nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: dnscurve and DNS hardening, was Re: Dan Kaminsky

From: Skywing <Skywing () valhallalegends com>
Date: Wed, 5 Aug 2009 21:43:38 -0500
Of course, as long as an adversary in your packet path can force a seamless downgrade (e.g. to plain DNS or plain 
non-TLS SMTP), the hard security benefit is nowhere near as great as it's sometimes purported to be.  And this is a 
problem that we'll be stuck living with for a very long time as far as I can tell.

- S


-----Original Message-----
From: Naveen Nathan [mailto:naveen () calpop com] 
Sent: Wednesday, August 05, 2009 7:05 PM
To: John R. Levine
Cc: nanog () nanog org
Subject: Re: dnscurve and DNS hardening, was Re: Dan Kaminsky

On Wed, Aug 05, 2009 at 09:17:01PM -0400, John R. Levine wrote:

...

It seems to me that the situation is no worse than DNSSEC, since in both 
cases the software at each hop needs to be aware of the security stuff, or 
you fall back to plain unsigned DNS.


I might misunderstand how dnscurve works, but it appears that dnscurve
is far easier to deploy and get running. The issue is merely coverage.
How much of DNS do you want to protect. This is analagous to SMTP
security, the more MTAs that support TLS the proportional increase
of security in the system as a whole. Dnscurve appears to be another
form of opportunistic encryption, the more servers that employ dnscurve
means an accretion in security of DNS as a whole.
Previous By Date Next
Previous By Thread Next

Current thread: