Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
David Conrad <drc@virtualized.org> Thu, 25 February 2010 16:59 UTC
Return-Path: <drc@virtualized.org>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78F1F28C3DA for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.239
X-Spam-Level:
X-Spam-Status: No, score=-6.239 tagged_above=-999 required=5 tests=[AWL=0.360, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Lj+hxa0EQlK for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:59:36 -0800 (PST)
Received: from virtualized.org (trantor.virtualized.org [204.152.189.190]) by core3.amsl.com (Postfix) with ESMTP id CE09D28C37B for <ietf@ietf.org>; Thu, 25 Feb 2010 08:59:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 25C22ACFC92; Thu, 25 Feb 2010 09:01:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFkUWyoI5-WA; Thu, 25 Feb 2010 09:01:38 -0800 (PST)
Received: from [10.96.18.220] (wlan39-033.mdr.icann.org [192.0.39.33]) by virtualized.org (Postfix) with ESMTP id C5947ACFC83; Thu, 25 Feb 2010 09:01:37 -0800 (PST)
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: David Conrad <drc@virtualized.org>
In-Reply-To: <alpine.LFD.1.10.1002251136250.1697@newtla.xelerance.com>
Date: Thu, 25 Feb 2010 09:01:08 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <D006A2A6-2CDE-4AEA-99DB-D8CFED59D7E3@virtualized.org>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <sdzl2yvgru.fsf@wjh.hardakers.net> <874c02a21002240835u7cf4bf60y510cbbc870727852@mail.gmail.com> <20100224165011.GF5166@thunk.org> <a123a5d61002240944l3944a8acy804a1d819bf2cc3d@mail.gmail.com> <20100224142926.21d929c0@yellowstone.machshav.com> <a123a5d61002241239i16abd52cn5e8dda15a1dd55b0@mail.gmail.com> <alpine.LFD.1.10.1002251136250.1697@newtla.xelerance.com>
To: Paul Wouters <paul@xelerance.com>
X-Mailer: Apple Mail (2.1077)
Cc: Phillip Hallam-Baker <hallam@gmail.com>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 16:59:40 -0000
On Feb 25, 2010, at 8:41 AM, Paul Wouters wrote: > On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote: >> I would like to see us create an assumption that a given machine will >> only use recursive resolution services from a specific trusted source. > > Trust no one. You have to trust someone. Really. > More and more devices will do their own DNSSE validation, > and just use caches to get the data. This must means those devices trust your their validator (and the operating system it is running on). Which is fine (and, in fact, what I'd argue is the right answer), but it means you have to figure out how to securely obtain and install the root trust anchor (or the TLD trust anchors or the DLV trust anchor). >> [Oh we are so not close to being done with deployment here. If turning >> on DNSSEC means the typical Web surfer cannot get their WiFi access at >> Panera without reconfiguring their machine then DNSSEC is stone cold >> dead.] You have to do this in many cases with non-DNSSEC DNS already. T-Mobile Hot Spot service, for example, requires you to use their DNS servers so you can't run your own validator. It really is quite annoying. Regards, -drc
- OpenDNS today announced it has adopted DNSCurve t… Joe Baptista
- RE: OpenDNS today announced it has adopted DNSCur… Dearlove, Christopher (UK)
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: OpenDNS today announced it has adopted DNSCur… tytso
- Re: OpenDNS today announced it has adopted DNSCur… Dave CROCKER
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Wes Hardaker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Steven M. Bellovin
- DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today a… Shane Kerr
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Marc Petit-Huguenin
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Hoffman
- Re: OpenDNS today announced it has adopted DNSCur… Andrew Sullivan
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Mark Andrews
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Nikos Mavrogiannopoulos
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Basil Dolmatov
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: OpenDNS today announced it has adopted DNSCur… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: OpenDNS today announced it has adopted DNSCur… Martin Rex
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: OpenDNS today announced it has adopted DNSCur… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: OpenDNS today announced it has adopted DNSCur… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: OpenDNS today announced it has adopted DNSCur… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Abley
- RE: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Hollenbeck, Scott
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! Florian Weimer
- Re: DNSCurve vs. DNSSEC - FIGHT! Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Phillip Hallam-Baker
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Joe Baptista
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… David Conrad
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Tony Finch
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Paul Wouters
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Wassim Haddad
- PKIgate Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Shumon Huque
- Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS tod… Masataka Ohta