[4270] in cryptography@c2.net mail archive
high availability domains, dns, eternity
daemon@ATHENA.MIT.EDU (Adam Back)
Wed Mar 3 19:36:07 1999
Date: Wed, 3 Mar 1999 22:03:10 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Cc: cryptography@c2.net
Cc: eternity@internexus.net
If we take the goal of information availability as defined by Anderson
in his eternity paper [1] one of the sub-goals should be the
resistance of the domain or URL to attack.
The aim of the attacker is to reduce the availability of the
information the publisher wishes to make permanently available. The
attackers in the scenario Anderson discusses are governments and high
resource attackers such as large corporations.
An attacker managing to effect the revocation (by any available
technical, legal or extra-legal means) of the URL or domain reduces
the availability of the information.
Domain systems like Goldberg and Wagner's TAZ, and the hash based name
system I proposed some time ago for my prototype USENET based eternity
[2], try to address issues such as this.
I think it would be useful to try to design systems which interface
with the existing DNS system, but try to be much more resilient to
political attack than the existing system.
Space should be made within the DNS system for domains which are not
only declared explicitly first come first served as the .to (Tonga,
out of a US embassy) domains are, but which are designed to be
resistant to such attacks should governments make attempts to revoke
selected domains.
So, with this motivation, here is a simple candidate design:
A domain consists of the tuple of (domain, ip, pk, sig), where pk is
the public key used to authenticate the binding between domain name
and ip address, sk is the private half of the key retained by domain
name owner, and sig is a signature made by sk on the authenticated
data, the tuple (domain, ip, pk).
There are one or more a root domain servers which delegate domain
managment to second level domains. Second level domains delegate to
third level servers etc.
The property we want to provide is that once a tuple (domain, ip, pk,
sig) has been published, it is not possible for the servers to at a
later date change or remove the tuple without obtaining permission (a
fresh signature) from the owner of the private key sk.
To achieve this we use hash tress on the domain servers to publish a
master hash for each domain server, which is mirrored extensively by
servers and optionally DNS clients, and perhaps published in
newspapers, the Global Internet Trust Register [3], etc periodically..
Each domain servers hash is computed over it's previous server hash,
all current domain tuples, and the server hashes of any delegated
sub-domains.
We can define an integrity verification protocol where a third party
can verify that a given server has accepted only owner authenticated
changes. The integrity verification protocol is that each DNS server
must present on demand the current server hash, plus a set of domain
entry changes since the requesters chosen previous server hash, to
enable the requester to verify that no non-owner authenticated changes
have taken place.
The Domain Name resolution protocol proceeds is as normal with the
exception that if a DNS server finds that a given server has
invalidated it's server hash and become a rogue server (by performing
domain updates or deletions without a valid signature from the domain
owner) it should use other alternate domain servers at the same level
in preference.
Alternate resolution process
More complex name resolution protocol and integrity verification
protocols which continue to make use of rogue servers could be
designed as follows. If we work under the less optimistic presumption
that rogue servers will exist, and that other servers will be forced
to still use the lookup services of the rogue server due to lack of
independent mirrors. In this scenario the rogue server will chose
some technical mechanism to embody it's rogue behaviour, it must
define an alternate hash tree function. It may for example locally
decree a signature from a chosen local court is considered valid as
well as domain owners.
DNS servers setup partial mirrors of rogue servers, which mirror only
the non-owner authenticated domains. The modified domain name
resolution protocol is to use partial mirrors before the main domain
server. The modified integrity verification protocol is to use the
rogue domains server hash to verify the integrity of the owner
authenticated subset of it's served names, and the partial mirrors to
verify the integrity of the rogue servers non-owner authenticated
served names.
There are some limitations to the above scheme: it adds the overhead
that the domain servers must store more information as they need to
store some historic data. It may be that periodically, agreed
globally verified server hashes could be published and that historic
data before this could be purged.
A limitation is that the system relies upon ad-hoc delegation of
partial mirrors.
The system as proposed above does not defined a integrity verification
protocol for individual domain requests. If a DNS client makes a
request for a domain that it has not used before, the server could lie
to it.
If a DNS client makes a request for a domain that it has used before,
it could cache or store the domain / public key binding and detect
rogue domain updates.
Adam
[1] `The Eternity Service', Ross Anderson,
http://www.cl.cam.ac.uk/users/rja14/eternity/eternity.html
[2] Eternity Server, Adam Back,
http://www.dcs.ex.ac.uk/~aba/eternity/announce.txt
http://www.dcs.ex.ac.uk/~aba/eternity/
[3] The Global Internet Trust Register
http://www.cl.cam.ac.uk/Research/Security/Trust-Register/
