Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Phillip Hallam-Baker <hallam@gmail.com> Thu, 25 February 2010 13:58 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A7FD428C0E6 for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 05:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.457
X-Spam-Level:
X-Spam-Status: No, score=-2.457 tagged_above=-999 required=5 tests=[AWL=0.142, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aG75baV+8ysS for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 05:58:40 -0800 (PST)
Received: from mail-iw0-f189.google.com (mail-iw0-f189.google.com [209.85.223.189]) by core3.amsl.com (Postfix) with ESMTP id 69A9928C16A for <ietf@ietf.org>; Thu, 25 Feb 2010 05:58:40 -0800 (PST)
Received: by iwn27 with SMTP id 27so5055376iwn.5 for <ietf@ietf.org>; Thu, 25 Feb 2010 06:00:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=2qZvVW7qkhiCDWuJaSD3od0pwIylaWCCfoRvPLILszE=; b=TZIZRr0MBUPBHS2NWGraD6W1qnx1LQSuHMQEB1Ee3w7CEEylX/VaXECeQnAqIXSk57 MojzF1FEqkE3BjBowGy7mCFkDH8CwIjv33MWNB+VZ/9BeXdzyJIeTUViOvQEudHAKVxI iZAiisR11j4Ej3QXAXqijApWkA6yG/XNHx66I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=fOB/jNu/OvrRB9VXJ5bIbV2d6Mx0CB54nh+eCmQaCfPRuzri5R2F96El9YP3cVASug 99/RIoo3BoJmtiRd5skUjjmKUj8JnXefTyyrmS3Ft2qvz4PS8W1bRVzymajYNJdgvKv/ AZtEXtV6bAF9gKFbQc1oPdhbjZfsyDIf076x4=
MIME-Version: 1.0
Received: by 10.231.146.4 with SMTP id f4mr56797ibv.21.1267106448362; Thu, 25 Feb 2010 06:00:48 -0800 (PST)
In-Reply-To: <201002251330.o1PDUSjx020999@fs4113.wdf.sap.corp>
References: <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <201002251330.o1PDUSjx020999@fs4113.wdf.sap.corp>
Date: Thu, 25 Feb 2010 09:00:48 -0500
Message-ID: <a123a5d61002250600l49bd13d0if20bcdc5ca408e75@mail.gmail.com>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
From: Phillip Hallam-Baker <hallam@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Thu, 25 Feb 2010 08:17:25 -0800
Cc: Chris.Dearlove@baesystems.com, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 13:58:43 -0000

On Thu, Feb 25, 2010 at 8:30 AM, Martin Rex <mrex@sap.com> wrote:
> Phillip Hallam-Baker wrote:
>>
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>> * It is designed as a hack rather than an extension.
>> * It considers real world requirements that DNSSEC does not.
>
> What does DNSCurve additionally provide
> compared to a combination of traditional DNS with IPsec?

They appear to have an interest in actually listening to real world
requirements.

The DNSSEC folk just tell us that every hard problem is 'out of
scope'. If an issue is out of scope for the IETF and out of scope for
ICANN, then who is going to address it?

You cannot solve a problem by ruling it out of scope.

Of course a combination of DNS and IPSec would be a better solution.
But nobody has specified how to do it. DNS is a bootstrap protocol,
you have to specify how the initial key exchange is achieved. Full
IPSec assumes that each side maintains state per connection. That is a
bad choice for DNS. You would want to adapt IPSec to use a Kerberos
ticket like approach so that only the DNS client needs to maintain
state.


It is not that difficult for Vint Cerf and Steve Crocker to get
Microsoft to put checkbox support for DNSSEC protocol into their
product. Getting a feature added to a Linux distribution is even
easier. But there is a huge difference between doing that and getting
a commitment to support it.

Defining the protocols is the easy part of PKI. The hard part is
specifying the social interface that gives the PKI specific meaning.
At the moment this is being left to DNS registrars, most of which have
no idea what a CPS or a CP is and have no interest in finding out.


-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
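The message above argues that per-connection state on both sides is the wrong fit for DNS and sketches a Kerberos-ticket-like alternative in which only the client keeps state. The following is an added illustration of that one idea, written for this page and not code from the author, OpenDNS, DNSCurve or any IPsec implementation. It assumes the initial bootstrap key exchange the message says must still be specified has already delivered a ticket and session key to the client over a confidential channel; the ticket layout, the HMAC-SHA256 derivation, the lifetime and the query bytes are all constructed for the example.

```python
import hmac
import hashlib
import secrets
import struct
import time

# Constructed wire layout for the example: ticket | nonce | mac | query
TICKET_LIFETIME = 3600   # seconds; an assumed value, not from the page
TICKET_LEN = 8 + 16      # big-endian expiry + random ticket id
NONCE_LEN = 12
MAC_LEN = 32             # HMAC-SHA256 tag


def derive_session_key(master_key, ticket):
    """Server keeps no per-client table: the session key is re-derived from
    the public ticket and the server's long-term master key on every query."""
    return hmac.new(master_key, b"session-key" + ticket, hashlib.sha256).digest()


def issue_ticket(master_key, now):
    """Server side of the (assumed) bootstrap exchange: mint a ticket and the
    matching session key. Both go to the client; the server forgets them."""
    expiry = now + TICKET_LIFETIME
    ticket = struct.pack(">Q", expiry) + secrets.token_bytes(16)
    return ticket, derive_session_key(master_key, ticket)


def sign_query(session_key, ticket, query, nonce):
    """Client side: authenticate one query under the session key. The ticket
    and a fresh nonce are bound into the tag so every signed query is distinct."""
    mac = hmac.new(session_key, ticket + nonce + query, hashlib.sha256).digest()
    return ticket + nonce + mac + query


def verify_query(master_key, message, now):
    """Server side: recover the session key from the ticket, check expiry and
    the tag, and return the query on success or None on any failure."""
    header_len = TICKET_LEN + NONCE_LEN + MAC_LEN
    if len(message) < header_len:
        return None
    ticket = message[:TICKET_LEN]
    nonce = message[TICKET_LEN:TICKET_LEN + NONCE_LEN]
    mac = message[TICKET_LEN + NONCE_LEN:header_len]
    query = message[header_len:]
    (expiry,) = struct.unpack(">Q", ticket[:8])
    if now >= expiry:
        return None  # stale ticket; the client must re-run the bootstrap
    session_key = derive_session_key(master_key, ticket)
    expected = hmac.new(session_key, ticket + nonce + query, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged, tampered, or signed under a different server key
    return query


def demo():
    """Round trip plus three failure cases; returns the verifier's outputs."""
    master_key = secrets.token_bytes(32)
    now = int(time.time())
    ticket, session_key = issue_ticket(master_key, now)
    query = b"example.com. IN A"  # constructed query text, not DNS wire format
    msg = sign_query(session_key, ticket, query, secrets.token_bytes(NONCE_LEN))
    good = verify_query(master_key, msg, now)
    tampered = verify_query(master_key, msg[:-1] + bytes([msg[-1] ^ 1]), now)
    expired = verify_query(master_key, msg, now + TICKET_LIFETIME)
    wrong_server = verify_query(secrets.token_bytes(32), msg, now)
    return good, tampered, expired, wrong_server


if __name__ == "__main__":
    print(demo())
```

The server's only secret is the master key, which is exactly the trade-off the message points at: statelessness is bought by making the ticket the client's problem to store and by accepting that a compromised master key exposes every session key derived from it, so the master key must rotate and tickets must expire. Nothing here detects replay of an identical signed query; doing so needs a nonce cache or a timestamp window on the server, which is precisely the per-client state the design set out to avoid, so that decision has to be made explicitly rather than left out of scope.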