Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

David Conrad <drc@virtualized.org> Thu, 25 February 2010 16:59 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78F1F28C3DA for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.239
X-Spam-Level:
X-Spam-Status: No, score=-6.239 tagged_above=-999 required=5 tests=[AWL=0.360, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Lj+hxa0EQlK for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:59:36 -0800 (PST)
Received: from virtualized.org (trantor.virtualized.org [204.152.189.190]) by core3.amsl.com (Postfix) with ESMTP id CE09D28C37B for <ietf@ietf.org>; Thu, 25 Feb 2010 08:59:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 25C22ACFC92; Thu, 25 Feb 2010 09:01:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZFkUWyoI5-WA; Thu, 25 Feb 2010 09:01:38 -0800 (PST)
Received: from [10.96.18.220] (wlan39-033.mdr.icann.org [192.0.39.33]) by virtualized.org (Postfix) with ESMTP id C5947ACFC83; Thu, 25 Feb 2010 09:01:37 -0800 (PST)
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: David Conrad <drc@virtualized.org>
In-Reply-To: <alpine.LFD.1.10.1002251136250.1697@newtla.xelerance.com>
Date: Thu, 25 Feb 2010 09:01:08 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <D006A2A6-2CDE-4AEA-99DB-D8CFED59D7E3@virtualized.org>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <sdzl2yvgru.fsf@wjh.hardakers.net> <874c02a21002240835u7cf4bf60y510cbbc870727852@mail.gmail.com> <20100224165011.GF5166@thunk.org> <a123a5d61002240944l3944a8acy804a1d819bf2cc3d@mail.gmail.com> <20100224142926.21d929c0@yellowstone.machshav.com> <a123a5d61002241239i16abd52cn5e8dda15a1dd55b0@mail.gmail.com> <alpine.LFD.1.10.1002251136250.1697@newtla.xelerance.com>
To: Paul Wouters <paul@xelerance.com>
X-Mailer: Apple Mail (2.1077)
Cc: Phillip Hallam-Baker <hallam@gmail.com>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 16:59:40 -0000

On Feb 25, 2010, at 8:41 AM, Paul Wouters wrote:
> On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
>> I would like to see us create an assumption that a given machine will
>> only use recursive resolution services from a specific trusted source.
> 
> Trust no one.

You have to trust someone.  Really.

> More and more devices will do their own DNSSEC validation,
> and just use caches to get the data.

This must mean those devices trust their validator (and the operating system it is running on).  Which is fine (and, in fact, what I'd argue is the right answer), but it means you have to figure out how to securely obtain and install the root trust anchor (or the TLD trust anchors or the DLV trust anchor).

>> [Oh we are so not close to being done with deployment here. If turning
>> on DNSSEC means the typical Web surfer cannot get their WiFi access at
>> Panera without reconfiguring their machine then DNSSEC is stone cold
>> dead.]

You have to do this in many cases with non-DNSSEC DNS already.  T-Mobile Hot Spot service, for example, requires you to use their DNS servers so you can't run your own validator.  It really is quite annoying.

Regards,
-drc
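The trust question in this exchange (a device that validates itself versus one that "just uses caches" and believes what the cache tells it) shows up on the wire as two bits: the DO bit a validating stub sets in its EDNS0 OPT record, and the AD bit a resolver sets in its answer. The following is an added illustration written for this archive page, not code from any participant or from OpenDNS or DNSCurve; the DNS messages are constructed inline rather than captured, and the function names and the `resolver_trusted` parameter are assumptions of the example. It shows why the AD bit alone carries no security unless the resolver and the last hop to it are trusted, which is the point being argued above.

```python
"""Inspect the DNSSEC-related flags in DNS messages (added example).

A stub that leaves validation to a cache only ever sees the AD bit, and that
bit is meaningful only if the resolver and the path to it are trusted.  All
messages below are constructed for the example, not captured traffic.
"""
import struct

A_TYPE, IN_CLASS, OPT_TYPE = 1, 1, 41
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT TTL field (RFC 3225)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, msg_id=0x1234, want_dnssec=True):
    """Build an A query; with want_dnssec, append an OPT RR carrying the DO bit
    so a resolver returns RRSIGs and sets AD when the data validates."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", A_TYPE, IN_CLASS)
    opt = b""
    if want_dnssec:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL field = ext-rcode | version | flags (DO lives in the flags)
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return header + question + opt


def parse_header(data):
    """Decode the 12-byte DNS header into named fields."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "ad": (flags >> 5) & 1,   # Authentic Data: resolver claims it validated
        "cd": (flags >> 4) & 1,   # Checking Disabled: client asked to skip validation
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def query_requests_dnssec(data):
    """Return True if the query carries an OPT RR with the DO bit set."""
    hdr = parse_header(data)
    pos = 12
    for _ in range(hdr["counts"][0]):          # skip the question section
        while data[pos] != 0:                  # queries carry no name compression
            pos += data[pos] + 1
        pos += 1 + 4                           # terminating zero + type/class
    for _ in range(hdr["counts"][3]):          # additional section
        if data[pos] != 0:
            return False                       # only an OPT (root name) is expected here
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[pos + 1:pos + 11])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        pos += 11 + rdlen
    return False


def classify_answer(data, resolver_trusted):
    """What a non-validating stub may conclude from a cache's answer.
    'validated' is warranted only when the resolver and the channel to it
    are trusted; otherwise the AD bit is just an unauthenticated claim."""
    hdr = parse_header(data)
    if hdr["rcode"] == 2 and not hdr["cd"]:
        return "servfail-possibly-bogus"       # validating resolvers answer SERVFAIL for bogus data
    if hdr["ad"] and hdr["rcode"] == 0:
        return "validated" if resolver_trusted else "ad-bit-from-untrusted-resolver"
    return "unvalidated"


# Constructed response headers: AD set, AD clear, and SERVFAIL (QR=1, RD=1, RA=1).
RESP_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
RESP_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    print("query sets DO:", query_requests_dnssec(build_query("example.com")))
    for label, resp in (("AD", RESP_AD), ("plain", RESP_PLAIN), ("servfail", RESP_SERVFAIL)):
        print(label, "trusted resolver:", classify_answer(resp, True),
              "| untrusted resolver:", classify_answer(resp, False))
```

The `resolver_trusted` argument is the decision the message above says cannot be avoided: a device that validates locally needs a securely installed trust anchor, while a device that believes the AD bit needs to trust the cache and the path to it, and a hotspot that forces its own DNS servers on you decides that for you.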