Re: DNSSEC is almost worthless!

Paul Vixie <paul@vix.com> Sun, 05 March 2006 19:17 UTC

From: Paul Vixie <paul@vix.com>
To: namedroppers@ops.ietf.org
Subject: Re: DNSSEC is almost worthless!
In-Reply-To: Your message of "Sun, 05 Mar 2006 11:58:17 EST." <440B18A9.4010407@connotech.com>
References: <440B18A9.4010407@connotech.com>
Date: Sun, 05 Mar 2006 19:15:51 +0000
Message-Id: <20060305191551.1397411425@sa.vix.com>
Sender: owner-namedroppers@ops.ietf.org

# In addition, the end-to-end cryptographic assurance is perhaps justified
# mostly because there are too many nameservers operating with BIND version
# prior to 8.4 (these are vulnerable to the DNS cache poisoning attack).

no part of the justification of DNSSEC relates to poison-susceptible name
server implementations.  any cache can be poisoned, including modern BIND9
or DJBDNS with all known anti-poison features enabled.

# TAKREM for DNSSEC (draft-moreau-dnsext-sdda-rr-01.txt,
# draft-moreau-dnsext-takrem-dns-01.txt) is *both* rigorous *and*
# efficient. Efficiency would be beneficial to DNSSEC deployment if there was
# value in DNSSEC to justify its deployment in the first place. About TAKREM
# rigor, the above suggests that the intrinsic security properties of TAKREM
# might appear as *lowering* the value of DNSSEC for governments.

i believe that we'll be able to resolve trust anchor management without
subjecting ourselves to anyone's IPR claims.  the first step toward this
will be to ignore known-encumbered technology.  an eventual step will be
to try to avoid submarine IPR with field surveys.  the final step will be
to fight (in the market and/or in the courts) the IPR holders who will
claim overbroad coverage for their IPR.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>