Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 24 February 2010 18:34 UTC

Mime-Version: 1.0
Message-Id: <p0624080ec7ab1f650ef1@[10.20.30.158]>
In-Reply-To: <alpine.LSU.2.00.1002241754550.16971@hermes-2.csi.cam.ac.uk>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <alpine.LSU.2.00.1002241754550.16971@hermes-2.csi.cam.ac.uk>
Date: Wed, 24 Feb 2010 10:27:47 -0800
To: Tony Finch <dot@dotat.at>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Content-Type: text/plain; charset="us-ascii"
Cc: ietf@ietf.org

At 6:04 PM +0000 2/24/10, Tony Finch wrote:
>On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
>
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>
>It has a LOT of catching up to do. DNSCurve has no publicly available
>implementations. DNSSEC will be deployed in the most important zones by
>the end of this year.

DNSCurve also assumes that authoritative name servers are willing to do orders of magnitude more calculations per second, all the time, than DNSSEC requires of them. That is, cryptographic calculations are needed for every response. Placing that burden on the DNS may or may not be acceptable to current operators. It may or may not also lead to less stability.

>> * It considers real world requirements that DNSSEC does not.
>
>DNSCurve ignores algorithm agility and patent problems.

How does it ignore patent problems? ECDSA and DNSCurve have the same patent exposure.

--Paul Hoffman, Director
--VPN Consortium
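Paul's point above, that a DNSCurve-style authoritative server must do cryptography on every response while a DNSSEC-style server signs once at zone-signing time and then only copies bytes, as an added example. This is not code from the thread, from OpenDNS, or from any DNSCurve or DNSSEC implementation. Stand-ins and assumptions: X25519 key agreement plus an HMAC-SHA256 tag takes the place of DNSCurve's crypto_box, a SHA-256 digest takes the place of the RRSIG computation (only when the work happens matters here, not which algorithm), the zone, client keys, nonces and counters are constructed for the example, and the cache_shared_secrets switch is an assumption added to show how the per-response count changes if the server keeps the shared secret per client public key.

```python
# Added example: query-path crypto load of a DNSCurve-style server versus a
# DNSSEC-style server. Stand-ins: X25519 + HMAC-SHA256 for crypto_box, and a
# SHA-256 digest for the RRSIG. Zone, keys and nonces are constructed here.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder (pure Python; not constant-time)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (scalar >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# Constructed sample zone: owner name -> rdata bytes (toy, not wire format).
ZONE = {"www.example.": b"\x0a\x00\x00\x01", "example.": b"\x0a\x00\x00\x35"}


class DnssecStyleServer:
    """Signs each RRset once at zone load; the query path only copies bytes."""
    def __init__(self, zone):
        # sha256 stands in for the RRSIG computation (RSA/ECDSA in real DNSSEC).
        self.answers = {n: r + hashlib.sha256(b"zsk" + r).digest() for n, r in zone.items()}
        self.sign_ops, self.query_crypto_ops = len(zone), 0

    def answer(self, name):
        return self.answers[name]  # nothing to compute per query


class DnscurveStyleServer:
    """Does key agreement and authentication for every response it sends."""
    def __init__(self, zone, cache_shared_secrets=False):
        self.zone, self.sk = zone, os.urandom(32)
        self.pk = x25519(self.sk, BASEPOINT)
        self.cache = {} if cache_shared_secrets else None  # assumption, see lead-in
        self.scalarmults = self.auth_ops = 0

    def answer(self, name, client_pk, nonce):
        shared = self.cache.get(client_pk) if self.cache is not None else None
        if shared is None:
            shared = x25519(self.sk, client_pk)  # the costly step, once per query
            self.scalarmults += 1
            if self.cache is not None:
                self.cache[client_pk] = shared
        rdata = self.zone[name]
        tag = hmac.new(shared, nonce + rdata, hashlib.sha256).digest()  # stand-in for crypto_box
        self.auth_ops += 1
        return rdata + tag


def simulate(n_queries, n_clients, cache_shared_secrets=False):
    """Serve n_queries from n_clients to both servers; return crypto counters."""
    dnssec = DnssecStyleServer(ZONE)
    curve = DnscurveStyleServer(ZONE, cache_shared_secrets)
    clients = []
    for _ in range(n_clients):
        sk = os.urandom(32)
        clients.append((x25519(sk, BASEPOINT), x25519(sk, curve.pk)))  # (pk, shared)
    names = list(ZONE)
    for i in range(n_queries):
        name = names[i % len(names)]
        dnssec.answer(name)
        pk, shared = clients[i % n_clients]
        nonce = i.to_bytes(24, "big")
        resp = curve.answer(name, pk, nonce)
        rdata, tag = resp[:-32], resp[-32:]
        if not hmac.compare_digest(tag, hmac.new(shared, nonce + rdata, hashlib.sha256).digest()):
            raise ValueError("client-side authentication failed")
    return {
        "dnssec_sign_ops_at_load": dnssec.sign_ops,
        "dnssec_crypto_ops_on_query_path": dnssec.query_crypto_ops,
        "dnscurve_scalarmults_on_query_path": curve.scalarmults,
        "dnscurve_auth_ops_on_query_path": curve.auth_ops,
    }


if __name__ == "__main__":
    for cache in (False, True):
        print("cache_shared_secrets=%s:" % cache, simulate(300, 30, cache))
```

With caching off, the DNSCurve-style server performs one scalar multiplication and one authentication per query, while the DNSSEC-style server does its signing at load time and none on the query path; with the assumed per-client cache the scalar multiplications drop to one per distinct client key but the per-response authentication remains.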