IETF Logo Mail Archive

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Thu, 25 February 2010 00:06 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CBCA428C16B for <ietf@core3.amsl.com>; Wed, 24 Feb 2010 16:06:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.815
X-Spam-Level:
X-Spam-Status: No, score=0.815 tagged_above=-999 required=5 tests=[AWL=0.906, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1RijfybBRXI for <ietf@core3.amsl.com>; Wed, 24 Feb 2010 16:06:25 -0800 (PST)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id BEC0928C125 for <ietf@ietf.org>; Wed, 24 Feb 2010 16:06:24 -0800 (PST)
Received: (qmail 56753 invoked from network); 25 Feb 2010 01:11:10 -0000
Received: from softbank219001188004.bbtec.net (HELO necom830.hpcl.titech.ac.jp) (219.1.188.4) by necom830.hpcl.titech.ac.jp with SMTP; 25 Feb 2010 01:11:10 -0000
Message-ID: <4B85BF52.7030004@necom830.hpcl.titech.ac.jp>
Date: Thu, 25 Feb 2010 09:07:46 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <1267039830.9710.11106.camel@shane-asus-laptop> <alpine.LSU.2.00.1002242049510.16971@hermes-2.csi.cam.ac.uk> <p06240819c7ab46c7fbf9@[10.20.30.158]> <4B859F15.9080106@acm.org> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org>
In-Reply-To: <201002242347.o1ONlt7L023898@drugs.dv.isc.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 00:06:25 -0000

Mark Andrews wrote:

>>>http://tools.ietf.org/html/draft-dempsky-dnscurve-00
>>
>>As I read the draft, it seems to me that DNSCurve without Curve
>>(that is, with 96 bit nonce of DNSCurve as an extended message
>>ID without elliptic curve cryptography) is secure enough.

> Except from players that can see the query.

That's not a new cryptographical problem.

As DNSCurve protection is like DH, it is subject to MitM attacks,
which is no different from simple nonce.

						Masataka Ohta

v2.23.0 | Report a Bug | By Email