back to article DNSSEC: the internet's International Criminal Court?

The DNSSEC protocol could have some very interesting geo-political implications, including erosion of the scope of state sovereign powers, according to policy and security experts. “We will have to handle the geo-political element of DNSSEC very carefully,” explained Peter Dengate Thrush, a New Zealand patent attorney and …


This topic is closed for new posts.
  1. Pete 8


    It will make it harder for countries to censor or block, so they will have to ask Uncle Sam to do it for them.

    1. Ken Hagan Gold badge

      Re: So

      Since not all the root servers are on US territory, and hardly any of the country code TLDs are, I think Uncle Sam is no better placed than before to start censoring (say) Russian or Chinese traffic.

  2. Anonymous Coward

    Mandatory surveillance for everybody, now named "DNSSEC"

    "DNSSEC standard – which allows Internet servers to confirm that data sent over the Internet came from a specific source "

    Making RIAA/MPAA happy.

    That's the primary function of this "standard".

    Of course this "standard" will be mandated from US, so no dissidents in EU or elsewhere allowed. This will make NSA happy and no need to ask anybody else.

    1. Jim Morrow

      more DNSSEC FUD

      does it fuck. secure dns means you can verify answers from the dns. so if was signed, the world would be able to prove that the ip address of the web server really was what the dns admin said it was.

      and it's not being mandated from the us either. the first top-level domain to be signed was sweden.

    2. prathlev

      @AC 04:17

      Please read up on what DNSSEC is. It gives the client a cryptographically safe way of determining if the DNS answer came from a "trusted" source, just like SSL certificates.

      It will not make it any easier to track you (yes YOU Derek) on the Internet than it already is.

  3. Anonymous Coward

    Easy to imagine what will happen.

    “will change the Internet in ways we can not yet imagine."

    Yes we can: It will be like TV now: No sending anything without permission from state and everybody having an IP must registered in local police office or else: 10 to life in prison.

    Also sendings are thoroughly controlled by state and media moguls, individuals are not allowed to send anything, it will be a crime.

    Do not underestimate laws that money can buy: Every copyright law in existense is bought by heavy bribery and are those guilty prosecuted or even investigated?

    No, of course not. Bribery on the highest level is the norm, not the exception: These are the people how are immune to bribery charges and so they take so much as they can, while they are that position.

    That's why they want a very, very small amount of people administering this so called secure DNS: Much cheaper to buy 10 people than 100.

  4. Anonymous Coward
    Thumb Down

    Let me guess

    That's part of the Obama's plan to re-gain control over the internet? So that only the US can fake DNS replies (using certificates gained via administrative subpoenas)?

  5. Christian Berger

    Come on people

    This is just DNS not the internet. DNS already was a semi-closed hirarchical system governed by politics. So not much will change, other than DNS-spoofing will get somewhat harder. Therefore many forms of internet censorship will, too.

  6. amanfromMars 1 Silver badge

    Howlers and Gems, ... an Odd Mix in Support of Reciprocal Need Feed.

    "“The Internet has the capacity to dilute some aspects of sovereignty,” he said, " ....... I would like to propose that as the Misunderestimation of the Virtual Age.

    Oh, by the way, the Internet and IT Boffins also have the facility to drain and redistribute it with some aspects of sovereignty which are critically and strategically Missing in Action/AWOL , which is totally consistent with Civil Service Guidance and Support of Royal Charade Great Game.

    With the Source of that Guidance and Support not Necessarily/Unnecessarily Known with ITs Being, Stealth Phantom Proxies into Greater Great Game Play Action.

    Sovereignty without Royal Action is a Ponzi and a Fraud Perpetrated by Petrified Inaction Supplied by Public House/Royal Household Staff Intelligence.

    Fortunately, although somewhat disruptively, is Information for Intelligence Ubiquitous InterNetworking, and thus is All known to All who would Search to Know All and Discover instead the Knowledge Geyser ..... The Holy Grail for Advancing Intelligence ..... Quintessential Cosmic Source .... with Quantum Control of Communications and Sublime Prime Time PreTexting.

  7. Ken Hagan Gold badge


    Before the tinfoil brigade overwhelm this debate, let me point out something so obvious that the author didn't bother to state it explicitly. DNSSEC "allows Internet servers to confirm that data sent over the Internet came from a specific source", BUT ONLY DNS data.

    So all of you pirates distributing content in the optional advisory information at the end of DNS packets will have to switch over to a different scheme such as, oh I don't know, HTTP or BitTorrent.

  8. Anonymous Coward
    Anonymous Coward

    Real timely, that

    Could have, and bloody well should have, raised this well before. But too many techies use ``it is a political issue'' as an excuse to not think about the consequences. Thanks so much, Dan.

    When will America wake up to the fact that American Government and American Commercialism are not world wide gold standards for trust? Especially for the internet, which still is a cooperative and still has ``the community'' as gold standard. DNSsec owned by the USoA government (however indirectly) and run by a by-definition-and-provably-too crooked US company isn't just disagreeable for China. Going about it this way is a short-sighted and short-term ``fix'' that simply won't do in the long term. Running out of IPv4 space is much, much easier to fix even should we have to go back to the drawing board first because IPv6 suffers from massive second system defects. Despite all the politicking there, it's mostly a technical issue. DNSsec, by contrast, opens the floodgates of distrust and conspiracy theories. And we all know what that means on the internet.

    1. Jim Morrow

      more DNSSEC FUD

      dnssec is not owned by the us government. the protocol is controlled by the ietf. implementing and operating it is an opt-in process. nobody can force you to use dnssec or sign your zones. it's not "run by a by-definition-and-provably-too crooked US company" either. you'd know this if you had the slightest clue about how dnssec or how it is being handled at the root.

      access to the root zone's dnssec material is shared by a group of trusted community representatives. this is designed so that (a) no one person or organisation has "control"; (b) everyone can have confidence in how the root zone gets signed. take a look at

      oh and btw your comments about ipv6 are utter bullshit. besides, there's no time to "go back to the drawing board" and fix whatever you claim is broken in ipv6. strange nobody else is suggesting ipv6 is so badly broken and needs radical overhaul. oh well.....

      the world runs out of ipv4 in about 2 years. that's not long enough to get a new fundamental protocol specification out of the ietf. and once that's done the real work begins: there's the time for implementing the new protocol, conformance and interoperability testing, deploying and operating it, inventing a way to distribute addresses, extending routing protocols and router configurations to deal with the new protocol, adding new address records to the dns, getting name/web/whatever servers use these new addresses, etc, etc.

      i suggest you get yourself a second tinfoil hat. one is clearly not enough to deflect the mind control rays that emanate from your arse.

      1. Anonymous Coward
        Anonymous Coward

        Aw shucks

        The only governmental body that has its tentacles in the root zone is, by various ways, still THAT one. Not the just-short-of-200-odd other ones, that one. That alone is enough to make the thing highly suspicious. I don't really care how you think that particular threat is mitigated. It's there, that's enough. No, I'm not advocating any other government or governmental body take over. The only alternative I'd consider fit for purpose is something like a community-elected council.

        Seeing the general level of knowledgeability here it's not surprising that the finer points are regularly lost on the audience, and oh yeah, most of the hard parts are politics, causing techies' eyes to glaze over, as evidently did yours. IPv6 does have a couple problems, deep nasty design ones, that are popping up now that widespread deployment on an unfriendly internet is imminent. I was actually attended to some of them by someone who does traffic engineering for a living.

        You drank the kool-aid, alright. I didn't. You don't have to agree that the things coming up on the road ahead are in fact bears. The USoA may be the world's best friend too.

  9. Anonymous Coward

    hotsport/captive portals?

    ..and how will this system mess up clients who are directed to eg secure captive portals when they try to join a wireless network (thinking your classic coffeeshop/BTopenzone etc places?

    i do a lookup for and get directed to with some plain DNS answer but my client is expecting the DNS to be properly signed et al?

    thats a LOT of interesting side effects that we network admins will have as headaches next year :-(

  10. Paul Landon

    Any others

    First "the Internet’s root, with an expansion out to dot-edu, then dot-net and finally to the dot-com registry".

    Are there any other registries? ;)

  11. Anonymous Coward

    Consume or be damned

    Who collects the "lost sovereignty" ? Is there another color recycle trash bin for that ?

    If Google buys Greece then Google becomes Greece, not the other way around. Somebody needs to tell the movers and shakers in the Davos crowd that Davos just plain likes rich stupid tourists at that time of year, but act like that any other time and the kitchen staff will spit in your food.

    This "lost sovereignty" thing is another multi-national corporation nocturnal emmission.

  12. Peter 39

    up the wrong tree

    Folks - put the conspiracy theories aside. This is to make sure that DNS data is correct.

    Were none of you awake when DNS-cache-poisoning was rampant? Does no-one remember the problem about port predictability?

    There are things that can possibly compromise DNS lookups and this solves some of them.

    There may well be evil plots being hatched but *this* is not one of them.

  13. stupormundi

    dengate thrush

    what an awesome name

This topic is closed for new posts.