Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Thu, 25 February 2010 02:07 UTC

Message-ID: <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp>
Date: Thu, 25 Feb 2010 11:09:14 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <1267039830.9710.11106.camel@shane-asus-laptop> <alpine.LSU.2.00.1002242049510.16971@hermes-2.csi.cam.ac.uk> <p06240819c7ab46c7fbf9@10.20.30.158> <4B859F15.9080106@acm.org> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com>
In-Reply-To: <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>

Nikos Mavrogiannopoulos wrote:

> Not really. I Don't know what you mean by simple nonce, but as I
> understand dnscurve if implemented properly would have ssh-style
> authentication.

Ssh without a secure public key distribution mechanism is not really
secure cryptographically.

In general, public key cryptography is secure only if public key
distribution is secure.

For example, DNSSEC is not really secure because key distribution
through trusted third parties is not really trustable.

> Only the first request of the server key is vulnerable
> with mitm.

So, we agree that DNSCurve is vulnerable to MitM attacks.

> Then it should be cached.

As it is cached, a successful attack on the first request, which
is easy if you can snoop packets, is more than enough.

It invalidates all the legitimate replies and validates all the
forged replies.

If you can't snoop packets, a long message ID is just secure.

						Masataka Ohta
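The failure mode argued over above (a trust-on-first-use resolver caching whatever key it first sees, after which legitimate replies fail verification and forged ones pass) as an added simulation that is not part of this thread or of any DNSCurve implementation. A keyed MAC stands in for the Curve25519 signature, the zone name, reply contents and keys are constructed, and the optional out-of-band fingerprint "pin" is an assumed mitigation illustrating the "secure key distribution" point, not a DNSCurve feature.

```python
import hashlib
import hmac
import os

# A keyed MAC stands in for the public-key signature: the simulation is
# about which key the resolver ends up trusting, not about the primitive.
def sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)

def fingerprint(key):
    return hashlib.sha256(key).hexdigest()[:16]

class TofuResolver:
    """Caches a zone's key on first contact (trust on first use)."""
    def __init__(self, pins=None):
        self.cache = {}
        self.pins = pins or {}   # assumed out-of-band fingerprints, if any

    def learn_key(self, zone, key):
        """First request: the key arrives unauthenticated. With a pin,
        a mismatching key is refused instead of cached."""
        if zone in self.cache:
            return True
        pin = self.pins.get(zone)
        if pin is not None and pin != fingerprint(key):
            return False
        self.cache[zone] = key
        return True

    def accept(self, zone, msg, sig):
        key = self.cache.get(zone)
        return key is not None and verify(key, msg, sig)

LEGIT = b"example. A 192.0.2.1"      # constructed reply contents
FORGED = b"example. A 198.51.100.9"  # constructed forged reply

def run(first_seen_key, true_key, attacker_key, pins=None):
    """Returns (legitimate accepted, forged accepted, key was cached)."""
    r = TofuResolver(pins)
    cached = r.learn_key("example.", first_seen_key)
    return (r.accept("example.", LEGIT, sign(true_key, LEGIT)),
            r.accept("example.", FORGED, sign(attacker_key, FORGED)),
            cached)

TRUE_KEY, ATTACKER_KEY = os.urandom(32), os.urandom(32)

if __name__ == "__main__":
    print("honest first contact: ", run(TRUE_KEY, TRUE_KEY, ATTACKER_KEY))
    print("snooped first contact:", run(ATTACKER_KEY, TRUE_KEY, ATTACKER_KEY))
    print("pinned, snooped:      ", run(ATTACKER_KEY, TRUE_KEY, ATTACKER_KEY,
                                        {"example.": fingerprint(TRUE_KEY)}))
```

The second run reproduces the claim in the message: once the wrong key is cached, every genuine reply is rejected and every forged one accepted, and only the pinned resolver refuses the substituted key.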