Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

bert hubert <bert.hubert@netherlabs.nl> Fri, 08 August 2008 08:58 UTC

Date: Fri, 08 Aug 2008 10:54:30 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: sthaug@nethelp.no
Cc: duane@e164.org, denic@eng.colt.net, namedroppers@ops.ietf.org
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Message-ID: <20080808085430.GC6566@outpost.ds9a.nl>
References: <489BF4C8.9000309@e164.org> <B786FB32-89AB-412E-A502-1CEB9A404041@eng.colt.net> <489C0370.4080502@e164.org> <20080808.104957.74720707.sthaug@nethelp.no>
In-Reply-To: <20080808.104957.74720707.sthaug@nethelp.no>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

On Fri, Aug 08, 2008 at 10:49:57AM +0200, sthaug@nethelp.no wrote:

> probability of spoofing - but as has been pointed out many times here,
> this is not a *solution*. It mitigates the problem, it doesn't solve
> it.

Mitigation to the point where it will take a million years is effectively a
solution against spoofing.

People with sufficiently powerful computers could also break DNSSEC
security.

This is equally likely to take a million years, although I haven't studied
the effective key lengths that fit in DNS.

I'll repeat the mantra that DNSSEC protects against more than spoofing.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
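To make the "million years" argument above concrete, here is an added example (not from the thread or any of its authors) that models blind DNS forgery as guessing the unpredictable bits a resolver puts into each query, and asks how many bits are needed before the expected effort reaches a given number of years. The forged packet rate, the response window and the number of outstanding queries are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400

def success_probability(entropy_bits, window_s, forged_pps, outstanding=1):
    """Chance that at least one forged reply is accepted during one response
    window. Each forged packet is one guess at `entropy_bits` unpredictable
    bits (16 for the ID alone, about 32 with a random source port);
    `outstanding` identical queries in flight give each guess that many
    chances to match.
    """
    space = 2 ** entropy_bits
    guesses = window_s * forged_pps
    per_guess_miss = math.log1p(-min(1.0, outstanding / space))
    # 1 - (1 - q)^n, computed without cancellation for very small q
    return -math.expm1(guesses * per_guess_miss)

def expected_time_s(entropy_bits, window_s, forged_pps, outstanding=1):
    """Mean seconds until a forged reply is accepted, assuming a fresh query
    can be provoked after every window that fails (geometric trials)."""
    p = success_probability(entropy_bits, window_s, forged_pps, outstanding)
    return math.inf if p == 0 else window_s / p

def bits_for_target(target_years, forged_pps, outstanding=1):
    """Smallest entropy (bits) for which the expected effort is at least
    `target_years`, using the small-p approximation
    E[T] = space / (forged_pps * outstanding)."""
    needed_space = target_years * SECONDS_PER_YEAR * forged_pps * outstanding
    return math.ceil(math.log2(needed_space))

if __name__ == "__main__":
    # constructed scenario: 1000 forged packets/s, 100 ms response window
    for bits in (16, 32, 48):
        t = expected_time_s(bits, 0.1, 1000)
        print(f"{bits:2d} bits: expected {t / SECONDS_PER_YEAR:.3g} years")
    print("bits for a million-year expectation at 1000 pps:",
          bits_for_target(1e6, 1000))
```

The model is deliberately simple (no retransmit back-off, no rate limiting at the authoritative side), so it is an upper bound on the defender's exposure, not a prediction of any particular attack.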