Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Basil Dolmatov <dol@cryptocom.ru> Thu, 25 February 2010 08:03 UTC

Message-ID: <4B862F58.1020401@cryptocom.ru>
Date: Thu, 25 Feb 2010 11:05:44 +0300
From: Basil Dolmatov <dol@cryptocom.ru>
To: Paul Wouters <paul@xelerance.com>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <1267039830.9710.11106.camel@shane-asus-laptop> <alpine.LSU.2.00.1002242049510.16971@hermes-2.csi.cam.ac.uk> <alpine.LFD.1.10.1002241554540.18920@newtla.xelerance.com>
In-Reply-To: <alpine.LFD.1.10.1002241554540.18920@newtla.xelerance.com>
Cc: IETF Discussion <ietf@ietf.org>

Paul Wouters writes:

>>> DNSSEC declares out of scope:
>>>       * the channel where DS records get added to the parent
>>
>> Is that actually out of scope or just not specified yet?
> 
> Out of scope. It is the bootstrap problem. Though with RFC-5011
It is much more than a bootstrap problem.
> and perhaps draft-wijngaards-dnsop-trust-history-02 the above
> bullet might should probably read "were initial DS records get added"
> 
> Once you have established the first DS record, you should be able
> to rollover without losing the path of trust.
There are planned rollovers, but there are also compromises, NS
authority changes, etc.

All of these things are normal in a production environment and should be
treated with standard procedures.

And these procedures are out of scope of DNSSEC.

dol@
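As an added illustration (not part of this thread) of the two cases argued above, the following Python model computes DS records from DNSKEY RDATA as RFC 4034 specifies (key tag per Appendix B, SHA-256 digest over owner name plus RDATA) and then walks a planned pre-published-DS rollover and an emergency key replacement step by step, asking at each step whether a validator still finds a DS at the parent that matches a key the child publishes. The zone name and key bytes are constructed placeholders, not real key material.

```python
import hashlib

def dnskey_rdata(key):
    """DNSKEY RDATA wire form (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    flags, protocol, algorithm, pubkey = key
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(key):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(key)):
        acc += b << 8 if i % 2 == 0 else b
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name, the DS digest prefix."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(name, key):
    """DS RDATA the parent publishes for this DNSKEY: key tag, algorithm, digest type 2, SHA-256."""
    digest = hashlib.sha256(owner_wire(name) + dnskey_rdata(key)).hexdigest()
    return (key_tag(key), key[2], 2, digest)

def chain_intact(name, parent_ds, child_keys):
    """Validator's view: some DS at the parent must match a DNSKEY the child publishes."""
    return not set(parent_ds).isdisjoint(ds_record(name, k) for k in child_keys)

def rollover_timeline(name, old_key, new_key):
    """Planned KSK rollover with the new DS pre-published: the chain never breaks."""
    ds_old, ds_new = ds_record(name, old_key), ds_record(name, new_key)
    steps = [("steady state", {ds_old}, [old_key]),
             ("parent adds new DS", {ds_old, ds_new}, [old_key]),
             ("child swaps KSK", {ds_old, ds_new}, [new_key]),
             ("parent removes old DS", {ds_new}, [new_key])]
    return [(label, chain_intact(name, ds, keys)) for label, ds, keys in steps]

def compromise_timeline(name, old_key, new_key):
    """Compromised KSK: if the child drops it at once, the chain stays broken until the
    parent publishes the new DS through the channel DNSSEC leaves out of scope."""
    ds_old, ds_new = ds_record(name, old_key), ds_record(name, new_key)
    steps = [("steady state", {ds_old}, [old_key]),
             ("child replaces compromised KSK", {ds_old}, [new_key]),
             ("parent publishes new DS", {ds_new}, [new_key])]
    return [(label, chain_intact(name, ds, keys)) for label, ds, keys in steps]

# Constructed sample keys (not real key material): flags=257 (KSK), protocol=3, algorithm=8.
OLD_KSK = (257, 3, 8, bytes(range(32)))
NEW_KSK = (257, 3, 8, bytes(range(32, 64)))
```

The middle step of `compromise_timeline` is the gap the thread is about: nothing inside DNSSEC itself gets the new DS to the parent, so the procedure for doing so has to exist alongside the protocol.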