On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:
> Please remember the Kaminsky dns bug did not identify a security problem with
> the DNS but the UDP transport.
The problem Dan Kaminsky exploited is a known weakness in the DNS protocol,
specifically that a 16-bit identifier space is too small.
> DNScurve fixes the problem today without having to spend 15 more years
> getting it right.
Not really. Ignoring for the moment that there is a limited amount of deployed
software that supports DNScurve, DNScurve addresses the DNS protocol problem by
protecting the channel of communication. It doesn't actually protect DNS data.
> And it does not cost a fortune to implement.
How much did it cost you to implement DNScurve? Did you make your code open
source or otherwise available?
> And DNSSEC does not solve the UDP issue.
Actually, DNSSEC does address the DNS protocol issue by ensuring any
modification to DNS data can be identified. In the DNSSEC world, it no longer
matters how you get the DNS data or what channel the data comes over or how
secure that channel is. The same is not true of DNScurve.
> And that is the problem DNScurve fixes NOW.
DNSSEC is already deployed in 12 top-level domains and the root is in the
process of being signed. Multiple interoperable implementations of DNSSEC
exist in production software.
> Together let's exercise some common sense and support
> draft-dempsky-dnscurve-01.
As has been pointed out on several occasions, DNSSEC and DNScurve are not
mutually exclusive. Of course, if you implement DNSSEC, the protections
provided by DNScurve are superfluous (and the opposite isn't true), but that
doesn't stop anyone from deploying both.
Regards,
-drc
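An added illustration of the channel-versus-data distinction argued above (example code written for this page, not from the thread, DNSCurve or any DNSSEC implementation). It models two resolver policies: one that trusts any record arriving over an authenticated channel, and one that only trusts records whose signature verifies under the zone's key. The "RRSIG" is an HMAC stand-in chosen to avoid dependencies; that, the zone key and the addresses are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a zone signing key. Real DNSSEC uses asymmetric
# keys, so a verifier never holds the signing key; HMAC is used here only so
# the example runs with the standard library alone.
ZONE_KEY = b"constructed-example-zone-key"

def canonical(rrset: dict) -> bytes:
    """Deterministic wire-independent encoding of an RRset (toy canonical form)."""
    return "|".join(f"{k}={rrset[k]}" for k in sorted(rrset)).encode()

def sign_rrset(rrset: dict, key: bytes = ZONE_KEY) -> bytes:
    return hmac.new(key, canonical(rrset), hashlib.sha256).digest()

def verify_rrset(rrset: dict, rrsig: bytes, key: bytes = ZONE_KEY) -> bool:
    return hmac.compare_digest(sign_rrset(rrset, key), rrsig)

@dataclass
class Response:
    rrset: dict
    rrsig: Optional[bytes]        # signature travelling with the data, if any
    channel_authenticated: bool   # peer proven via a DNSCurve-style key exchange

def channel_trusting_resolver(r: Response) -> bool:
    """Accepts whatever an authenticated peer says (channel protection only)."""
    return r.channel_authenticated

def data_validating_resolver(r: Response) -> bool:
    """Accepts only data whose signature verifies, whatever channel carried it."""
    return r.rrsig is not None and verify_rrset(r.rrset, r.rrsig)

def scenarios() -> dict:
    """Returns {scenario: (channel_policy_accepts, data_policy_accepts)}."""
    good = {"owner": "www.example.com.", "type": "A", "rdata": "192.0.2.1"}
    good_sig = sign_rrset(good)
    # A forwarder whose own cache was poisoned upstream (over plain UDP) now
    # relays the bad record to us over a channel it authenticates correctly.
    poisoned = dict(good, rdata="203.0.113.66")
    cases = {
        "poisoned_over_authenticated_channel": Response(poisoned, None, True),
        "poisoned_with_stale_real_rrsig": Response(poisoned, good_sig, True),
        "signed_data_over_plain_udp": Response(good, good_sig, False),
    }
    return {name: (channel_trusting_resolver(r), data_validating_resolver(r))
            for name, r in cases.items()}
```

The first two scenarios are accepted by the channel-trusting policy and rejected by the data-validating one; the third is the reverse, which is the sense in which the channel stops mattering once the data itself is signed.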
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf