
By definition a tree has a single root. Please specify what you mean by "roots".

The private key of the DNS root was split in seven parts held by seven people [1]. It is stored in two HSMs, one on the east coast of the United States, one on the west coast. Could the NSA or some other agency have gotten hold of the private key? Probably. But spinning that as "the DNSSEC root is controlled by the governments" is FUD.

[1] http://venturebeat.com/2010/07/28/seven-security-experts-get...




When DNSSEC says "bit.ly" is correct and valid, what organizations or entities could have messed with the results?


The concern that the Libyan TLD registry might fake NS and/or DS records of 2LDs applies equally to unsigned and signed zones. So if that is a concern, why use an untrusted TLD, or why use DNS at all?

If you do not trust the Libyan TLD, configure a negative trust anchor for that TLD in your resolver.

Alternatively, if you want to pin that TLD to a particular KSK, configure that KSK as a (positive) trust anchor in your resolver.

If you do not trust the IANA at all, disable the IANA root in your resolver and add trust anchors for the domains you trust. Use lookaside validation if you find that too cumbersome and want to let others do that work for you.


Why did you pick an example that does not use DNSSEC? It seems your thesis would be a lot stronger if you used a top and second level domain that actually implemented DNSSEC:

  root@fw:~# unbound-host  -t A -v bit.ly
  bit.ly has address 69.58.188.39 (insecure)
  bit.ly has address 69.58.188.40 (insecure)
More: http://dnssec-debugger.verisignlabs.com/bit.ly and http://dnsviz.net/d/bit.ly/dnssec/


I can't tell if you are trying to deliberately miss the point.

If those in charge of ly decided to implement dnssec, then who is in charge with respect to GP.


> Why did you pick an example that does not use DNSSEC?

Because I'm trying to illustrate how much additional security you might or might not get if you added DNSSEC, especially with regards to government entities.


The answer is "N/A." The .ly tld is not signed so DNSSEC could never attest to the authenticity of the A record for bit.ly.

In order for this to be a useful exercise you should structure the question in such a way that there is as much potential for government interference as possible. (Unless you are looking for a specific answer and you are trying to lead the respondent.) Government interference with DNSSEC is not limited to the `.` zone. Or put another way, DNSSEC's attack surface area is not limited to the sacred KSK.


If bit.ly implemented DNSSEC exactly to spec, and it appears clean to a user, who could be an attacker and in what way?


Anyone can be an attacker that can exert influence (legal/kinetic/digital) over:

  Here:        .
  Here:     .ly.
  Here: .bit.ly.
The attack surface of freebsd.org is similar except there is a different set of actors that can exert legal influence over .org.

  Here:             .  # G/K/D same as bit.ly
  Here:         .org.  #   K/D same as bit.ly
  Here: .freebsd.org.  #   K/D same as bit.ly
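The comment above lists the zones whose operators sit on the chain of trust for bit.ly, and an earlier comment describes the resolver knobs (negative trust anchor, pinned KSK as a positive trust anchor) that bound how much you have to trust each of them. The following Python model, added here and not code from the thread or from any commenter, walks that chain for constructed zone data. It abstracts the protocol: an RRSIG is stood in for by an HMAC under the zone's key material and a DS record by the SHA-256 digest of the child zone's key, so nothing here is real DNSSEC wire format and no network is touched. The address 192.0.2.1 and all key bytes are constructed sample values.

```python
"""Toy model of the DNSSEC chain of trust '.' -> 'ly.' -> 'bit.ly.'.
Added example, not code from the thread. Assumptions: an RRSIG is stood in
for by HMAC-SHA256 under the zone key, a DS record by the SHA-256 digest of
the child zone's key, and all zone data below is constructed sample data."""
import hashlib
import hmac


def key_digest(key: bytes) -> str:
    """Stand-in for a DS record: digest of the (child) zone's key."""
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, name: str, rtype: str, value: str) -> str:
    """Stand-in for an RRSIG: MAC over one record under the zone key."""
    msg = f"{name}|{rtype}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_zone(key: bytes, records: dict) -> dict:
    """records maps (owner, rtype) -> value; every record gets 'signed'."""
    signed = {k: (v, sign(key, k[0], k[1], v)) for k, v in records.items()}
    return {"key": key, "records": signed}


def parent_zones(name: str) -> list:
    """Zones whose operators sit on the chain of trust for `name`."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(zones, name, rtype, anchors, insecure=frozenset()):
    """Walk from the root trust anchor down to `name`.
    anchors:  {zone: key digest} positive trust anchors (the root pin is required)
    insecure: zones carrying a negative trust anchor; validation stops there
    Returns (status, value) with status in {'secure', 'bogus', 'insecure'}."""
    chain = parent_zones(name)
    leaf = zones.get(chain[-1])
    expected = anchors.get(".")
    for i, zone_name in enumerate(chain):
        if zone_name in insecure:
            rec = leaf["records"].get((name, rtype)) if leaf else None
            return ("insecure", rec[0] if rec else None)
        zone = zones.get(zone_name)
        if zone is None:
            return ("bogus", None)
        # a pinned KSK for this zone overrides whatever DS the parent published
        expected = anchors.get(zone_name, expected)
        if expected is None or key_digest(zone["key"]) != expected:
            return ("bogus", None)
        for (owner, rt), (val, sig) in zone["records"].items():
            if not hmac.compare_digest(sig, sign(zone["key"], owner, rt, val)):
                return ("bogus", None)
        if i + 1 < len(chain):  # DS the parent publishes for the next zone down
            ds = zone["records"].get((chain[i + 1], "DS"))
            expected = ds[0] if ds else None
    rec = leaf["records"].get((name, rtype))
    return ("secure", rec[0]) if rec else ("bogus", None)


# Constructed key material and zone contents (not real keys or zones).
ROOT_KEY, LY_KEY, BITLY_KEY, OTHER_KEY = b"root-key", b"ly-key", b"bitly-key", b"other-key"
HONEST_BITLY = make_zone(BITLY_KEY, {("bit.ly.", "A"): "69.58.188.39"})
SUBSTITUTED_BITLY = make_zone(OTHER_KEY, {("bit.ly.", "A"): "192.0.2.1"})
ROOT_ANCHOR = {".": key_digest(ROOT_KEY)}


def build_zones(ly_ds_for_bitly: str, bitly_zone: dict) -> dict:
    return {
        ".": make_zone(ROOT_KEY, {("ly.", "DS"): key_digest(LY_KEY)}),
        "ly.": make_zone(LY_KEY, {("bit.ly.", "DS"): ly_ds_for_bitly}),
        "bit.ly.": bitly_zone,
    }


def honest_lookup():
    zones = build_zones(key_digest(BITLY_KEY), HONEST_BITLY)
    return validate(zones, "bit.ly.", "A", ROOT_ANCHOR)


def tld_substitutes_ds():
    """Whoever controls 'ly.' publishes a DS for a different key and serves a
    bit.ly zone signed with it: the chain from the root still validates."""
    zones = build_zones(key_digest(OTHER_KEY), SUBSTITUTED_BITLY)
    return validate(zones, "bit.ly.", "A", ROOT_ANCHOR)


def pinned_ksk():
    """Positive trust anchor for bit.ly: the substituted key is now rejected."""
    zones = build_zones(key_digest(OTHER_KEY), SUBSTITUTED_BITLY)
    return validate(zones, "bit.ly.", "A", {**ROOT_ANCHOR, "bit.ly.": key_digest(BITLY_KEY)})


def negative_anchor():
    """Negative trust anchor for 'ly.': answers come back unvalidated, not bogus."""
    zones = build_zones(key_digest(OTHER_KEY), SUBSTITUTED_BITLY)
    return validate(zones, "bit.ly.", "A", ROOT_ANCHOR, insecure={"ly."})


if __name__ == "__main__":
    for fn in (honest_lookup, tld_substitutes_ds, pinned_ksk, negative_anchor):
        print(f"{fn.__name__:20s} -> {fn()}")
```

The four scenario functions map onto the thread: a DS substitution at the TLD validates cleanly from the root anchor, which is the point that the attack surface is every zone on the chain, not just the root KSK; a pinned KSK for bit.ly turns that into a bogus result; a negative trust anchor for the TLD gives back an insecure (unvalidated) answer, which is what unsigned .ly returns today. In unbound.conf the corresponding options are `domain-insecure:` for a negative trust anchor and `trust-anchor:` or `trust-anchor-file:` for a pinned key.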



