The Politics of Alt Roots.

Today I started a small twitter dust-up with Dan Kaminski, Jacob Applebaum and others after Dan Kaminski asserted via Tweet that DV (Domain Validation) needed to be moved to DNSSEC. I just couldn't let that one go by without chiming in.

Alt-Roots are to the DNS like Nuclear Weapons are to nations. They're big scary things that everyone around hopes will never ever be used -- but like the Nuclear Deterrent Alt-Roots are of extreme importance to internet geopolitical stability.

DNS is a simple system which is increasingly full of complicated politics. Some nations want to ban adult content (Saudi Arabia), others politically critical speech (Iran, China), hate speech (Canada), and linking to intellectual property (USA)... as nations we all have different thresholds for where free speech ends and censorship begins.

Right now, the USA and its delegates operate the root-zone, and most of the gTLDs. They generally wont agree to shut down specific gTLD ( ) domains based on the interests of other nations. However, a recent development has emerged where the US is shutting down domains for its own censorship policy goals -- that is to combat the crime of "contributory infringement of intellectual property" (eg hyper-linking to potentially unauthorized copyrighted works). This 'crime' isn't considered a crime in most parts of the world -- especially in Canada and in Spain. Yet, recently we've seen a Spanish domain removed from the Internet by the US in spite of its legality in our jurisdictions. Canadians are being blockaded from content that has not been found illegal in Canada and that has been specifically found legal in Spain. This seizure was an act performed as part of 'Operation in Our Sites', an action which I consider to be a US net sovereignty exercise.

The problem in this for me is that US doesn't own the root-zone, nor the GLDs -- rather, anyone can setup these infrastructures if they so choose. The ownership of these DNS properties is fiat -- that is, their only ownership legitimacy is in who agrees to use them.

Most of the Internet agreed a long time ago that we would use the US version of these properties because they had historically been doing a pretty good job. However, it hasn't all been roses and Canada has even withdrawn from ICANN and withheld funds in protest in the past due to some very questionable decision making. We've always been secure in the knowledge that we could revisit that US root decision later. This 'revisiting decision' is one of exploring alternative roots and when I recently ran for CIRA I proposed that CIRA begin to develop the infrastructure needed to deploy an alternative root, and run a public resolver service. Its policy I still believe CIRA should adopt and act upon.

Now, like the Nuclear Deterrent debate, some will argue this is dangerous. What happens if we were to actually employ an alt-root? It could, if operated cavalierly, damage the Internet in some serious ways and I don't think anyone wants to see a fractured DNS. But with that said, I think that an alt-root at CIRA is extremely important as a censorship deterrent and in a worst-case scenario where the US passes laws that effect policy in Canada, then it is an important facility for enforcing our net sovereignty. Certainly today it could be used to restore questionably seized domains like for Canadians.

So what does that have to do with Dan Kaminski, DNSSEC and DV (Domain Validation)? Well, first, the CA system today largely relies on DNS to prove ownership of a domain name. Certificate Authorities (CA's) generally send an email to the administrative contact of a domain name (found via the whois system) or require a DNS record with a verification code to be created for the domain. However, this validation activity is done from the network perspective of the certification authority. If the DNS system in their country says Joe Smith owns, then they can issue a certificate for Joe Smith as the rightful owner of That said, I'm not aware of any nation operating an official alt-root or of any CA's relying on it, however, its a capability purposefully built into the system.

Enter DNSSEC. DNSSEC is an attempt to secure the DNS system by creating a chain of validation starting at the browser or OS's 'stub resolver' and a "root trust anchor". If the resolver's end-users are using the US root as the trust anchor, then the ability to just create an alt-root is destroyed. You could launch one, but the majority of users software would see the DNS chain as damaged and connections to sites would fail. It would be chaos. Questions abound over the root-trust-anchor and this is one of the key reasons why no major browser or OS is validating DNSSEC today -- deciding on the root trust anchor model is a hugely political decision and not one to be taken lightly.

It seems natural to ask if the trust anchor can come from the ISP? Unfortunately not, since that's precisely the layer that DNSSEC is most meant to prevent network interference within. Thus, as we move to singular-trust anchored DNSSEC we also move away from our sovereignty insurance plan.

The tying of DV to DNSSEC validated domains remains dubious though as the end-user may not trust his DNS hierarchy and results in a gap between who the DNS thinks is legitimately and the real Rojadirecta in spain. The user cannot really decide not to use this infrastructure as there are as-yet no dnssec-operating alt-roots.

Enter TACK, Convergence, Moxie Marlinspike and what I think is the future of trust authentication. TACK, (Tethered Assertions for Certificate Keys) takes a more realistic view of the trust authentication world. It doesn't care what the DNS thinks, and allows the site operator, once introduced, to define a list of trusted authorities. The next time you visit, if the domain is disabled by the registry, you can simply add it back to your hosts file and continue to enjoy a secure experience as normal. It maintains the status quo separation of DNS, networking and trust assertions. It means that no matter who operates the DNS (or who filters it), you can always be secure in knowing you're talking to the same that you talked to yesterday, which is not the case with in-DNS certificates.

In the end, DNSSEC is an extremely valuable technology for securing DNS information provision, but I do not believe it can function as a CA facility given the varying network perspectives, lack of trust within the DNS system, and with the need for a legitimate alt-root option. Whats your take?