Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Phillip Hallam-Baker <hallam@gmail.com> Thu, 25 February 2010 13:58 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A7FD428C0E6 for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 05:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.457
X-Spam-Level:
X-Spam-Status: No, score=-2.457 tagged_above=-999 required=5 tests=[AWL=0.142, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aG75baV+8ysS for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 05:58:40 -0800 (PST)
Received: from mail-iw0-f189.google.com (mail-iw0-f189.google.com [209.85.223.189]) by core3.amsl.com (Postfix) with ESMTP id 69A9928C16A for <ietf@ietf.org>; Thu, 25 Feb 2010 05:58:40 -0800 (PST)
Received: by iwn27 with SMTP id 27so5055376iwn.5 for <ietf@ietf.org>; Thu, 25 Feb 2010 06:00:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=2qZvVW7qkhiCDWuJaSD3od0pwIylaWCCfoRvPLILszE=; b=TZIZRr0MBUPBHS2NWGraD6W1qnx1LQSuHMQEB1Ee3w7CEEylX/VaXECeQnAqIXSk57 MojzF1FEqkE3BjBowGy7mCFkDH8CwIjv33MWNB+VZ/9BeXdzyJIeTUViOvQEudHAKVxI iZAiisR11j4Ej3QXAXqijApWkA6yG/XNHx66I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=fOB/jNu/OvrRB9VXJ5bIbV2d6Mx0CB54nh+eCmQaCfPRuzri5R2F96El9YP3cVASug 99/RIoo3BoJmtiRd5skUjjmKUj8JnXefTyyrmS3Ft2qvz4PS8W1bRVzymajYNJdgvKv/ AZtEXtV6bAF9gKFbQc1oPdhbjZfsyDIf076x4=
MIME-Version: 1.0
Received: by 10.231.146.4 with SMTP id f4mr56797ibv.21.1267106448362; Thu, 25 Feb 2010 06:00:48 -0800 (PST)
In-Reply-To: <201002251330.o1PDUSjx020999@fs4113.wdf.sap.corp>
References: <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <201002251330.o1PDUSjx020999@fs4113.wdf.sap.corp>
Date: Thu, 25 Feb 2010 09:00:48 -0500
Message-ID: <a123a5d61002250600l49bd13d0if20bcdc5ca408e75@mail.gmail.com>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
From: Phillip Hallam-Baker <hallam@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Thu, 25 Feb 2010 08:17:25 -0800
Cc: Chris.Dearlove@baesystems.com, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 13:58:43 -0000
On Thu, Feb 25, 2010 at 8:30 AM, Martin Rex <mrex@sap.com> wrote: > Phillip Hallam-Baker wrote: >> >> I took a look at DNSCurve. Some points: >> >> * It could certainly win. >> * It is designed as a hack rather than an extension. >> * It considers real world requirements that DNSSEC does not. > > What does DNSCurve additionally provide > compared to a combination of traditional DNS with IPsec? They appear to have an interest in actually listening to real world requirements. The DNSSEC folk just tell us that every hard problem is 'out of scope'. If an issue is out of scope for the IETF and out of scope for ICANN, then who is going to address it? You cannot solve a problem by ruling it out of scope. Of course a combination of DNS and IPSec would be a better solution. But nobody has specified how to do it. DNS is a bootstrap protocol, you have to specify how the initial key exchange is achieved. Full IPSec assumes that each side maintains state per connection. That is a bad choice for DNS. You would want to adapt IPSec to use a Kerberos ticket like approach so that only the DNS client needs to maintain state. It is not that difficult for Vint Cerf and Steve Crocker to get Microsoft to put checkbox support for DNSSEC protocol into their product. Getting a feature added to a Linux distribution is even easier. But there is a huge difference between doing that and getting a commitment to support it. Defining the protocols is the easy part of PKI. The hard part is specifying the social interface that gives the PKI specific meaning. At the moment this is being left to DNS registrars, most of which have no idea what a CPS or a CP is and have no interest in finding out. -- New Website: http://hallambaker.com/ View Quantum of Stupid podcasts, Tuesday and Thursday each week, http://quantumofstupid.com/
- OpenDNS today announced it has adopted DNSCurve t… Joe Baptista
- RE: OpenDNS today announced it has adopted DNSCur… Dearlove, Christopher (UK)
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: OpenDNS today announced it has adopted DNSCur… tytso
- Re: OpenDNS today announced it has adopted DNSCur… Dave CROCKER
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Wes Hardaker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Steven M. Bellovin
- DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today a… Shane Kerr
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Marc Petit-Huguenin
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Andrew Sullivan
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Mark Andrews
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Basil Dolmatov
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Abley
- RE: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Hollenbeck, Scott
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Wassim Haddad
- PKIgate Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta