DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Shane Kerr <shane@isc.org> Wed, 24 February 2010 19:31 UTC

To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: IETF Discussion <ietf@ietf.org>
In-Reply-To: <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com>
Message-ID: <1267039830.9710.11106.camel@shane-asus-laptop>

Phillip,

On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote:
> I took a look at DNSCurve. Some points:
> 
> * It could certainly win.
> * It is designed as a hack rather than an extension.
> * It considers real world requirements that DNSSEC does not.
> 
> On the 'winning' front. Have people noticed that the IETF has only
> ever succeeded in developing security standards by appropriating
> systems that had already defeated the IETF generated solution? PGP was
> not developed in house, it was a reaction to PEM. SSL was developed by
> Netscape. X.509 came from OSI.

DNSCurve and DNSSEC are orthogonal, and solve different - if related -
problems.

DNSSEC declares out of scope:

      * the channel where DS records get added to the parent
      * encryption (which I think DNSCurve provides)

DNSCurve declares out of scope:

      * the channel where the magic NS records get added to the parent
      * the channel where records get sent from the parent to the name
        servers in the RRSET
      * master or slave name server compromises
      * off-line secret key handling

Depending on what you consider important, either technology may or may
not be what you want. You could, in principle, use both, and it actually
would provide different types of security.

--
Shane
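Both of the "parent channel" items Shane lists out of scope concern data the parent zone has to carry on the child's behalf: a DS record (a digest of the child's DNSKEY, RFC 4034 section 5) for DNSSEC, and a DNSCurve "magic" NS name (the server's Curve25519 public key packed into a hostname label of the form uz5 + 51 base-32 digits, per the dnscurve.org specification) for DNSCurve. The following Python is an added example, not code from this thread or from any DNSSEC or DNSCurve implementation; it builds each parent-side artifact from constructed key material so the two records can be compared side by side. The owner name, flags and key bytes are made up for illustration, and the base-32 alphabet and little-endian bit order follow my reading of the DNSCurve encoding.

```python
import hashlib

# --- DNSSEC: DS record derived from a child DNSKEY (RFC 4034 sec. 5.1.4, App. B) ---

def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS owner name."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"  # root label terminator


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than RSA/MD5):
    16-bit one's-complement-style sum over the RDATA, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DS type-2 (SHA-256) record.
    The digest covers owner-name wire format followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, 2, digest


# --- DNSCurve: public key carried in the NS hostname itself ---

# DNSCurve base-32 alphabet: digits, then consonants (no a, e, i, o). Assumed from the spec.
DNSCURVE_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
DNSCURVE_PREFIX = "uz5"


def dnscurve_ns_label(pubkey: bytes) -> str:
    """Pack a 32-byte Curve25519 public key into the 54-character DNSCurve label.
    Bits are consumed little-endian, low 5 bits of byte 0 first. 32 bytes hold 256 bits,
    the label carries 255: Curve25519 ignores the top bit, so it is dropped."""
    if len(pubkey) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    v = vbits = 0
    digits = []
    for b in pubkey:
        v |= b << vbits
        vbits += 8
        while vbits >= 5:
            digits.append(DNSCURVE_ALPHABET[v & 31])
            v >>= 5
            vbits -= 5
    return DNSCURVE_PREFIX + "".join(digits)  # 51 digits; 1 leftover bit discarded


def dnscurve_key_from_label(label: str) -> bytes:
    """Inverse of dnscurve_ns_label: returns the 32-byte key (top bit always clear),
    or None when the label is not a DNSCurve name."""
    if len(label) != 54 or not label.startswith(DNSCURVE_PREFIX):
        return None
    v = vbits = 0
    out = bytearray()
    for ch in label[3:]:
        if ch not in DNSCURVE_ALPHABET:
            return None
        v |= DNSCURVE_ALPHABET.index(ch) << vbits
        vbits += 5
        if vbits >= 8:
            out.append(v & 0xFF)
            v >>= 8
            vbits -= 8
    if vbits:            # 255 bits leave 7 bits for the final byte
        out.append(v & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    # Constructed key material, not real keys.
    ecdsa_key = bytes(range(64))          # shape of an ECDSAP256SHA256 (alg 13) public key
    print("DS:", make_ds("example.com.", 257, 3, 13, ecdsa_key))
    curve_key = bytes(range(32))
    label = dnscurve_ns_label(curve_key)
    print("DNSCurve NS:", label + ".ns.example.com.")
    assert dnscurve_key_from_label(label) == curve_key
```

Read against Shane's list: the DS digest only commits the child's DNSKEY to the parent, so a resolver still verifies RRSIGs over the actual data, whereas the DNSCurve label commits the server's transport key, so protection stops at the server that holds the matching secret. Neither record says anything about how it got into the parent zone, which is exactly the channel both specifications leave to the registrar or registry.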