The Canadian Who Holds the Key To the Internet

drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."

Really two different halves

[XanC]

The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.

You might want to look up Dan Kaminsky

[gearloos]

I just heard a pretty good talk on DNSSEC at Blackhat and it wasn't quite like this... I'll leave it at that.

Re:Really two different halves

[crossmr]

if their Internet services stopped working

This wouldn't happen.
While Domain name resolution would stop working, if there was some kind of emergency situation, lists could be published of ip addresses for each site.
Domain name resolution is convenient it isn't required for operation.
The government of the country in question could also fire up their own DNS system and publicly publish the address for it so that citizens could use it.

Re:Not good

[hitmark]

that is a feature of IP, not a feature of DNS. The article is about DNS, or more specifically, about DNSSEC.

very few today use straight up IP addresses to access a service (heck, a lot of services are potentially housed under a single IP, but you get the one you want thanks to the browser telling the server what domain name you entered), and DNSSEC puts a extra layer of verification that you get the correct IP when you enter a domain name.

You couldn't just find everyone?

[Toad-san]

Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.

But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables. Especially if the IP host actually responded with some sort of ID?

For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."

Bidda boom, bidda bing.

Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.