Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

David Conrad <drc@virtualized.org> Mon, 01 March 2010 17:16 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E39FD28C3E5 for <ietf@core3.amsl.com>; Mon, 1 Mar 2010 09:16:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r6N+jFOn8Z0E for <ietf@core3.amsl.com>; Mon, 1 Mar 2010 09:16:50 -0800 (PST)
Received: from virtualized.org (trantor.virtualized.org [204.152.189.190]) by core3.amsl.com (Postfix) with ESMTP id 0938328C10C for <ietf@ietf.org>; Mon, 1 Mar 2010 09:16:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 52A58ADCF92; Mon, 1 Mar 2010 09:16:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PhaXR4l+RCnC; Mon, 1 Mar 2010 09:16:48 -0800 (PST)
Received: from [10.96.18.220] (wlan39-020.mdr.icann.org [192.0.39.20]) by virtualized.org (Postfix) with ESMTP id 07C78ADCF87; Mon, 1 Mar 2010 09:16:48 -0800 (PST)
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: David Conrad <drc@virtualized.org>
In-Reply-To: <874c02a21003010834o49531071p29f4492cd149c1e7@mail.gmail.com>
Date: Mon, 01 Mar 2010 09:16:17 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <1A8B2E99-230A-4995-BD9B-0CF754A86289@virtualized.org>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org> <4B863571.40604@necom830.hpcl.titech.ac.jp> <a123a5d61002250614h36c51a42xebb54c3cc340829d@mail.gmail.com> <alpine.LFD.1.10.1002251151010.1697@newtla.xelerance.com> <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com> <874c02a21003010834o49531071p29f4492cd149c1e7@mail.gmail.com>
To: Joe Baptista <baptista@publicroot.org>
X-Mailer: Apple Mail (2.1077)
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 17:16:51 -0000

On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:
> Please remember the Kaminsky dns bug did not identify a security problem with the DNS but the UDP transport.

The problem Dan Kaminsky exploited is a known weakness in the DNS protocol, specifically that a 16-bit identifier space is too small. 

> DNScurve fixes the problem today without having to spend 15 more years getting it right.

Not really.  Ignoring for the moment that there is a limited amount of deployed software that supports DNScurve, DNScurve addresses the DNS protocol problem by protecting the channel of communication. It doesn't actually protect DNS data.

> And it does not cost a fortune to implement.

How much did it cost you to implement DNScurve?  Did you make your code open source or otherwise available?

> And DNSSEC does not solve the UDP issue.

Actually, DNSSEC does address the DNS protocol issue by ensuring any modification to DNS data can be identified.  In the DNSSEC world, it no longer matters how you get the DNS data or what channel the data comes over or how secure that channel is.  The same is not true of DNScurve.

> And that is the problem DNScurve fixes NOW.

DNSSEC is already deployed in 12 top-level domains and the root is in the process of being signed.  Multiple interoperable implementations of DNSSEC exist in production software.

> Together let's exercise some common sense and support draft-dempsky-dnscurve-01.

As has been pointed out on several occasions, DNSSEC and DNScurve are not mutually exclusive.  Of course, if you implement DNSSEC, the protections provided by DNScurve are superfluous (and the opposite isn't true), but that doesn't stop anyone from deploying both.

Regards,
-drc
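The distinction drawn above (DNScurve authenticates the channel to the server, DNSSEC authenticates the zone data itself) in runnable form, as an added example that is not part of the original message and not code from either project. It assumes a toy RRset type with a simplified canonical form, X25519 with AES-GCM as a stand-in for DNSCurve's Curve25519/XSalsa20-Poly1305 channel, Ed25519 as a stand-in for the RRSIG algorithms, constructed sample records for www.example., and its own function names (Scenarios, channelSeal, channelOpen, SignRRset, VerifyRRset).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RRset is a toy stand-in for a DNS RRset (assumed: one name, type and RDATA; no class, TTL or multiple records).
type RRset struct{ Name, Type, Data string }

// canonical is the byte string that is signed or carried through the channel. Real DNSSEC
// signs a canonical form of the whole RRset plus RRSIG header fields; this toy covers only name/type/data.
func (r RRset) canonical() []byte {
	return []byte(r.Name + "\x00" + r.Type + "\x00" + r.Data)
}

// must panics on setup errors (key generation, randomness) to keep the demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SignRRset is the DNSSEC-style protection: a signature over the data with the zone's private key.
func SignRRset(zoneKey ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(zoneKey, rr.canonical())
}

// VerifyRRset checks that signature with the zone's public key. No channel state is involved:
// the check is the same whether the bytes came over UDP, out of a cache, or through a hostile middlebox.
func VerifyRRset(zonePub ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(zonePub, rr.canonical(), sig)
}

// channelKey is the DNSCurve-style protection: a symmetric key from an X25519 exchange between the
// resolver's key and the server's long-term key (DNSCurve uses Curve25519 with XSalsa20-Poly1305;
// X25519 with AES-GCM stands in for it here).
func channelKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(mine.ECDH(peer)))
	return k[:]
}

// channelSeal encrypts and authenticates one packet; output is nonce||ciphertext.
func channelSeal(key, packet []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, aead.Seal(nil, nonce, packet, nil)...)
}

// channelOpen verifies and decrypts; any modification in transit fails here.
func channelOpen(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("short packet")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Scenarios contrasts the two designs on one constructed record and reports:
//   onPathCaught: an attacker between resolver and server alters the sealed answer; the channel's tag rejects it.
//   endpointLieAccepted: the holder of the server-side channel key (the forwarder's operator, or whoever
//     compromised it) answers with a substitute record; it decrypts and authenticates cleanly, because the
//     channel proves who sent the packet, not what the zone contains.
//   signedLieCaught: the same substitute fails DNSSEC-style verification with only the zone's public key,
//     and cannot be re-signed without the zone's private key.
func Scenarios() (onPathCaught, endpointLieAccepted, signedLieCaught bool) {
	genuine := RRset{"www.example.", "A", "192.0.2.1"}   // constructed sample answer
	forged := RRset{"www.example.", "A", "198.51.100.9"} // attacker's substitute
	serverKey := must(ecdh.X25519().GenerateKey(rand.Reader))   // server's long-term key
	resolverKey := must(ecdh.X25519().GenerateKey(rand.Reader)) // resolver's key
	serverSide := channelKey(serverKey, resolverKey.PublicKey())
	resolverSide := channelKey(resolverKey, serverKey.PublicKey())

	// 1. On-path modification of a genuine sealed answer.
	sealed := channelSeal(serverSide, genuine.canonical())
	sealed[len(sealed)-1] ^= 0x01 // corrupt one byte of the authentication tag
	_, err := channelOpen(resolverSide, sealed)
	onPathCaught = err != nil

	// 2. The trusted endpoint itself sends the substitute.
	got, err := channelOpen(resolverSide, channelSeal(serverSide, forged.canonical()))
	endpointLieAccepted = err == nil && string(got) == string(forged.canonical())

	// 3. Data signing: verification needs only the zone's public key.
	zonePub, zoneKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignRRset(zoneKey, genuine)
	signedLieCaught = VerifyRRset(zonePub, genuine, sig) && !VerifyRRset(zonePub, forged, sig)
	return
}

func main() {
	a, b, c := Scenarios()
	fmt.Println("on-path forgery caught by channel:", a, "| endpoint's substitute accepted by channel:", b, "| substitute caught by zone signature:", c)
}
```

Run it with go run; the three values correspond to the three cases in the Scenarios comment. Case 2 is the point being made about the channel: the resolver learns only that the answer came from the key it expected, which says nothing about whether that answer is what the zone publishes, whereas case 3 needs no knowledge of how the bytes arrived.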