DHS Wants DNSSEC keys

9 Apr 2007

You might not know what DNSSEC is. That’s fine; most people don’t. The basic idea is to replace the horribly flawed security model of standard DNS without breaking backward compatibility. That’s DNSSEC in a nutshell. It works much the way SSL key-signing authorities do, but just for DNSSEC DNS servers.

Well, the illustrious and all-wise folks at the US Department of Homeland Security have apparently decided that they should have copies of the DNSSEC key-signing keys. Given that someone told them that these were the “cryptographic keys to the Internet,” it’s very understandable that they would drool over them.

I wonder how disappointed they’ll be if they succeed in commandeering a copy of the key-signing keys and then learn what they really are: merely the keys used to sign keys used by DNS servers which are authoritative for registered domains, and nothing more.

What’s next? Is DHS going to start demanding the key to every city, too?