Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 25 February 2010 07:53 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42AE13A85EE for <ietf@core3.amsl.com>; Wed, 24 Feb 2010 23:53:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tjUPI13-HX3L for <ietf@core3.amsl.com>; Wed, 24 Feb 2010 23:53:43 -0800 (PST)
Received: from mail-fx0-f213.google.com (mail-fx0-f213.google.com [209.85.220.213]) by core3.amsl.com (Postfix) with ESMTP id 4E5003A67F0 for <ietf@ietf.org>; Wed, 24 Feb 2010 23:53:43 -0800 (PST)
Received: by fxm5 with SMTP id 5so6122273fxm.29 for <ietf@ietf.org>; Wed, 24 Feb 2010 23:55:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=WFF4OY4aamBTkRKhAdju5GmKkF0yeUiH73owezimz2Y=; b=lkE5JapiMuhqj3qoqwMUuzdH5a6/+leG+vCEDnp2iEg1iDe7UnxI3lyj+kHZF2yuc1 3DTWUOEERqV2qSA0u0HGeNCggFCNvkw9jZfj8SzH/aBG6TbR2+Oa3yePHwa+C9+2lXR8 MNyb/Tz3/fdcNmNOvBxuRywgjKwQntvwbpKFE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=iE5Z2swyBbvsnwWYM7G7CrEv8PzAKhA7W6WdA2COQ03255KraPYNnD0vEviH50zrlZ BtzzhKH4RUcXjoKg7MxOwb/32RJICxoJpyD4HZ8dw/b3bBhRAUThBiR5PusAmN9JCn7w HPwIYnPtLKZhcqqWgPIizi0ORYls8piEOU4ZI=
Received: by 10.102.16.25 with SMTP id 25mr602589mup.40.1267084549848; Wed, 24 Feb 2010 23:55:49 -0800 (PST)
Received: from ?10.100.2.14? (78-23-67-218.access.telenet.be [78.23.67.218]) by mx.google.com with ESMTPS id i7sm13032397mue.34.2010.02.24.23.55.48 (version=SSLv3 cipher=RC4-MD5); Wed, 24 Feb 2010 23:55:49 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4B862D03.7060602@gnutls.org>
Date: Thu, 25 Feb 2010 08:55:47 +0100
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Subject: Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <1267039830.9710.11106.camel@shane-asus-laptop> <alpine.LSU.2.00.1002242049510.16971@hermes-2.csi.cam.ac.uk> <p06240819c7ab46c7fbf9@10.20.30.158> <4B859F15.9080106@acm.org> <4B85B7E5.1000104@necom830.hpcl.titech.ac.jp> <201002242347.o1ONlt7L023898@drugs.dv.isc.org> <4B85BF52.7030004@necom830.hpcl.titech.ac.jp> <c331d99a1002241619y47f91f50g4433a7233350dc74@mail.gmail.com> <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp>
In-Reply-To: <4B85DBCA.2060407@necom830.hpcl.titech.ac.jp>
X-Enigmail-Version: 0.95.7
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 07:53:44 -0000

Masataka Ohta wrote:
> Nikos Mavrogiannopoulos wrote:
> 
>> Not really. I don't know what you mean by simple nonce, but as I
>> understand DNSCurve, if implemented properly it would have SSH-style
>> authentication.
> 
> SSH without a secure public key distribution mechanism is not really
> secure cryptographically.
> 
> In general, public key cryptography is secure only if public key
> distribution is secure.

Well, as far as I know SSH works pretty well today, and this model can be
easily made verifiable (i.e. secure, as you say) by the administrator
verifying the keys of the upstream.

Being "secure" heavily depends on what your requirements are and whom
you are protecting from. Is a typical bank in Europe secure? Can a
general go with an armory division and take the money? Of course he can,
but banks don't consider this a threat.

regards,
Nikos
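The SSH-style model discussed above, as an added illustration that is not part of the thread and not code from any DNSCurve or SSH implementation: a known_hosts-like pin store that trusts a server's key on first use, refuses any later key that differs, and lets an administrator promote a pin to "verified" only after comparing the fingerprint against one obtained out of band. The server name, the key bytes, and the function names are constructed for the example.

```python
"""Minimal SSH-style (trust-on-first-use) key pinning store.

Added illustration, not code from the thread or from any DNSCurve/SSH
implementation.  Server names and key bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PinEntry:
    fingerprint: str        # hex SHA-256 of the raw public key bytes
    verified: bool = False  # True once an administrator confirmed it out of band


class KeyPinStore:
    """Like ~/.ssh/known_hosts: remember the first key seen per server,
    and refuse any later key that differs."""

    def __init__(self) -> None:
        self.pins: Dict[str, PinEntry] = {}

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        return hashlib.sha256(pubkey).hexdigest()

    def check(self, server: str, pubkey: bytes) -> str:
        """Return one of: 'pinned' (first use, now trusted but unverified),
        'match-unverified', 'match-verified', or 'mismatch' (key changed:
        treat as a hard failure, exactly as ssh does)."""
        fp = self.fingerprint(pubkey)
        entry = self.pins.get(server)
        if entry is None:
            self.pins[server] = PinEntry(fp)
            return "pinned"
        if entry.fingerprint != fp:
            return "mismatch"
        return "match-verified" if entry.verified else "match-unverified"

    def mark_verified(self, server: str, expected_fp: str) -> bool:
        """Administrator step: compare the stored fingerprint with one obtained
        out of band (phone call, signed document, etc.).  Only a matching
        fingerprint is promoted to 'verified'."""
        entry = self.pins.get(server)
        if entry is None or entry.fingerprint != expected_fp:
            return False
        entry.verified = True
        return True


def run_demo() -> List[Tuple[str, str]]:
    """Walk through first use, admin verification, and a changed key."""
    store = KeyPinStore()
    upstream = "resolver.example.net"   # constructed name
    key_a = b"\x01" * 32                 # constructed 32-byte public key
    key_b = b"\x02" * 32                 # a different key for the same name

    events: List[Tuple[str, str]] = []
    events.append(("first contact", store.check(upstream, key_a)))
    events.append(("second contact", store.check(upstream, key_a)))
    # Administrator checks the fingerprint against one obtained out of band.
    ok = store.mark_verified(upstream, KeyPinStore.fingerprint(key_a))
    events.append(("admin verification", "accepted" if ok else "rejected"))
    events.append(("third contact", store.check(upstream, key_a)))
    # A different key for the same name must be refused, not silently re-pinned.
    events.append(("key changed", store.check(upstream, key_b)))
    # A wrong out-of-band fingerprint cannot promote the pin.
    bad = store.mark_verified(upstream, KeyPinStore.fingerprint(key_b))
    events.append(("admin verification, wrong fp", "accepted" if bad else "rejected"))
    return events


if __name__ == "__main__":
    for step, outcome in run_demo():
        print(f"{step:32s} -> {outcome}")
```

The point of the "mismatch" outcome is that a pin store never re-pins on its own: once a key is recorded, a different key for the same name is a failure the operator has to look at, which is what makes the first-use window the only place an attacker can insert a key, and what the administrator's out-of-band check closes.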