If we take the goal of information availability as defined by Anderson in his eternity paper [1] one of the sub-goals should be the resistance of the domain or URL to attack. The aim of the attacker is to reduce the availability of the information the publisher wishes to make permanently available. The attackers in the scenario Anderson discusses are governments and high resource attackers such as large corporations. An attacker managing to effect the revocation (by any available technical, legal or extra-legal means) of the URL or domain reduces the availability of the information. Domain systems like Goldberg and Wagner's TAZ, and the hash based name system I proposed some time ago for my prototype USENET based eternity [2], try to address issues such as this. I think it would be useful to try to design systems which interface with the existing DNS system, but try to be much more resilient to political attack than the existing system. Space should be made within the DNS system for domains which are not only declared explicitly first come first served as the .to (Tonga, out of a US embassy) domains are, but which are designed to be resistant to such attacks should governments make attempts to revoke selected domains. So, with this motivation, here is a simple candidate design: A domain consists of the tuple of (domain, ip, pk, sig), where pk is the public key used to authenticate the binding between domain name and ip address, sk is the private half of the key retained by domain name owner, and sig is a signature made by sk on the authenticated data, the tuple (domain, ip, pk). There are one or more a root domain servers which delegate domain managment to second level domains. Second level domains delegate to third level servers etc. The property we want to provide is that once a tuple (domain, ip, pk, sig) has been published, it is not possible for the servers to at a later date change or remove the tuple without obtaining permission (a fresh signature) from the owner of the private key sk. To achieve this we use hash tress on the domain servers to publish a master hash for each domain server, which is mirrored extensively by servers and optionally DNS clients, and perhaps published in newspapers, the Global Internet Trust Register [3], etc periodically.. Each domain servers hash is computed over it's previous server hash, all current domain tuples, and the server hashes of any delegated sub-domains. We can define an integrity verification protocol where a third party can verify that a given server has accepted only owner authenticated changes. The integrity verification protocol is that each DNS server must present on demand the current server hash, plus a set of domain entry changes since the requesters chosen previous server hash, to enable the requester to verify that no non-owner authenticated changes have taken place. The Domain Name resolution protocol proceeds is as normal with the exception that if a DNS server finds that a given server has invalidated it's server hash and become a rogue server (by performing domain updates or deletions without a valid signature from the domain owner) it should use other alternate domain servers at the same level in preference. Alternate resolution process More complex name resolution protocol and integrity verification protocols which continue to make use of rogue servers could be designed as follows. If we work under the less optimistic presumption that rogue servers will exist, and that other servers will be forced to still use the lookup services of the rogue server due to lack of independent mirrors. In this scenario the rogue server will chose some technical mechanism to embody it's rogue behaviour, it must define an alternate hash tree function. It may for example locally decree a signature from a chosen local court is considered valid as well as domain owners. DNS servers setup partial mirrors of rogue servers, which mirror only the non-owner authenticated domains. The modified domain name resolution protocol is to use partial mirrors before the main domain server. The modified integrity verification protocol is to use the rogue domains server hash to verify the integrity of the owner authenticated subset of it's served names, and the partial mirrors to verify the integrity of the rogue servers non-owner authenticated served names. There are some limitations to the above scheme: it adds the overhead that the domain servers must store more information as they need to store some historic data. It may be that periodically, agreed globally verified server hashes could be published and that historic data before this could be purged. A limitation is that the system relies upon ad-hoc delegation of partial mirrors. The system as proposed above does not defined a integrity verification protocol for individual domain requests. If a DNS client makes a request for a domain that it has not used before, the server could lie to it. If a DNS client makes a request for a domain that it has used before, it could cache or store the domain / public key binding and detect rogue domain updates. Adam [1] `The Eternity Service', Ross Anderson, http://www.cl.cam.ac.uk/users/rja14/eternity/eternity.html [2] Eternity Server, Adam Back, http://www.dcs.ex.ac.uk/~aba/eternity/announce.txt http://www.dcs.ex.ac.uk/~aba/eternity/ [3] The Global Internet Trust Register http://www.cl.cam.ac.uk/Research/Security/Trust-Register/
