ietf

Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end

2009-06-05 11:52:46
On Fri, Jun 5, 2009 at 8:32 AM, Masataka Ohta <
mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:

So, let's throw away DNSSEC and the broken-from-the-beginning
idea of bailiwick. Let's move on to lock the doors and windows.


Words of wisdom.  I however propose we do not throw it away.  I propose it
be allowed to wither on the vine until DNSSEC life signs show it as being
dead.  Then the IETF can do its job and give it the proper burial it
deserves.

I propose all developers simply secure the DNS.  A transparent solution that
is available NOW - is DNSCurve.  Will ensure the end to end transport of DNS
UDP packets is secure.  And that basically fixes once and for all the
insecurity we have in the UDP transport.

DNSCurve encrypts all DNS packets.  DNSSEC does not.

DNSCurve cryptographically authenticates all DNS responses, eliminating
forged DNS packets.  DNSSEC does not.

DNSCurve very quickly recognizes and discards forged packets, so attackers
have much more trouble preventing DNS data from getting through. DNSSEC does
not.

So I ask you - who wins the cookie in this race?

regards
joe baptista

-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf