Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

2010-03-01 11:20:22
On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:
> Please remember the Kaminsky dns bug did not identify a security problem with 
> the DNS but the UDP transport.

The problem Dan Kaminsky exploited is a known weakness in the DNS protocol, 
specifically that a 16-bit identifier space is too small. 

> DNScurve fixes the problem today without having to spend 15 more years 
> getting it right.

Not really.  Ignoring for the moment that there is a limited amount of deployed 
software that supports DNScurve, DNScurve addresses the DNS protocol problem by 
protecting the channel of communication. It doesn't actually protect DNS data.

> And it does not cost a fortune to implement.

How much did it cost you to implement DNScurve?  Did you make your code open 
source or otherwise available?

> And DNSSEC does not solve the UDP issue.

Actually, DNSSEC does address the DNS protocol issue by ensuring any 
modification to DNS data can be identified.  In the DNSSEC world, it no longer 
matters how you get the DNS data or what channel the data comes over or how 
secure that channel is.  The same is not true of DNScurve.

> And that is the problem DNScurve fixes NOW.

DNSSEC is already deployed in 12 top-level domains and the root is in the 
process of being signed.  Multiple interoperable implementations of DNSSEC 
exist in production software.

> Together let's exercise some common sense and support 
> draft-dempsky-dnscurve-01.

As has been pointed out on several occasions, DNSSEC and DNScurve are not 
mutually exclusive.  Of course, if you implement DNSSEC, the protections 
provided by DNScurve are superfluous (and the opposite isn't true), but that 
doesn't stop anyone from deploying both.

Regards,
-drc
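The distinction drawn above (DNSSEC signs the data, so validation does not depend on which server, cache or transport delivered it) can be shown with a small added example. This is not code from the thread or from any DNSSEC implementation: it is a deliberately simplified model in which Ed25519 from Go's standard library stands in for the zone signing key, and the `canonical` serialization, `SignedRRset` type and `Tamper` helper are assumptions for illustration, not the real RRSIG wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// SignedRRset is a simplified model of a DNSSEC RRset plus its RRSIG (constructed
// for this example; a real RRSIG also covers TTL, expiry, key tag and more).
type SignedRRset struct {
	Owner   string
	Type    string
	Records []string
	Sig     []byte
}

// canonical gives a fixed serialization: lower-cased owner, sorted rdata.
func canonical(owner, rtype string, records []string) []byte {
	rr := append([]string(nil), records...)
	sort.Strings(rr)
	return []byte(strings.ToLower(owner) + "|" + rtype + "|" + strings.Join(rr, ","))
}

// Sign is what the zone operator does once, offline, with the zone key.
func Sign(priv ed25519.PrivateKey, owner, rtype string, records []string) SignedRRset {
	return SignedRRset{owner, rtype, records, ed25519.Sign(priv, canonical(owner, rtype, records))}
}

// Validate is what a validating resolver does to whatever it received, no matter
// which server, cache or channel delivered it: only the data and the key matter.
func Validate(pub ed25519.PublicKey, s SignedRRset) bool {
	return ed25519.Verify(pub, canonical(s.Owner, s.Type, s.Records), s.Sig)
}

// Tamper models the rdata being changed somewhere between signer and validator.
func Tamper(s SignedRRset, newRdata string) SignedRRset {
	t := s
	t.Records = []string{newRdata}
	return t
}

// Demo returns whether the genuine and the altered RRset validate.
func Demo() (genuine, altered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed := Sign(priv, "www.example.com.", "A", []string{"192.0.2.10"}) // constructed data
	return Validate(pub, signed), Validate(pub, Tamper(signed, "198.51.100.99"))
}

func main() {
	g, a := Demo()
	fmt.Println("genuine data validates:", g, "| altered data validates:", a)
}
```

Whether the altered copy arrived over a spoofed UDP reply or an encrypted channel makes no difference to the result; a channel-only mechanism would not catch a change made by a host that legitimately holds that channel's key.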

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf