Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

DNSSEC – will the Trust Anchor Repository (TAR) make a difference?

June 20th, 2008

    … In making a large portion of the global Internet shift to the DNS root trust anchor that the US government intends to continue to oversee. This will support secure DNS resolution, however, at what price? Could it mean a further entrenchment of US national security interests in the current DNS structure? If so, how can this be avoided in the interest of the global user community?

Just so we are on the same page, DNSSEC is a public/private key system. This means that the owner of a DNS zone has:

– a private key and
– a public key.

Using the private key to digitally sign a zone will allow anyone with the zone’s public key to verify that data is authentic.

Accordingly, one must guard one’s private key carefully: if an attacker obtains it, the entire zone is compromised.

DNSSEC relies on a public/private key system, and managing the public keys (the trust anchors) in such a system typically does NOT scale well Internet-wide.

DNSSEC – Domain Name System (DNS) Security Extensions

Recently, some people have begun to discuss what can be done to improve the situation, and last year this report was published:

VeriSign’s DNS expert, Dr. Phillip Hallam-Baker’s comments on the IETF list – 2007-08-30

The above contribution describes the political implications of signing the root using DNSSEC. The author also called for sharing the signing authority.

The Politics of DNSSEC: The Light Begins to Dawn at IETF

The legitimate opinion that DNSSEC is *just* digital signatures on DNS entries should be supported by more precise procedural guidance on deployment at the root. If it is that easy to apply the technology in a policy-deprived way, I wonder who can tell me how to work it properly.

One response has come from the idea of using a Trust Anchor Repository, or DNSSEC-TAR for short. A paper was published this month explaining the challenges in a bit more detail:

A Trust Anchor Repository (TAR) refers to the concept of a DNS resource record store that contains secure entry point keys – here called trust anchors – for one or more zones. In turn, the TAR provides the means for a DNS validating resolver to fetch Trust Anchor information for a number of zones in some reliable manner without having to manage this information locally.

The reason for having a TAR in the first place is that, since DNSSEC has been deployed in an ad-hoc manner, the many so-called ‘islands of trust’ (e.g., Sweden’s .SE) need to be connected in a DNS world that is still largely unsecured.

For instance, .COM and the root zone remain unsigned for various economic and political reasons. As well, various actors interested in getting DNSSEC deployed widely have pushed for the TAR option.
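To make the chain-of-trust argument concrete, here is an added Python model (not code from this post or from the TAR paper) of a validating resolver checking example.se. under an unsigned root: first with no trust anchors, then with the .SE anchor fetched from a TAR, and finally against a substituted key that no longer matches the DS record. The zone names, the toy RSA keys on small primes and the record layout are constructed for illustration.

```python
import hashlib
# Toy RSA on small primes (constructed, NOT secure): stands in for the real RRSIG algorithms.
def keygen(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def ds_for(zone):  # DS record: hash of the child's DNSKEY, published and signed by the parent
    return f"{zone.name} DS {hashlib.sha256(zone.dnskey).hexdigest()}".encode()

class Zone:
    """A zone is signed if it has a key pair; an unsigned zone publishes no DNSSEC records."""
    def __init__(self, name, parent=None, primes=None):
        self.name, self.parent, self.pub, self.ds = name, parent, None, {}
        if primes:
            self.pub, self.priv = keygen(*primes)
            self.dnskey = f"{name} DNSKEY {self.pub}".encode()
            self.dnskey_sig = sign(self.priv, self.dnskey)          # self-signed key set
        if primes and parent and parent.pub:                         # signed parent delegates via DS
            parent.ds[name] = (ds_for(self), sign(parent.priv, ds_for(self)))

def validate(zone, anchors):
    """Chain-of-trust check: 'secure', 'insecure' (no path to an anchor) or 'bogus' (bad data)."""
    if zone.pub is None:
        return "insecure"
    if not verify(zone.pub, zone.dnskey, zone.dnskey_sig):
        return "bogus"
    if anchors.get(zone.name) == zone.pub:
        return "secure"                                   # configured anchor: chain ends here
    parent = zone.parent
    if parent is None or parent.pub is None or zone.name not in parent.ds:
        return "insecure"                                 # island of trust with nothing above it
    ds, ds_sig = parent.ds[zone.name]
    if ds != ds_for(zone) or not verify(parent.pub, ds, ds_sig):
        return "bogus"
    return validate(parent, anchors)                      # DS links this key to the parent's key
# Constructed 2008-style tree: root unsigned, .SE a signed island, example.se. signed beneath it.
root = Zone(".")
se = Zone("se.", root, (1000003, 1000033))
example = Zone("example.se.", se, (1000037, 1000039))
def without_tar():        # resolver with no local anchors: the island cannot be reached
    return validate(example, {})
def with_tar():           # resolver that fetched the .SE anchor from a TAR
    return validate(example, {"se.": se.pub})
def tampered_key():       # a substituted example.se. key no longer matches the DS held by .SE
    fake = Zone("example.se.", None, (1000003, 1000039)); fake.parent = se
    return validate(fake, {"se.": se.pub})
```

The TAR changes nothing about the signatures themselves; it only supplies the anchor for the island that an unsigned root cannot vouch for.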

Nevertheless, the above report, together with the post about it linked below, raises a few questions about the practicability of this approach:

Will a Global TAR make DNSSEC stick?

Care to leave a comment below? How do you see it: progress, failure or difficulties? Please share.

Additional resources about DNSSEC – check them out:

– InfoSec – follow us on Twitter, or sign up here for our alerts about zero-day exploits and our newsletters
– NIST Domain Name System Security (DNSSEC) Project
– Internet Governance Project – search for DNSSEC material

What we released on Twitter today – ENISA white paper:


Tags: begins · dawn · dnssec · ietf · light · politics