EPIC Supports PIR DNSSEC proposal for .ORG
Comments of the Electronic Privacy Information Center (EPIC) on the Public Interest Registry (PIR)'s proposed implementation of DNS Security Extensions (DNSSEC) in .ORG
May 24, 2008
Washington, DC

1. Introduction
These comments provide the viewpoint of the Electronic Privacy Information Center (EPIC) on DNSSEC, in response to the request for public comment on the Public Interest Registry's proposed implementation of DNSSEC in .ORG announced at http://www.icann.org/announcements/announcement-23apr08.htm .
DNSSEC will significantly improve the authentication of DNS data, and therefore of the paths to websites and other Internet services for end users. With unsecured DNS, an Internet user can only guess whether the IP address that a resolver hands to his browser for a given domain name is the one the domain's owner actually published; with DNSSEC, a validating resolver checks the digital signature on the answer against the zone's published key and rejects answers that were forged or altered in transit. What DNSSEC authenticates is the data, not the server: a correctly signed answer is trustworthy whichever server relayed it, and an unsigned or badly signed answer for a signed zone is rejected whichever server sent it. This provides enhanced security for end users, because it becomes much harder for criminals to impersonate a legitimate DNS server or to poison a resolver's cache. Phishing involves three steps: setting up a fraudulent website to collect information, getting people to go to the site (usually via spam), and collecting the information. Directing users to the fraudulent website by tampering with DNS becomes far more difficult if users' resolvers accept only validated DNS answers.
EPIC has previously stressed the importance of privacy protection and transparency for a wide range of Internet standards, including Microsoft Passport, the P3P protocol, and WHOIS. Whether it is data collection, processing, or dissemination, user privacy is served by transparency of these services. EPIC supports the enhanced transparency that DNSSEC provides. Our comments focus on two issues: the policy surrounding DNSSEC, and DNSSEC technology. Section two addresses policy issues such as the ownership of the root zone key, user transparency and education, and the breadth of the security DNSSEC provides. In section three, we focus on the most important technology issue from a privacy perspective. EPIC provides a short conclusion and recommendations in section four.
2. Policy surrounding DNSSEC

Fully inform users about the reach of the DNSSEC protocol
Transparency for the user about DNSSEC's processes is the first step toward a better understanding of how to use the Internet, and specifically how to browse the web, more securely and safely. It is important that users understand the extent to which DNSSEC improves security on the Internet. Users should understand that DNSSEC authenticates the mapping between a DNS name and its IP address as published by the zone's owner, but it does not vouch for the intent of whoever registered that name. In other words, a user can still be tricked into visiting a malicious website by clicking on a domain name that looks like a legitimate domain but is in fact not, for example mybank-security.com instead of mybank.com; DNSSEC will happily authenticate the phisher's own address for the phisher's own domain. A DNS server can also still try to deliver a spoofed IP address by omitting the digital signatures from its response, or by providing a response with an incorrect signature. A validating resolver that has learned from the parent zone that the domain is signed will reject such an answer outright, but most stub resolvers and browsers in use today do not validate, so users will need tools that can warn them when a domain name that is normally signed is suddenly not signed, or when the signature is incorrect. The problems that users face here will be similar to the problems they face today when visiting websites with invalid SSL certificates. EPIC is confident that future tools will be able to do a better job of protecting users with the security information that DNSSEC will provide.
Promote transparency of DNSSEC for end users
The implementation of DNSSEC at the user interface is critical to how users will experience DNSSEC's security and privacy features. Human judgment is essential when users weigh the implications of a service for their privacy; relying on the system alone, with no way for the user to see whether an answer was validated, leaves the user exposed to errors in the system. EPIC proposes the development and endorsement of a transparent and user-friendly way to show users whether a DNS answer was validated with DNSSEC, and to help them judge the trustworthiness of answers that were not. Such an interface would carry the transparency of DNSSEC through to the end user and allow him to make informed decisions regarding security and privacy. An example of such a visualization is the Drill extension for Firefox, which indicates the DNSSEC validation status of the site being visited: http://www.nlnetlabs.nl/dnssec/drill_extension.html .
Any entity that owns the root zone should be transparent about its intents and activities and be held accountable for its actions
The root zone provides the highest level of authentication in DNSSEC, from which lower zones derive their authenticity. Because the root zone itself is not yet signed, the proposal states that PIR will initially self-sign the .ORG zone: there is no chain of trust down from the root, so validators will have to obtain .ORG's public key and configure it directly as a trust anchor, and PIR's handling of that key therefore deserves the same scrutiny a root key would. As Bernard Turcotte (president of the Canadian Internet Registration Authority) pointed out, the owner of the root zone has significant power over the DNS and DNSSEC. EPIC proposes that any entity owning or regulating the keys in the root zone be transparent about its intent and activities concerning DNSSEC and establish procedures by which it can be held accountable for its actions regarding DNSSEC.
3. Technology issues with DNSSEC

Attach NSEC3 to DNSSEC in .ORG and audit security of system
As presently envisioned, DNSSEC responds to a query for a non-existent domain name with an authenticated denial of existence. With the original NSEC record, that proof names the two existing domain names on either side of the one queried, so anyone can follow the chain from one record to the next and enumerate every name in the zone. EPIC stresses that such a complete list of which domain names do and do not exist is a reconnaissance aid that greatly increases the probability of security breaches. NSEC3 (RFC 5155) instead builds the chain from cryptographic hashes of the owner names, so a denial-of-existence response reveals only two hash values rather than the neighbouring names. It does not encrypt the response, and an attacker can still hash guessed names offline against the public salt, so NSEC3 raises the cost of enumeration rather than eliminating it; but it removes the ability to simply walk the zone, and so keeps information about which names do and do not exist from being handed out in a way that increases the registry's exposure. EPIC supports the proposed attachment of NSEC3 to DNSSEC, and we stress that an audit of the security that DNSSEC with NSEC3 provides is essential for increasing the security of the DNS.
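To make concrete what the NSEC3 recommendation changes, the following is an added example, not part of EPIC's comments or of PIR's proposal: a small Python model of both denial-of-existence chains over a constructed toy zone (example.org with four names, assumed for illustration). It builds the NSEC chain in RFC 4034 canonical order, the NSEC3 chain from hashed owner names as specified in RFC 5155 (using the salt aabbccdd and 12 iterations that appear in that RFC's appendix), and then answers the same query for a non-existent name from each chain. No signatures are generated; the point is only what the denial records themselves reveal to the querier.

```python
"""Authenticated denial of existence: NSEC versus NSEC3.

Added example, not part of EPIC's comments or PIR's proposal. The zone
contents are constructed for illustration. No RRSIGs are produced; this
models only the owner/next pairs carried by a denial-of-existence record.
"""
import base64
import hashlib

# Constructed toy zone (assumption: example.org holding four names).
ZONE_APEX = "example.org."
ZONE_NAMES = ["example.org.", "a.example.org.",
              "mail.example.org.", "staff-only.example.org."]


def labels(name):
    """Lower-cased labels of a domain name, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """RFC 4034 s6.1 ordering: compare label by label from the root;
    a parent name sorts before its children."""
    return [l.encode() for l in reversed(labels(name))]


def wire_format(name):
    """RFC 4034 s6.2 canonical wire form: length-prefixed lower-case
    labels terminated by the zero-length root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"


def covers(owner, nxt, key):
    """True if key lies strictly between owner and nxt. The last record of
    a chain points back to the first, so it wraps around the end."""
    if owner < nxt:
        return owner < key < nxt
    return key > owner or key < nxt


# ---- NSEC (RFC 4034): owner names in the clear ---------------------------

def nsec_chain(names):
    """(owner, next) pairs in canonical order; the last wraps to the apex."""
    o = sorted(set(names), key=canonical_key)
    return [(o[i], o[(i + 1) % len(o)]) for i in range(len(o))]


def walk_nsec(chain, apex):
    """Zone enumeration: follow 'next' pointers from the apex until they
    wrap. Every name in the zone is recovered without any guessing."""
    nxt, found, cur = dict(chain), [], apex
    while True:
        found.append(cur)
        cur = nxt[cur]
        if cur == apex:
            return found


def nsec_denial(chain, qname):
    """The NSEC record proving qname is absent (it names two real
    neighbours), or None if qname exists."""
    key = canonical_key(qname)
    for owner, nxt in chain:
        if key == canonical_key(owner):
            return None
        if covers(canonical_key(owner), canonical_key(nxt), key):
            return (owner, nxt)
    raise ValueError("a closed chain covers every absent name")


# ---- NSEC3 (RFC 5155): hashed owner names --------------------------------

# base32hex (RFC 4648 s7) obtained by re-lettering standard base32 output.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: SHA-1(wire name || salt), then 'iterations' rounds of
    SHA-1(previous digest || salt). 20 bytes -> 32 base32hex chars."""
    d = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):
        d = hashlib.sha1(d + salt).digest()
    return base64.b32encode(d).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt, iterations):
    """(hashed owner, next hashed owner) pairs. base32hex preserves the
    numeric order of the digest, so string order is the RFC's hash order."""
    h = sorted(nsec3_hash(n, salt, iterations) for n in set(names))
    return [(h[i], h[(i + 1) % len(h)]) for i in range(len(h))]


def nsec3_denial(chain, qname, salt, iterations):
    """The NSEC3 record covering H(qname), or None if qname exists. The
    querier learns two hashes, not the neighbouring names, and cannot step
    to the next record without guessing names to hash against the salt."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if h == owner:
            return None
        if covers(owner, nxt, h):
            return (owner, nxt)
    raise ValueError("a closed chain covers every absent name")


def demo(qname="secret.example.org."):
    """Deny the same absent name from both chains; also walk the NSEC chain."""
    salt, iterations = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A values
    nsec, nsec3 = nsec_chain(ZONE_NAMES), nsec3_chain(ZONE_NAMES, salt, iterations)
    return {"enumerated_by_nsec_walk": walk_nsec(nsec, ZONE_APEX),
            "nsec_proof": nsec_denial(nsec, qname),
            "nsec3_proof": nsec3_denial(nsec3, qname, salt, iterations)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the difference a registry is choosing between: the NSEC walk returns all four names, and the NSEC proof for secret.example.org. names mail.example.org. and staff-only.example.org. as its neighbours, while the NSEC3 proof consists of two 32-character hashes from which neither neighbour can be read off. The hash function takes the salt and iteration count from the zone's NSEC3PARAM, which are public, which is why the caveat about offline guessing in the paragraph above applies.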
4. Conclusion
EPIC supports the PIR initiative to establish DNSSEC for the .ORG domain. The implementation of DNSSEC for the .ORG domain is a promising step toward making the Internet more secure and transparent for end users. EPIC supports this transparency, because users will be better informed about the websites they are visiting, the FTP sites to which they connect, and the mail servers through which they send messages.
EPIC has the following comments about implementing DNSSEC for the .ORG domain:
Fully inform users about the reach of the DNSSEC protocol
Promote transparency of DNSSEC for end users
Any entity that owns the root zone should be transparent about its intents and activities and be held accountable for its actions
Attach NSEC3 to DNSSEC in .ORG and audit the security of the system

EPIC hopes that the implementation of DNSSEC in the .ORG domain will lead to a more secure and transparent way for end users to use the Internet. We recommend a thorough evaluation of the implementation and, when the results are positive, research into possible extensions of DNSSEC to other domains on the Internet.
Marc Rotenberg, Executive Director
David Riphagen, Research Assistant
Electronic Privacy Information Center (EPIC)
Washington, DC
www.epic.org

REFERENCES
ICANN, "ICANN Opens Comment Period on PIR's Proposed Implementation of DNSSEC," http://www.icann.org/announcements/announcement-23apr08.htm
ICANN, Proposed PIR Amendment (Section 3.1c(i) of the .ORG Registry Agreement), http://www.icann.org/tlds/agreements/org/proposed-org-amendment-23apr08.pdf
EPIC, "DNSSEC," http://epic.org/privacy/dnssec/default.html
EPIC Alert, ".ORG to Pursue DNS Security Standard" (May 15, 2008), http://www.epic.org/alert/EPIC_Alert_15.10.html