
Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 10:46:27


--On Friday, September 06, 2013 10:43 -0400 Joe Abley
<jabley(_at_)hopcount(_dot_)ca> wrote:

> Can someone please tell me that BIND isn't being this stupid?
>
> This thread has mainly been about privacy and confidentiality.
> There is nothing in DNSSEC that offers either of those,
> directly (although it's an enabler through approaches like
> DANE to provide a framework for secure distribution of
> certificates). If every zone was signed and if every response
> was validated, it would still be possible to tap queries and
> tell who was asking for what name, and what response was
> returned.

Please correct me if I'm wrong, but it seems to me that
DANE-like approaches are significantly better than traditional
PKI ones only to the extent to which:

        - The entities needing or generating the certificates
        are significantly more in control of the associated DNS
        infrastructure than entities using conventional CAs are
        in control of those CAs.
        
        - For domains that are managed by registrars or other
        third parties (I gather a very large fraction of them at
        the second level), whether one believes those registrars
        or other operators have significantly more integrity and
        are harder to compromise than traditional third party CA
        operators.

best,
   john
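As an added illustration of the DANE framework mentioned above (example code written for this page, not from the thread or any DNS implementation): the TLSA matching step a validator performs, using constructed byte strings in place of a real DER certificate and its SubjectPublicKeyInfo. It assumes the TLSA RRset has already been DNSSEC-validated, which is the integrity part DNSSEC supplies, and it deliberately leaves out the PKIX path checks that usages 0 to 2 additionally require.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs, not real certificates: opaque byte strings that
# stand in for a DER-encoded end-entity certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes" * 4
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-spki-bytes" * 3

# TLSA RDATA layout (RFC 6698 section 2.1): one octet each for certificate
# usage, selector and matching type, followed by the certificate association data.
def build_tlsa_rdata(usage, selector, matching_type, assoc_data):
    return struct.pack("!BBB", usage, selector, matching_type) + assoc_data

def parse_tlsa_rdata(rdata):
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    return usage, selector, matching_type, rdata[3:]

def tlsa_association_data(cert_der, spki_der, selector, matching_type):
    """Derive the association data from the presented certificate as a validator would."""
    if selector == 0:
        subject = cert_der          # Cert(0): the full certificate
    elif selector == 1:
        subject = spki_der          # SPKI(1): only the SubjectPublicKeyInfo
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    if matching_type == 0:
        return subject              # Full(0): exact content
    if matching_type == 1:
        return hashlib.sha256(subject).digest()   # SHA2-256(1)
    if matching_type == 2:
        return hashlib.sha512(subject).digest()   # SHA2-512(2)
    raise ValueError(f"unknown TLSA matching type {matching_type}")

def tlsa_matches(rdata, cert_der, spki_der):
    """True when the presented certificate satisfies the association data in one TLSA record.

    Only the data-matching step is implemented here. For usages 0 (PKIX-TA) and
    1 (PKIX-EE) the certificate must also pass normal PKIX validation, and for
    usages 0 and 2 (DANE-TA) the record names a trust anchor that must appear
    in the chain rather than the end-entity certificate itself.
    """
    usage, selector, matching_type, assoc = parse_tlsa_rdata(rdata)
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown TLSA certificate usage {usage}")
    expected = tlsa_association_data(cert_der, spki_der, selector, matching_type)
    return hmac.compare_digest(expected, assoc)   # constant-time comparison
```

A record built with a matching type of 0 carries the full certificate or SPKI in DNS, which is why hashed matching types are the common choice in practice.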

