Verisign’s Patent Application for the Transfer of DNSSEC Domains could be a serious blow to the freedom of the internet.

DNSSEC is a strategy to prevent the compromising of DNS records by having DNS information digitally signed. DNSSEC isan extension of the DNS system used to help prevent Man-in-the-Middle and cache-poisoning attacks that unsigned DNS systems are vulnerable to.

DNSSEC is not new, it is defined in RFC 4033, RFC 4034, and RFC 4035 which were released on 2005. And Verisign has been a very big part of this development, but until now their only commercial advantage has been the fact that they are a Certification Authority and sell their ability to sign Digital Certificates – along with other trusted Certificate Authorities. The way I see it is that if Verisign are granted this patent, it would mean that Verisign has the monopoly on signing the Digital Certificates that can be used in the DNSSEC system.

Now I have to admit that reading patent applications is not my greatest strength, but it seems their argument is that the chain of validation across the DNS system can only be guaranteed if there is a common Certificate Authority. Here is the Abstract of the patent application:

Systems and methods of transferring a DNSSEC enabled domain from a losing hosting provider to a gaining hosting provider are described in which the transfer of the domain may be achieved without disruption to a DNSSEC validation of the domain. Systems and methods, such as those directed to registry and/or registrar servers, may include transferring a DNSKEY or Delegation Signer (DS) record from a gaining hosting provider to a losing hosting provider prior to transferring the domain from the losing hosting provider to the gaining hosting provider. A gaining hosting provider may sign DNS records of the domain with the gaining hosting provider DNSKEY prior to transferring the domain from the losing hosting provider to the gaining hosting provider. Additionally, a registry server, or similar device, may be configured to act as an intermediary between the losing hosting provider and the gaining hosting provider during the transfer process.

Which to me is not much more than a brief description of DNSSEC. Paragraph 12 presents the picture:

Although protocols have been developed for the deployment of DNSSEC, including the use of KSKs and ZSKs, there are numerous aspects of operating DNSSEC enabled domains, at the registrar and registry levels, that have mot been addresses and/or optimized for large scale use. Accordingly, there are ongoing needs to further improve the functionality and/or efficiency of operations related to DNSSEC management.

The patent makes 32 claims of such improvements – and to be honest, I don’t understand DNSSEC well enough to judge just how radical these claims are, I’d be happy for someone else to do that analysis – or if they find such an analysis – please post a comment.

[Update: Alexander Gurvitz has done a great comparison between summary of the process Verisign “invented”, as it is described in the patent application, and the process as it is described in the “Changing DNS Operators for DNSSEC signed Zones” IETF draft]

The end of the FREE Internet?

Perhaps the greatest significance of this event is not that Verisign may gain control of the DNSSEC system, but that a fundamental future piece of the the Internet has been proposed (some might say hijacked) by way of a patent rather than a common standards body like the IETF, ITU or IEEE.  Is this the way of the future? There are proponents who suggest that patents are the only way we can truly protect the Internet from unscrupulous hackers.  They may be right – and this little patent application may well be the beginning of the New Proprietary Internet!