

The internet has a huge security problem that's temporarily fixed with bent paperclips and some gaffer's tape. Without concerted effort, hackers could easily spoil what little confidence remains in the internet.

In fact, cyber-criminals are already exploiting the Domain Name System hack uncovered by security researcher Dan Kaminsky this summer – essentially setting up fake banking websites that users reach by typing in their bank's real domain name. (That's according to research by Georgia Tech's David Dagon and Internet Systems Consortium's Paul Vixie.)

That's why the U.S. government finally put out a call Thursday for comments on whether the net as a whole should adopt new security protocols called DNSSEC, and on who should have the privilege of controlling the master keys.

Two longstanding net infrastructure rivals – ICANN and VeriSign – each want the job.

Internet experts are siding overwhelmingly with ICANN, arguing that the crucial responsibility of making sure users can trust the technical equivalent of the internet's phone book belongs in the hands of the net's main oversight body.

ICANN, a non-profit entity that handles internet name and address issues, argues it should have the job of changing the root zone file, and as the one making the changes, is the only one that can honestly put the official wax seal on it.

That proposal (.pdf) expands its current responsibility and removes the U.S. Commerce Department's role in approving changes every day. It would also reduce the role of VeriSign in the process.

Not surprisingly, VeriSign, the for-profit internet infrastructure company that runs the dot-com and dot-net top-level domains, thinks it should be in charge of vouching for the accuracy of the net's master directory document, known as the root zone file.

In VeriSign's proposal, ICANN would hand off validated edits to VeriSign, which would create the file, and conscript a number of the operators of the net's root servers to sign off on the authenticity.

That makes no sense to Rob Seastrom, a longtime net hand who has run ISPs, serves on the ARIN advisory board, and is currently working on building EDGE networks for a stealth start-up.

"The whole concept of signing is that you are attesting that this is the right data, so it seems to me, the proper organization to sign the data is the one that created it," Seastrom said.

Seastrom compares the signing process to testifying in court – where one can swear to the truth of what he saw or did, but one can't testify to hearsay.

Seastrom also remembers what he calls the "Site Finder debacle" of 2003 where VeriSign unilaterally decided to serve ads to users who typed in a non-existent dot-com domain name, rather than return an error as internet specifications dictate.

"VeriSign would be completely nonstarter [as root signer] for anyone that remembers that hack," Seastrom said, adding that any for-profit entity with financial interests in the contents of the zone file should not be signing it.

VeriSign turned Site Finder off within weeks, following legal threats from ICANN, though it later sued ICANN itself. The suit settled in 2005, with VeriSign horsetrading Site Finder for an extension of its control over the .com.

Google vice president Vint Cerf – one of the net's fathers and the former chairman of ICANN – argues that ICANN – which manages the internet technical body IANA – is the right choice.

[T]he agency (Internet Assigned Numbers Authority) responsible for collecting changes, additions and deletions to the root zone file AND CONFIRMING THEIR VALIDITY should generate and digitally sign the resulting root zone file update. This should then be passed to VeriSign for distribution. This particular choice of operation allows the agency that prepares the changes to insure the integrity of the new zone file before it leaves IANA. Alternatives to this practice leave open more potential for error. In any case, it is vital that the root zone file be digitally signed so that resolvers can be assured that the information they get from the root servers has high integrity.

Bill Woodcock, the research director at the non-profit Packet Clearing House, argues that having ICANN sign the root is just a matter of smart security practices – having the key close to the data being verified.

"ICANN is the one whose name and authority are on the line," Woodcock said. "VeriSign would just be rubber-stamping something that they had no idea of the validity of. Conversely, ICANN would have no idea whether VeriSign were signing their name to something they'd fraudulently changed."

As for Columbia University professor Steven Bellovin, who says he was one of the ones who invented the DNS contamination attacks, he says he's "glad there's finally movement towards a real defense."

The Commerce Department is collecting comment from the public through November 24 via a Notice of Inquiry.

VeriSign offered on Thursday to connect Threat Level with a top executive, but has not been in contact since.

Photo: MagnetBox/Flickr
