NNSquad - Network Neutrality Squad
[ NNSquad ] Re: FW: [ga] the future .. DNS National Security and the ICANN clowns
Jason,

On Tue, Apr 13, 2010 at 4:02 AM, Jason 'XenoPhage' Frisvold <xenophage0@gmail.com> wrote:
> On Apr 12, 2010, at 6:29 PM, Lauren Weinstein wrote:
>> Comments either way, anyone?
>
> I'm actually interested in a fair and balanced view of the two protocols. I've heard arguments from both sides.
>
> According to the DNSSEC crowd, DNSSEC secures everything, ensuring that updates to DNS cannot occur without proper crypto credentials. Of course, there's significant processor overhead required due to the need to verify signatures for each DNS query. Plus, they're using certificate-based security, which means I need to buy a cert for each of my domains. This could be cost-prohibitive for the little guys.

I've never heard the "DNSSEC crowd" claim that DNSSEC secures everything; in fact, back when I was teaching DNSSEC at a RIR, we bent over backwards to explain exactly what DNSSEC did and didn't secure. Admittedly, this was ~6 years ago, but back then DNSSEC didn't include "certificate-based security". AFAIK, it doesn't now.

> According to the DNSCurve crowd, they're using elliptical cryptography which allows low-CPU, very fast security checks. They're also using standard public-key cryptography, so there's no need to purchase certs. They also claim that everything is protected, more so than DNSSEC, which they claim still has significant holes.
>
> Unfortunately, I have yet to see a balanced view of the two with proper arguments from both sides. From what I've observed, having implemented both djbdns and bind, I would lean more towards the djb side, which seems to be lighter, sleeker, and more secure.

One could, in theory, do both!

> I have also observed that DNSSEC has been mired in politics, design by committee (which even Paul Vixie himself will admit to)

of course, as the IETF designed it.

> , and numerous issues throughout its existence. These, in my opinion, weigh heavily against its use. But, it appears that Vixie and Co. seem to have the ear of some very powerful people and have been able to convince the giants to move towards DNSSEC.
>
> I'm honestly at a loss as to which direction to move. As I run djb currently, DNSSEC is not possible without a complete infrastructure change. On the other hand, DNSCurve implementations are in their infancy. What's an engineer to do!

As an engineer, ask yourself what the problem is that you need to solve. Are you facing lots of MiM attacks? Kaminsky exploits?

If you lean towards djbdns, then try DNSCurve.

--
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel