Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
Phillip Hallam-Baker <hallam@gmail.com> Wed, 24 February 2010 20:13 UTC
To: Tony Finch <dot@dotat.at>
Cc: "Dearlove, Christopher (UK)" <Chris.Dearlove@baesystems.com>, ietf@ietf.org

The same could be said of PGP when it was first launched. There was only one version of PGP against multiple PEM implementations. Phil Z. made clear he didn't give a wetslap about the patents.

And I have been asking ICANN for months how I get a key for my DNS zones into the system and have never got a reply. Signing the .com zone is irrelevant until we have a process for putting the key in. Several people are aware that I am asking this question and will be speaking on DNSSEC at RSA next week. The fact that the answer has been invariably 'I will get back to you on that' and not 'here is the document you need to read' is itself rather significant.

Note, however, that I said that DNScurve could win, not that it would.

The IETF response to Phil Z. was to tell him to get lost and not bother them. As a result PEM did not address the issues that Phil Z. raised, and Phil went off and wrote his own code. The PEM group could have taken Phil seriously instead, taken note of the objections and actually answered them. As a result we ended up with two systems, neither of which could have been as good as if the PEM folk had been willing to be more open.

There is another approach to DNSSEC that could get us to market in a fraction of the time that current systems would, or DNScurve for that matter. Instead of positioning DNSSEC as an alternative to SSL certificates, co-opt the legacy base and more importantly the legacy infrastructure of domain validated certificate providers. There is a base of a million already issued certs out there.

DNSSEC is way outside the comfort zone of most registrars; it is something that the SSL providers can easily support.

All that has been written or deployed so far is publication infrastructure. Nobody can deploy or test standards based validation infrastructure until the root is signed and a lot more happens besides.

If DNSSEC is successful it will inevitably erode and eventually eliminate domain validated SSL certs. Which would provide a pretty big business incentive for the incumbents to oppose. If instead we make a minor adjustment of approach we could create a very major incentive for most of the SSL certificate issuers to back DNSSEC.

On Wed, Feb 24, 2010 at 1:04 PM, Tony Finch <dot@dotat.at> wrote:
> On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
>
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>
> It has a LOT of catching up to do. DNScurve has no publicly available
> implementations. DNSSEC will be deployed in the most important zones by
> the end of this year.
>
>> * It considers real world requirements that DNSSEC does not.
>
> DNScurve ignores algorithm agility and patent problems.
>
> Tony.
> --
> f.anthony.n.finch <dot@dotat.at> http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.
>

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/