EPIC Supports PIR DNSSEC proposal for .ORG
- To: pir-dnssec-proposal@xxxxxxxxx
- Subject: EPIC Supports PIR DNSSEC proposal for .ORG
- From: Marc Rotenberg <rotenberg@xxxxxxxx>
- Date: Sat, 24 May 2008 13:11:58 -0400
Comments of the Electronic Privacy Information Center (EPIC) on the
Public Interest Registry (PIR)'s proposed implementation of
DNS Security Extensions (DNSSEC) in .ORG
May 24, 2008
Washington, DC
Introduction
These comments provide the viewpoint of the Electronic Privacy
Information Center (EPIC) on DNSSEC in response to your Request for
Proposal on the Public Interest Registry's proposed implementation of
DNSSEC in .ORG, as mentioned on http://www.icann.org/announcements/announcement-23apr08.htm.
DNSSEC will significantly improve the authentication of the servers
that provide domain names and therefore the paths to websites and
other Internet services for end users. Whereas an Internet user with
unsecured DNS can only guess about the authenticity of the server
which provides his browser with the IP address for a given domain
name, with DNSSEC users can validate the identity of the DNS server.
This provides enhanced security for end users, as it becomes
increasingly difficult for criminals to act as a benign DNS server.
Phishing involves three steps: setting up a fraudulent web site to
collect information, getting people to go to the site (usually via
spam), and collecting the information. Directing users to the
fraudulent website becomes increasingly difficult if users only use
authenticated DNS servers.
EPIC has previously stressed the importance of privacy protection and
transparency for a wide range of Internet standards, including
Microsoft Passport, the P3P protocol, and WHOIS. Whether it is data
collection, processing, or dissemination, user privacy is served by
transparency of these services. EPIC supports the enhanced
transparency that DNSSEC provides. Our comments will focus on two
issues: policy surrounding DNSSEC; and DNSSEC technology. Section two
focuses on policy issues as the owner of the root zone key, user
transparency and education and the broadness of security DNSSEC
provides. In Section three, we focus on the most important technology
issue from a privacy perspective. EPIC provides a short conclusion and
recommendations in section four.
2. Policy surrounding DNSSEC
Fully inform users about the reach of the DNSSEC protocol
Transparency for the user about DNSSEC's processes is the first step
to creating a better understanding for users about how to use the
Internet and specifically browse the web more securely and safely. It
is important that users understand the extent to which DNSSEC improves
security on the Internet. Users should understand that DNSSEC
authenticates the mapping between the IP address and the DNS name, but
it doesn't verify the intent with which the DNS server issues the
address. In other words, a user could still be tricked into visiting a
malicious website by clicking on a domain name that looks like a
legitimate domain but is in fact not—for example, the domain
mybank-security.com instead of mybank.com. With DNSSEC a DNS server can also
still provide a spoofed IP address by simply not providing a digitally
signed response, or by providing a response with an incorrect
signature; users will need tools that can warn the user that a domain
name that is normally signed is suddenly not signed, or that the
signature is incorrect. The problems that users face here will be
similar to the problems that users face today when visiting websites
with invalid SSL certificates. EPIC is confident that future tools
will be able to do a better job protecting users using the security
information that DNSSEC will provide.
DNSSEC also does not assure that legitimate websites do not misuse the
user’s information once it is received. For example, DNSSEC does not
protect consumers against websites that receive confidential
information and then share it in violation of the site’s posted
privacy policy. Users should be informed that DNSSEC doesn't protect
against this type of fraud.
Promote transparency of DNSSEC for end users
The implementation of DNSSEC at the user interface is critical to how
users will experience DNSSEC's security and privacy features. Human
judgment is essential when users consider the implications of a
service on their privacy. Relying on a system alone, without human
judgment to utilize DNSSEC requests, makes the user vulnerable to
errors in the system. EPIC proposes the development and endorsement of
a transparent and user-friendly way to help users verify a DNSSEC
request and help them make judgments on the trustworthiness of other
requests. Such an interface would transport the transparency of
DNSSEC to the end user and allow him to make informed decisions
regarding security and privacy. An example of such a visualization is
the Firefox Drill extension: http://www.nlnetlabs.nl/dnssec/drill_extension.html.
Any entity that owns root zone should be transparent about its intents
and activities and be held accountable for its actions
The root zone provides the highest level of authentication on DNSSEC
from which lower zones derive their authenticity. The proposal now
states that PIR will self-sign the .ORG zone initially. As Bernard
Turcotte (president of the Canadian Internet Registration Authority)
pointed out, the owner of the root zone has significant power over the
DNS and DNSSEC. EPIC proposes that any entity owning or regulating the
keys in the root zone is transparent about its intent and activities
concerning DNSSEC and installs procedures to be held accountable for
its actions regarding DNSSEC.
3. Technology issues with DNSSEC
Attach NSEC3 to DNSSEC in .ORG and audit security of system
As presently envisioned, DNSSEC is set up to respond to a request for
a non-existent domain name with an authenticated denial of existence
report. EPIC stresses that information about which domain names do and
do not exist greatly increases the probability of security breaches.
The attachment of the NSEC3 protocol, which provides an encrypted
response to a query of a non-existent domain name, would guarantee
that information about which DNS names do and do not exist is not
returned to users in a way that increases the network's exposure to
security breaches. EPIC supports the proposed attachment of NSEC3 to
DNSSEC and we would like to stress that an audit of the security that
DNSSEC with NSEC3 provides is essential for increasing the security of
the DNS.
4. Conclusion
EPIC supports the PIR initiative to establish DNSSEC for the .ORG
domain. The implementation of DNSSEC for the .ORG domain is a
promising step to make the Internet more secure and transparent for
end users. EPIC supports this transparency, because users will be more
informed about the websites they are surfing, the FTP sites to which
they connect, and the mail servers through which they send messages.
EPIC has the following comments about implementing DNSSEC for the .ORG
domain:
- Fully inform users about the reach of the DNSSEC protocol
- Promote transparency of DNSSEC for end users
- Any entity that owns root zone should be transparent about its intents
  and activities and be held accountable for its actions
- Attach NSEC3 to DNSSEC in .ORG and audit security of system
EPIC hopes that the implementation of DNSSEC in the .ORG domain will
lead to a more secure and transparent way for end users to use the
Internet. We recommend a thorough evaluation of the implementation and
when the results are positive, research possible extensions of DNSSEC
to other domains on the Internet.
Marc Rotenberg, Executive Director
David Riphagen, Research Assistant
Electronic Privacy Information Center (EPIC)
Washington, DC.
www.epic.org
REFERENCES
ICANN Opens Comment Period on PIR's Proposed Implementation of DNSSEC
http://www.icann.org/announcements/announcement-23apr08.htm
Proposed PIR Amendment, (3.1c(i) of the .ORG Registry Agreement)
http://www.icann.org/tlds/agreements/org/proposed-org-amendment-23apr08.pdf
EPIC, DNSSEC
http://epic.org/privacy/dnssec/default.html
EPIC Alert, “.ORG to Pursue DNS Security Standard,” (May 15, 2008)
http://www.epic.org/alert/EPIC_Alert_15.10.html