Where is Culpeper? What are you doing there? For the entire last two weeks, that’s the most common question I was asked. While there were a few thumbs up from people who knew what was going on, I tried to explain to other techies about DNSSec and the significance of the key signing ceremony. For others, I just resorted to saying that it’s a place near Washington DC where there was a technical meeting I had to attend. ‘DC’ and ‘meeting’ in the same line was enough explanation for them, methinks.

While I am detailing the DNSSec protocol in layman’s terms further below, the signing ceremony itself was not unlike a well-written IETF protocol draft, where every actor had a role and parts were scripted like an act on stage. The 35-page script will possibly be made public by ICANN in the near future; with its attention to detail, pedantic execution and timestamps at each step, the ceremony lasted almost seven hours. In those seven hours, we incorporated the seven crypto officers and seven recovery key share holders, initialized the HSM, generated the KSK, processed the request from Verisign and made arrangements for continuation of the procedure in the West Coast facility. From Verisign, we received the Key Signing Request, containing ZSKs generated by Verisign, signed those and returned a Signed Key Response; they will use those ZSKs to sign the root zone. Exceptions were handled by the ceremony administrators with utmost care. The main ceremony was in a secure room behind multiple security layers, including a man trap at the second stage. The event was recorded, and was watched by more people in an external room in the same facility. We had an auditor present to keep notes of the proceedings, and an armed guard to make sure that we didn’t deviate.

I was one of the seven crypto officers selected for the East Coast facility, which is in Culpeper. In essence, at least three out of the seven crypto officers need to be present in future key signing ceremonies for the East Coast. We hold the keys to the safes in which the crypto smart cards are stored; those cards are needed to operate the key signing hardware every time new keys are generated and used for signing the root zone key. So, in a way, for popular consumption, I now hold keys to the DNS system on the Internet.

As was noted by various people, this was quite a significant ceremony. It makes DNS, one of the most fundamental tenets of the Internet, more secure. DNS has long been one of the most open protocols on the Internet, and over time a model of how successful protocol design works. The cryptographic signing of the root zone possibly indicates the changes that have happened to the Internet over the years, and the way it’s headed.

Personally, I think it was a great step forward, but at the same time I wonder whether, if we continue the push to encrypt everything on the Internet, the free and wild west nature of the Internet will still be there in a decade or so. Only time will tell.

Explaining DNSSec:

To give some background, DNSSec is short for Domain Name System Security Extensions. DNS is what links names like www.gaurab.org.np to Internet Protocol (IP) addresses. IP addresses are like phone numbers on the Internet, and DNS is the telephone directory. DNS is a very widely distributed network of hierarchical servers spread around the world. For example, for www.gaurab.org.np, there are separate servers that handle the ‘org.np’ part and the ‘www.gaurab’ part. The ‘org.np’ part is spread out over as many as nine name servers all over the world. Of the nine, a few are distributed even further with a technique called Anycast. That makes it potentially about 80 to 100 servers for ‘org.np’ that can tell an inquiring machine about ‘gaurab.org.np’. Further, ‘gaurab.org.np’ has three authoritative servers spread between the USA and Nepal.

When you go further above ‘org.np’, you end up in the root zone. If you think of DNS as an inverted tree with the root at the top, with country-code branches like ‘np’ and ‘nz’ and gTLD branches like ‘com’, which then branch out further into ‘org.np’, ‘com.np’ and so on, you get fairly close to the concept. The way the early DNS system was designed, there is no way to verify the integrity of the data you receive from these servers. With enough technical skill, someone in the middle can modify a valid response and send false data. They can also pretend to be one of the servers and send bad data. There are also other known problems, like cache poisoning, that can inject false data into the system.

To address this problem of maintaining the integrity of the data, DNSSec was developed many years ago. It’s been a known protocol for many years. DNSSec uses public key cryptography and embeds, with each response, information that can be used to cryptographically validate that response. The bits included with each response are called a ‘signature’. Your computer, or ‘resolver’ as it’s called in DNS parlance, can then verify this information by comparing it against a well-known set of published data. This process is called validating the response. If the signature doesn’t validate, the resolver will not accept the response and will try again. Of course, this is a very simplified version of the entire process.

Despite being around for a while, the root, or top level, of the DNS system wasn’t using DNSSec. The main issue that delayed it for so long was the ownership and management of the root zone cryptographic data. There were also other issues with DNSSec deployment that were identified and resolved in the meantime. But by 2009, many organizations were pushing for deployment. The Swedish ccTLD .se was one of the first to be signed. In mid 2009, .org, a major gTLD, was signed. The pressure was on for the actors responsible for root zone management to sign the root.

It’s important to understand that unless the root zone was signed, the hierarchy couldn’t be verified from the top down, so the full benefit of using DNSSec wasn’t there. Sometime in 2009, IANA, ICANN, Verisign and NTIA, the primary actors in the management of the root zone, all agreed on a way to get this done. Under the arrangement, Verisign, as maintainer of the root zone, was to keep and maintain the Zone Signing Key (ZSK), and ICANN would issue and maintain the Key Signing Key (KSK), which would be used to cryptographically sign the ZSK.

The ceremony in Culpeper was where ICANN, in the presence of 14 chosen community representatives as well as many other external witnesses, created the KSK to be used for signing the root zone. It also accepted the first Key Signing Request from Verisign to use the KSK to sign the ZSK. ICANN will maintain the keys in two different locations in the US. The signing ceremony in Culpeper was the first of the two; the second will take place in Los Angeles on 12th July 2010. Once the keys are safe and the 7 more community representatives are incorporated for the West Coast facility, the root zone will finally be signed on 15th July 2010. DNSSec will be in production after 15th July, 2010. A major milestone in maintaining the integrity of the domain name system and subsequently the Internet.
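Putting the last few paragraphs together in code: this is a toy model, added here and not part of the original post or of any ICANN or Verisign software, of the chain of trust just described. The KSK holder answers a Key Signing Request by signing the DNSKEY set that contains the ZSK (the Signed Key Response), the zone maintainer signs ordinary records with the ZSK, and a resolver configured with the KSK as trust anchor validates a record end to end. It uses Ed25519 in place of the root’s actual algorithm and plain strings in place of DNS wire format; the record and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// DNSKEYSet models a zone's DNSKEY RRset: the KSK and ZSK public keys (toy model, not wire format).
type DNSKEYSet struct{ KSK, ZSK ed25519.PublicKey }

// Bytes serialises the set in a fixed order so signer and validator sign/verify the same data.
func (s DNSKEYSet) Bytes() []byte { return append(append([]byte("DNSKEY:"), s.KSK...), s.ZSK...) }

// SignKeySet is the ceremony step: the KSK holder signs the DNSKEY RRset that carries the ZSK
// from the Key Signing Request; the returned signature plays the role of the Signed Key Response.
func SignKeySet(ksk ed25519.PrivateKey, set DNSKEYSet) []byte { return ed25519.Sign(ksk, set.Bytes()) }

// SignRecord is the zone maintainer's day-to-day step: the ZSK signs ordinary zone data.
func SignRecord(zsk ed25519.PrivateKey, rr string) []byte { return ed25519.Sign(zsk, []byte(rr)) }

// Validate is the resolver's chain of trust: trust anchor -> DNSKEY RRset -> record. Every link must verify.
func Validate(anchor ed25519.PublicKey, set DNSKEYSet, skr []byte, rr string, rrsig []byte) error {
	if !anchor.Equal(set.KSK) {
		return fmt.Errorf("KSK in DNSKEY set does not match the configured trust anchor")
	}
	if !ed25519.Verify(anchor, set.Bytes(), skr) {
		return fmt.Errorf("DNSKEY RRset signature does not validate under the trust anchor")
	}
	if !ed25519.Verify(set.ZSK, []byte(rr), rrsig) {
		return fmt.Errorf("record %q does not validate under the ZSK", rr)
	}
	return nil
}

// RunScenario walks the whole flow with fresh keys and reports whether a genuine record
// and an altered copy of it validate (expected: true, false).
func RunScenario() (genuine, tampered bool) {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader) // held by the KSK custodian (ICANN's role)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader) // held by the zone maintainer (Verisign's role)
	set := DNSKEYSet{KSK: kskPub, ZSK: zskPub}
	skr := SignKeySet(kskPriv, set)
	rr := "np. IN NS ns.example.net." // constructed sample record
	rrsig := SignRecord(zskPriv, rr)
	genuine = Validate(kskPub, set, skr, rr, rrsig) == nil
	tampered = Validate(kskPub, set, skr, "np. IN NS ns.altered.invalid.", rrsig) == nil // swapped answer, old RRSIG
	return genuine, tampered
}

func main() {
	g, t := RunScenario()
	fmt.Printf("genuine record validates: %v, altered record validates: %v\n", g, t)
}
```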

Details of the root DNSSec deployment are on the http://www.root-dnssec.org/ site. It also includes the names and details of all the community representatives and other actors in the process.