Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Joe Baptista <baptista@publicroot.org> Mon, 01 March 2010 16:35 UTC

In-Reply-To: <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org> <4B863571.40604@necom830.hpcl.titech.ac.jp> <a123a5d61002250614h36c51a42xebb54c3cc340829d@mail.gmail.com> <alpine.LFD.1.10.1002251151010.1697@newtla.xelerance.com> <a123a5d61002251201k10b5305ai3aa226fc6b84a793@mail.gmail.com>
Date: Mon, 01 Mar 2010 11:34:53 -0500
X-Google-Sender-Auth: 60ab5fb32e2a63aa
Message-ID: <874c02a21003010834o49531071p29f4492cd149c1e7@mail.gmail.com>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
From: Joe Baptista <baptista@publicroot.org>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>

I just want to remind everyone that a DNScurve draft is on the table.

http://tools.ietf.org/html/draft-dempsky-dnscurve-01

There is an urgent need to solve the DNS security issues within a reasonable
period of time.

Please remember the Kaminsky DNS bug did not identify a security problem
with the DNS but with the UDP transport. DNScurve fixes the problem today without
having to spend 15 more years getting it right.

And it does not cost a fortune to implement. DNSSEC is more of a make-work
project than it is a solution. And DNSSEC does not solve the UDP issue. And
that is the problem DNScurve fixes NOW.

If there is any common sense left at the IETF, and I think there are sparks
here and there, then I strongly recommend IETF members get DNScurve
established as an RFC. We need leadership, not more DNSSEC blah blah blah.

Together let's exercise some common sense and support
draft-dempsky-dnscurve-01.

regards
joe baptista

On Thu, Feb 25, 2010 at 3:01 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> Who are these 'security researchers' of whom you speak? I am a
> principal in the security field, if you want to contradict me then you
> should either say that something is your personal opinion or you
> should specify the other parties you are referring to.
>
> The reason that I want to see what the key registration process is
> going to look like is precisely because the validation process
> matters. It is the reason that I sent out the invitations to the
> original meeting that started the process that created EV
> certificates.
>
> Moving to DNSSEC, regardless of the technical model does not eliminate
> the need for certificates or CAs. The purpose of EV certificates is to
> re-establish the principle of accountability.
>
> You can design a PKI to meet many different needs. Identity is one
> purpose, but not a very useful one. Which is the real reason that
> identity systems are so hard to deploy. If you want security from a
> PKI you will do better with a validation system that provides
> accountability.
>
> I use words very carefully. I know that you can use SSH keys protected
> by DNSSEC. But at the moment there is not a complete proposal for a
> Secure DNS system. Key parts of that system are being left to chance
> and that is why the prospects for an alternative system are much
> better than you imagine.
>
>
> On Thu, Feb 25, 2010 at 11:55 AM, Paul Wouters <paul@xelerance.com> wrote:
> > On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:
> >
> >> But SSH would be much better if we could integrate the key
> >> distribution into a secured DNS.
> >
> > See previous post. Already done and running.
> >
> >> And self-signed SSL certs would be
> >> better if we could use hash values distributed through a secured DNS
> >> to verify them.
> >
> > Yes. The CERT/CERTQ record is still a bit of a problem and needs some
> > work.
> >
> >> If DNSSEC succeeds, the domain validated certificate business will
> >> have to either transform or eventually die. I think that for most CAs,
> >> the business opportunities from SSL+DNSSEC are greater than the
> >> opportunities from the current DV SSL business. DNSSEC cannot deploy
> >> unless the registrars have cryptography experience; the CAs have that
> >> experience.
> >
> > If you ask security researchers, it has been proven that CAs sacrificed
> > security for profitability. The CA model has failed to work. 2-second
> > validation based on email, md5 based * root certificates signed, etc etc.
> > The last two years saw a significant amount of attacks against CAs, and
> > CAs have seen their profit margin fall to near zero, so even if they
> > wanted to, they cannot increase security (you ask me a confirmation for
> > my cert, I'll go to this other ssl provider that doesn't).
> >
> > CERTs in DNS(SEC) put the responsibility of the cert within the domain of
> > the customer. If they care, they can do their security. The time of
> > outsourcing security to CAs is over.
> >
> > Paul
> >
>
>
>
> --
> New Website: http://hallambaker.com/
> View Quantum of Stupid podcasts, Tuesday and Thursday each week,
> http://quantumofstupid.com/
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
>
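Added example, not part of any message in this thread: a small in-process Python model of the race the first message refers to, an off-path attacker flooding forged UDP answers against a 16-bit transaction ID, compared under three resolver acceptance policies. The "auth" policy uses an HMAC-SHA256 tag under a key the attacker does not hold as a stand-in for DNSCurve's per-packet Curve25519 box; the key agreement, the real DNSCurve packet format and DNSSEC's record signatures are not modelled, and the port range, query name and addresses are assumptions made for the demonstration.

```python
"""
Toy model of off-path UDP response forgery against a caching resolver,
run under three acceptance policies. Everything is simulated in-process;
no packets are sent.

  "txid"      accept the first answer whose 16-bit TXID matches
  "txid+port" also require the answer to hit the randomised source port
  "auth"      also require a per-packet authenticator keyed between resolver
              and authoritative server (HMAC-SHA256 stand-in for a DNSCurve
              box; the real protocol uses Curve25519 and is not modelled)
"""
import hashlib
import hmac
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65535    # ephemeral source-port range (assumption)
FIXED_PORT = 53                      # a resolver that never randomises its port


@dataclass
class Query:
    qname: str
    txid: int
    src_port: int


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int
    rdata: str
    tag: bytes = b""                 # per-packet authenticator, "auth" policy only


def authenticator(key: bytes, txid: int, port: int, rdata: str) -> bytes:
    """Stand-in for the DNSCurve box: binds the answer to this exchange."""
    msg = f"{txid}|{port}|{rdata}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Resolver:
    """policy is one of "txid", "txid+port", "auth"."""

    def __init__(self, policy: str, rng: random.Random, key: bytes = b""):
        self.policy, self.rng, self.key = policy, rng, key

    def send_query(self, qname: str) -> Query:
        port = FIXED_PORT if self.policy == "txid" else self.rng.randint(PORT_LOW, PORT_HIGH)
        return Query(qname, self.rng.randrange(TXID_SPACE), port)

    def accepts(self, q: Query, r: Response) -> bool:
        if r.qname != q.qname or r.txid != q.txid:
            return False
        if self.policy != "txid" and r.dst_port != q.src_port:
            return False
        if self.policy == "auth":
            expected = authenticator(self.key, r.txid, r.dst_port, r.rdata)
            return hmac.compare_digest(expected, r.tag)
        return True


def forged_flood(qname: str, guessed_port: int):
    """Blind (off-path) attacker: cannot see the query, so enumerates every TXID."""
    for txid in range(TXID_SPACE):
        yield Response(qname, txid, guessed_port, "192.0.2.66", tag=bytes(32))


def run_trial(policy: str, rng: random.Random, key: bytes) -> bool:
    """True if a forged answer is accepted before the genuine one arrives."""
    resolver = Resolver(policy, rng, key)
    q = resolver.send_query("www.example.com.")           # constructed query name
    guessed_port = FIXED_PORT if policy == "txid" else rng.randint(PORT_LOW, PORT_HIGH)
    for forged in forged_flood(q.qname, guessed_port):   # flood races the real answer
        if resolver.accepts(q, forged):
            return True                                   # cache poisoned
    genuine_tag = authenticator(key, q.txid, q.src_port, "192.0.2.1") if policy == "auth" else b""
    genuine = Response(q.qname, q.txid, q.src_port, "192.0.2.1", tag=genuine_tag)
    assert resolver.accepts(q, genuine)                   # the real answer always validates
    return False


def poison_rate(policy: str, trials: int = 10, seed: int = 1) -> float:
    """Fraction of trials in which the attacker's answer was accepted."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(32))    # key the attacker never sees
    return sum(run_trial(policy, rng, key) for _ in range(trials)) / trials


if __name__ == "__main__":
    for policy in ("txid", "txid+port", "auth"):
        print(f"{policy:10s} poisoned in {poison_rate(policy):.0%} of trials")
```

With the TXID-only policy every trial is poisoned, because the attacker can enumerate all 65536 IDs before the genuine answer returns; source-port randomisation divides the per-trial hit rate by the size of the port range but leaves a non-zero chance that grows with every forged packet; the keyed per-packet authenticator rejects every forgery however many are sent, since a matching TXID and port no longer suffice. The model deliberately says nothing about what a DNSSEC-validating resolver would do with the same forged packet; record signatures are a separate mechanism from the transport check shown here.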