IETF Logo Mail Archive

Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Paul Wouters <paul@xelerance.com> Thu, 25 February 2010 16:29 UTC

Return-Path: <paul@xelerance.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E516F3A86DE for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:29:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.562
X-Spam-Level:
X-Spam-Status: No, score=-2.562 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AgPyAwWMOTmt for <ietf@core3.amsl.com>; Thu, 25 Feb 2010 08:29:01 -0800 (PST)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id 8DAA728C1AE for <ietf@ietf.org>; Thu, 25 Feb 2010 08:29:01 -0800 (PST)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) by newtla.xelerance.com (Postfix) with ESMTP id 6E346BFE7; Thu, 25 Feb 2010 11:31:12 -0500 (EST)
Date: Thu, 25 Feb 2010 11:31:12 -0500
From: Paul Wouters <paul@xelerance.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
In-Reply-To: <4B862D03.7060602@gnutls.org>
Message-ID: <alpine.LFD.1.10.1002251126130.1697@newtla.xelerance.com>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <1267039830.9710.11106.camel@shane-asus-laptop> <alpine.LSU.2.00.1002242049510.16971@hermes-2.csi.cam.ac.uk> <p06240819c7ab46c7fbf9@10.20.30.158> <4B859F15.9080106@acm.org> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp> <4B862D03.7060602@gnutls.org>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 16:29:03 -0000

On Thu, 25 Feb 2010, Nikos Mavrogiannopoulos wrote:

>> Ssh without secure public key distribution mechanism is not really
>> secure cryptographically.
>>
>> In general, public key cryptography is scure only if public key
>> distribution is secure.
>
> Well as far as I know ssh works pretty well today and this model can be
> easy made verifiable (i.e. secure as you say) by the administrator
> verifying the keys of upstream.

It already is, using DNSSEC.

dig +dnssec -t sshfp www.xelerance.org

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 1

;; ANSWER SECTION:
www.xelerance.org.	7200	IN	SSHFP	1 1 F79BDD2C882A9AC575198D507DE89D9B38145F00
www.xelerance.org.	7200	IN	SSHFP	2 1 B0B26D4895F3628AA721DAA0DB1B8236AFF02BF2
www.xelerance.org.	7200	IN	RRSIG	SSHFP 5 3 7200 20100306233849 20100220075947 58970 xelerance.org. HgME4vnp12/NhZKRUP7YVrSs6aXPeUvaWSoZ1FIS1Mk/8o9qIQgSb8k3 nC9LiQ8HjwGgVf7T2fSywvvW2KrlnFg8geJPSuMPEFXA41eXLUcmHHxr YQNfxkNnoJPz1iayk9tPjhKtfGwQuoL+hWiGUpnnjBKKU8hiCww4UjN4 yMo=


And from "man ssh_config":

      VerifyHostKeyDNS
              Specifies whether to verify the remote key using DNS and SSHFP
              resource records.  If this option is set to “yes”, the client
              will implicitly trust keys that match a secure fingerprint from
              DNS.  Insecure fingerprints will be handled as if this option was
              set to “ask”.  If this option is set to “ask”, information on
              fingerprint match will be displayed, but the user will still need
              to confirm new host keys according to the StrictHostKeyChecking
              option.  The argument must be “yes”, “no”, or “ask”.  The default
              is “no”.  Note that this option applies to protocol version 2
              only.

              See also VERIFYING HOST KEYS in ssh(1).

Paul

v2.23.0 | Report a Bug | By Email