) if a glock .45 is pointed at them, more likely someone will notice

  • patrick giagnocavo said:

    Is it not therefore likely that Paul Kane will be replaced? Or how do we even know that Paul is in fact one of the holders – he could be a decoy or a bit player like say, Radagast the Brown or Wormtongue.

  • George Ou (author) said:

    @ Frank Martin

    If a .45 is pointed at one of their loved family members in some other location, I’ll bet you could get them to “voluntarily” go in and grab the necessary key.

  • Ram said:

    Great post! Well done.

  • grayhat said:

    You complain about ONE name revealed by BBC ?

    I think you’d better complain about ALL the names
    kindly revealed by IANA in this publicly available
    PDF document


    just in case, here’s the list

    RKSH1 Moussa Guebre /BF
    RKSH2 Ondrej Sury /CZ
    RKSH3 Paul Kane /UK
    RKSH4 Jiankang Yao /CN
    RKSH5 Bevil Wooding /TT
    RKSH6 Norm Ritchie /CA
    RKSH7 Dan Kaminsky /US

    cool (not) huh ?

  • Digital Society » Blog Archive » There are no ‘key holders’ to the Internet said:

    […] }); }In a post last week “Fantasy role playing has no place in DNSSEC“, I pointed out that the media is conflating the “Internet” and the “World […]

  • rick said:

    Thank you George for setting the record straight.
    In fact, loosing even all 7 cards does not compromise the root key. True this would be a pain to have to get all the cardholders to travel again to recreate new cards (with different material on them) but since there is no piece of the root key on them, there is no compromise.
    Furthermore, if both root key managment sites did fall into the ocean, a few months are available to call 5 of 7 of the card holders to reinitialize an HSM with the right information. So Internet users would not even notice.
    It is IMHO that by geographically distributing control of this key accross 21 (18 are non-US) members of the Internet community – not 7 – that we both protect these credential holders and minimize the risk to the root key.

  • Marsh Ray said:

    You got a better idea?