Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Martin Rex <mrex@sap.com> Thu, 25 February 2010 14:41 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201002251443.o1PEhKo3025263@fs4113.wdf.sap.corp>
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
To: dot@dotat.at
Date: Thu, 25 Feb 2010 15:43:20 +0100
In-Reply-To: <alpine.LSU.2.00.1002251414570.16971@hermes-2.csi.cam.ac.uk> from "Tony Finch" at Feb 25, 10 02:15:07 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: Chris.Dearlove@baesystems.com, hallam@gmail.com, ietf@ietf.org
Reply-To: mrex@sap.com

Tony Finch wrote:
> 
> On Thu, 25 Feb 2010, Martin Rex wrote:
> >
> > What does DNSCurve additionally provide
> > compared to a combination of traditional DNS with IPsec?
> 
> DNS-based keying.

That appears to be an illusion.

My impression is that DNScurve can only distribute public keys
of authoritative nameservers, not of the _much_ more common
caching nameservers, such as you find on firewalls/gateways,
e.g. every DSL-router.

I'm not sure that all of the nameservers operated by ISPs for
use with their customers are authoritative nameservers throughout.

And it appears to me that you either have to entirely abandon
recursive queries with DNScurve, or consider whatever DNScurve
authoritative nameserver you ask for a recursive query to
be authoritative for the entire DNS universe.

If there is one thing that I like about the idea of signed
RRs in DNSsec, then it is the limitation of the authority
of those keys to DNS zones.  Creating fake keys and fake signed RRs
is still possible for an officially authoritative nameserver
for his delegated zones ("subdomains"), but not upwards
the DNS hierarchy and into other DNS zones.

(I beg your pardon if I may have misunderstood the technology,
 and where I may be using inappropriate terminology.)

-Martin
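The zone-scoped authority argued for above, as an added toy model that is not part of the thread and not code from any DNS implementation. It simulates a root trust anchor, a DS-like delegation from the root to a constructed zone `example.`, and a validator that accepts a record only when (a) the signer's key is reachable from the anchor through the delegation chain and (b) the signer is an ancestor of the owner name. An HMAC over the record stands in for an RRSIG and a zone's secret stands in for its key pair, purely to keep the script self-contained; `trust_the_server` is a contrasting resolver that believes whatever the server it talks to returns, with no per-zone scoping. All zone names, addresses and the `Zone`, `validate` and `build_demo` helpers are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of DNSSEC-style zone-scoped authority (added example).
# HMAC stands in for an RRSIG and the zone secret for a key pair: the crypto is
# a placeholder, the point is the validator's scope and chain logic.
# Names are absolute with a trailing dot; "." is the root zone.


def key_digest(key: bytes) -> str:
    """DS-like digest a parent publishes to vouch for a child zone's key."""
    return hashlib.sha256(key).hexdigest()


def rrsig(key: bytes, owner: str, rtype: str, rdata: str) -> str:
    """Stand-in for an RRSIG over one record (toy, not real DNSSEC)."""
    msg = f"{owner}|{rtype}|{rdata}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def in_zone(zone: str, owner: str) -> bool:
    """True if owner lies at or below zone in the DNS tree."""
    return zone == "." or owner == zone or owner.endswith("." + zone)


def ancestors(zone: str):
    """Zones from the root down to and including zone, e.g. [".", "example."]."""
    if zone == ".":
        return ["."]
    labels = zone.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


class Zone:
    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)
        self.records = {}  # (owner, rtype) -> (rdata, signature)

    def publish(self, owner: str, rtype: str, rdata: str) -> None:
        """Sign and publish a record. Scope is deliberately NOT checked here:
        a misbehaving zone may sign any name it likes."""
        self.records[(owner, rtype)] = (rdata, rrsig(self.key, owner, rtype, rdata))

    def delegate(self, child: "Zone") -> None:
        """Publish a DS-like record for a child zone, signed by this zone."""
        self.publish(child.name, "DS", key_digest(child.key))


def key_is_trusted(zones: dict, anchor: str, zone: str) -> bool:
    """Walk the DS chain from the root trust anchor down to zone."""
    if "." not in zones or key_digest(zones["."].key) != anchor:
        return False
    chain = ancestors(zone)
    for parent, child in zip(chain, chain[1:]):
        if parent not in zones or child not in zones:
            return False
        ds = zones[parent].records.get((child, "DS"))
        if ds is None:
            return False  # no delegation: the parent never vouched for this key
        digest, sig = ds
        if not hmac.compare_digest(rrsig(zones[parent].key, child, "DS", digest), sig):
            return False
        if digest != key_digest(zones[child].key):
            return False
    return True


def validate(zones: dict, anchor: str, signer: str, owner: str, rtype: str):
    """DNSSEC-style acceptance: returns rdata, or None if the signer is not an
    ancestor of owner or its key is not reachable from the trust anchor."""
    if signer not in zones or not in_zone(signer, owner):
        return None  # a key's authority stops at its own zone cut
    if not key_is_trusted(zones, anchor, signer):
        return None
    rec = zones[signer].records.get((owner, rtype))
    if rec is None:
        return None
    rdata, sig = rec
    ok = hmac.compare_digest(rrsig(zones[signer].key, owner, rtype, rdata), sig)
    return rdata if ok else None


def trust_the_server(zones: dict, signer: str, owner: str, rtype: str):
    """Contrast: believe whatever the answering server says, no zone scoping."""
    rec = zones[signer].records.get((owner, rtype))
    return rec[0] if rec else None


def build_demo():
    """Constructed tree: root delegates example.; example. signs one record in
    its own zone, one in its own subtree, and one for a name outside its zone."""
    root, example = Zone("."), Zone("example.")
    root.delegate(example)
    example.publish("www.example.", "A", "192.0.2.1")      # in scope
    example.publish("a.sub.example.", "A", "192.0.2.2")    # delegated subtree
    example.publish("www.other.", "A", "192.0.2.99")       # out of scope
    return {z.name: z for z in (root, example)}, key_digest(root.key)


if __name__ == "__main__":
    zones, anchor = build_demo()
    for owner in ("www.example.", "a.sub.example.", "www.other."):
        print(owner, "scoped:", validate(zones, anchor, "example.", owner, "A"),
              "server-trust:", trust_the_server(zones, "example.", owner, "A"))
```

Running the script shows the asymmetry the message describes: the scoped validator accepts `example.`'s signatures for names at or below `example.` and rejects the one for `www.other.` even though the signature itself verifies, while the server-trusting resolver accepts all three. A zone that is never delegated from the root (no DS record) is rejected regardless of what it signs.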