Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Paul Wouters <paul@xelerance.com> Thu, 25 February 2010 16:47 UTC

Date: Thu, 25 Feb 2010 11:50:04 -0500
From: Paul Wouters <paul@xelerance.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
In-Reply-To: <a123a5d61002250600l49bd13d0if20bcdc5ca408e75@mail.gmail.com>
Message-ID: <alpine.LFD.1.10.1002251142420.1697@newtla.xelerance.com>
References: <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <201002251330.o1PDUSjx020999@fs4113.wdf.sap.corp> <a123a5d61002250600l49bd13d0if20bcdc5ca408e75@mail.gmail.com>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: ietf@ietf.org

On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:

>> What does DNSCurve additionally provide
>> compared to a combination of traditional DNS with IPsec?
>
> They appear to have an interest in actually listening to real world
> requirements.

> Of course a combination of DNS and IPSec would be a better solution.

It would have the same flaw. You cannot expect to ask various DNS
servers in a row for perfectly encrypted DNS data, then start an encrypted
browser session to 74.125.77.19, and expect people not to know you
just went to gmail.com. DNSCurve might have obfuscated some of your
queries, but anyone eavesdropping still knows exactly what DNS you looked
up and where you went to.

Once you realise encryption of DNS is not really possible, what is it
that DNSCurve offers that DNSSEC does not? Nothing. And previous postings
have illustrated the long list of shortcomings in DNSCurve over DNSSEC.

> It is not that difficult for Vint Cerf and Steve Crocker to get
> Microsoft to put checkbox support for DNSSEC protocol into their
> product. Getting a feature added to a Linux distribution is even
> easier. But there is a huge difference between doing that and getting
> a commitment to support it.

How many TLDs does it take for people to finally say DNSSEC is adopted?
See www.xelerance.com/dnssec/ for a Google map.

> At the moment this is being left to DNS registrars, most of which have
> no idea what a CPS or a CP is and have no interest in finding out.

Many IETF people are active in the DNSSEC Coalition, a group of DNS experts
that is helping them solve that problem properly. The Registrars are not
"left to die". Far from it.

Paul
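The metadata argument in the reply above (encrypting the query does not hide the destination, because the connection that follows it goes to the resolved address in the clear) can be modelled as a small passive-observer simulation. This is an added example, not code from the thread or from any DNSCurve or DNSSEC implementation; the traffic events, the resolver address 192.0.2.53 and the reverse map are constructed, and 74.125.77.19 is the address quoted in the mail, assumed here to be attributable to gmail.com. It goes slightly beyond the mail by letting one address carry several names, which is the case where query encryption does reduce what an observer learns, from a single name to a candidate set.

```python
"""Toy model of what a passive on-path observer learns from a client's
traffic with plaintext DNS versus DNS whose query payload is encrypted.
Added example; every event and mapping below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str      # "dns" (a query) or "tcp" (a connection attempt)
    payload: str   # query name for plaintext DNS, "" when the payload is opaque
    dst_ip: str    # destination address, always visible on the wire

# Address-to-name knowledge the observer already holds (e.g. from its own
# earlier lookups or public IP-to-name data).  Constructed for the example;
# 74.125.77.19 is the address quoted in the mail, 198.51.100.7 is a
# hypothetical shared address hosting two names.
KNOWN_HOSTS = {
    "74.125.77.19": {"gmail.com"},
    "198.51.100.7": {"shop.example", "blog.example"},
}

def observed_destinations(events, reverse_map=KNOWN_HOSTS):
    """Return the names an eavesdropper can attribute to the client.

    A plaintext query leaks its name directly.  A connection leaks the
    destination address whether or not DNS was encrypted, and the observer
    maps that address back to whatever names it knows for it."""
    names = set()
    for ev in events:
        if ev.kind == "dns" and ev.payload:
            names.add(ev.payload)
        elif ev.kind == "tcp":
            names |= reverse_map.get(ev.dst_ip, set())
    return names

def plaintext_session(query, ip):
    return [Event("dns", query, "192.0.2.53"), Event("tcp", "", ip)]

def encrypted_dns_session(ip):
    # DNSCurve-style: the observer sees a packet to the resolver but no name
    return [Event("dns", "", "192.0.2.53"), Event("tcp", "", ip)]

def gained_by_encryption(query, ip):
    """Names the observer learns only when the query is in plaintext.

    Empty when the address alone identifies the destination; non-empty only
    when the address is shared and the query was the disambiguating signal."""
    plain = observed_destinations(plaintext_session(query, ip))
    enc = observed_destinations(encrypted_dns_session(ip))
    # With encryption the observer is left with a candidate set for the
    # address; the query was "hidden" only if that set is wider than one name.
    return set() if len(enc) <= 1 else plain - (enc - {query})

if __name__ == "__main__":
    print(observed_destinations(plaintext_session("gmail.com", "74.125.77.19")))
    print(observed_destinations(encrypted_dns_session("74.125.77.19")))
    print(gained_by_encryption("gmail.com", "74.125.77.19"))   # nothing hidden
    print(observed_destinations(encrypted_dns_session("198.51.100.7")))
```

For the single-tenant address the encrypted and plaintext sessions yield the same attribution, which is the mail's point: confidentiality of the query adds nothing once the connection is visible. Only for the shared address does the observer drop from a definite name to a candidate set, and even then the address itself is still recorded.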