Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 10:50:23
On Thu, 25 Feb 2010, Phillip Hallam-Baker wrote:

> > What does DNSCurve additionally provide
> > compared to a combination of traditional DNS with IPsec?
>
> They appear to have an interest in actually listening to real world
> requirements.
>
> Of course a combination of DNS and IPSec would be a better solution.

It would have the same flaw. You cannot expect to ask various DNS
servers in a row perfectly encrypted DNS data, then start an encrypted
browser session to 74.125.77.19, and expect people not to know you
just went to gmail.com. DNSCurve might have obfuscated some of your
queries, but any eavesdropper still knows exactly what DNS you looked
up and where you went to.

Once you realise encryption of DNS is not really possible, what is it
that DNSCurve offers that DNSSEC does not? Nothing. And previous postings
have illustrated the long list of shortcomings in DNSCurve over DNSSEC.

> It is not that difficult for Vint Cerf and Steve Crocker to get
> Microsoft to put checkbox support for DNSSEC protocol into their
> product. Getting a feature added to a Linux distribution is even
> easier. But there is a huge difference between doing that and getting
> a commitment to support it.

How many TLDs does it take for people to finally say DNSSEC is adopted?
See www.xelerance.com/dnssec/ for a Google map.

> At the moment this is being left to DNS registrars, most of which have
> no idea what a CPS or a CP is and have no interest in finding out.

Many IETF people are active in the DNSSEC Coalition, a group of DNS experts
that is helping them solve that problem properly. The Registrars are not
"left to die". Far from it.

Paul