14 DNS Nerds Don't Control The Internet


You’re reading this page because you’ve suggested that “14 people control the Internet through the DNSSEC root keys”. If you’re unlucky, you might be a journalist preparing a story about those people. Stop!

DNSSEC doesn’t do anything. Dramatic ceremonies notwithstanding, if the secret DNSSEC keys leaked on Pastebin tomorrow, it’s unlikely that anything would break.

Practically all commerce on the Internet happens without DNSSEC. Web browsers don’t support it, or DANE, the DNSSEC-based replacement for certificate authorities. Most DNS domains don’t either. If you log in to your online banking and wire money to Transnistria, no DNSSEC will happen.

Maybe you have a source suggesting otherwise. Ask them to be specific. For instance: of the 5 largest US banks, which of them are enrolled in DNSSEC? After reading this, I’ll bet you can guess the answer. Are the banks just stupid? No: they have some of the best security teams in the world, and they think DNSSEC is a bad idea.

Isn’t it a big deal that the Internet’s DNS lookups are protected? Nope. The architects of the web’s security protocols assumed that the DNS would be insecure. When technologists discuss “certificates” and “certificate authorities” (and “HSTS” and “HPKP”, and I can go on but I won’t), they’re talking about cryptography built to work around the insecure DNS. The Internet works fine without DNSSEC.

Of course, this pretty much has to be true. .COM didn’t support DNSSEC until Spring 2011. Global commerce migrated online many years before that. If DNSSEC is so important, how did this stuff work before 2011?

If DNSSEC is so pointless, why do people care about it so much?

A funny thing happened between 1994 and 2011, while the IETF worked furiously to design DNSSEC: we figured out how to secure the Internet without securing the DNS. The market moved faster than the standard, and the standard was left struggling for a reason to exist. Hundreds of people have invested their reputations in DNSSEC and are loath to see it fail. That’s unfortunate. But it’s also one of the oldest stories in technology standards.

There’s a real story in DNSSEC, but it’s not a happy one. To justify DNSSEC, standards groups hatched a plan to move the web’s security certificates into the DNS. With a secure DNS, the logic went, we’d no longer need to pay certificate authorities for SSL certificates. This scheme is called DANE.

DANE gives the power to create security certificates to whoever controls the DNS. The cryptographic keys in those certificates are an obstacle to government-sponsored dragnet surveillance. With DANE, guess who controls the certificates? Had DANE been deployed while he was alive, Muammar Gadaffi would have controlled the keys for BIT.LY. For GOOGLE.COM and APPLE.COM, that’d be the United States Government.
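To make the DANE point concrete, here is an added example (mine, not code from the original post) of what a DANE TLSA record actually is: a hash of a certificate or public key, published in the DNS under `_443._tcp.<host>`, per RFC 6698. With the DANE-EE usage (3), a client accepts whatever key matches the published hash and consults no certificate authority at all, so the party that publishes the zone decides which key is valid. The certificate and SubjectPublicKeyInfo bytes below are constructed placeholders, not real DER, and `example.test` is an assumed hostname.

```python
"""Added example (not from the original post): build, parse and check DANE TLSA
records with the standard library only. The cert/SPKI bytes are constructed
stand-ins for DER, which is enough to show how the binding works."""
import hashlib
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders (hypothetical, not real certificates or keys).
SITE_CERT = b"constructed DER certificate for example.test"
SITE_SPKI = b"constructed SubjectPublicKeyInfo for example.test"
OTHER_CERT = b"constructed DER certificate chosen by the zone publisher"
OTHER_SPKI = b"constructed SubjectPublicKeyInfo chosen by the zone publisher"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"

    def presentation(self) -> str:
        # Presentation format as it appears in a zone file: "3 1 1 <hex>".
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    # TLSA records live under _port._proto.host (RFC 6698 section 3).
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    # Selector picks what is bound (whole cert or just the public key);
    # matching type picks how it is represented (raw, SHA-256, SHA-512).
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = 3,
              selector: int = SELECTOR_SPKI,
              matching_type: int = MATCH_SHA256) -> TLSARecord:
    # The common deployment is "3 1 1": DANE-EE, SPKI, SHA-256.
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert_der, spki_der, selector, matching_type))


def parse_tlsa(rdata: str) -> TLSARecord:
    # Inverse of presentation(); tolerates the spaced hex some tools emit.
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    # A usage-3 record matches if the presented cert/SPKI hashes to the
    # published data. No CA signature is consulted, which is the point of
    # usage 3: the zone's say-so is the whole trust decision.
    for r in records:
        if r.usage != 3:
            continue
        if association_data(cert_der, spki_der, r.selector, r.matching_type) == r.data:
            return True
    return False


if __name__ == "__main__":
    owner = tlsa_owner_name("example.test")
    published = make_tlsa(SITE_CERT, SITE_SPKI)
    print(f"{owner} IN TLSA {published.presentation()}")
    print("site key accepted:", dane_ee_accepts([published], SITE_CERT, SITE_SPKI))
    # If the zone publisher swaps the record, a different key is what validates.
    swapped = make_tlsa(OTHER_CERT, OTHER_SPKI)
    print("site key accepted after swap:", dane_ee_accepts([swapped], SITE_CERT, SITE_SPKI))
    print("publisher's key accepted after swap:", dane_ee_accepts([swapped], OTHER_CERT, OTHER_SPKI))
```

The two runs at the bottom are the mechanism behind the sentence above: nothing in a DANE-EE check distinguishes the site operator's key from any other key, except which hash the zone currently serves. Defensively, that is why a DNSSEC-signed zone's signing keys (and the registrar and registry above it) become exactly as sensitive as a CA's issuing key would be.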

DNSSEC is the world’s most ambitious key escrow scheme: a backdoor that hands over control of Internet cryptography to world governments. Thankfully, it’s also a total market failure. We should hope it stays that way.


You can read more ominous DNSSEC nerdery here.