NNSquad - Network Neutrality Squad
[ NNSquad ] Re: FW: [ga] the future .. DNS National Security and the ICANN clowns
On Apr 12, 2010, at 10:53 PM, McTim wrote:

> Jason,
>
> I've never heard the "DNSSEC crowd" claim that DNSSEC secures
> everything, in fact, back when I was teaching DNSSEC at an RIR, we bent
> over backwards to explain exactly what DNSSEC did and didn't secure.
> Admittedly, this was ~6 years ago, but back then DNSSEC didn't include
> "certificate-based security". AFAIK, it doesn't now.

I could be wrong about the certificates... However, I do know that the system is apparently based on a very strict chain of trust, very much like how the certificate system for SSL works. One parent, several children. DNSCurve, on the other hand, seems to be more like PGP/GPG in that you can gain trust on a given key, but the compromise of a single key doesn't compromise the rest.

>> Unfortunately, I have yet to see a balanced view of the two with proper
>> arguments from both sides. From what I've observed, having both implemented
>> djbdns and bind, I would lean more towards the djb side which seems to be
>> lighter, sleeker, and more secure.
>
> One could, in theory, do both!

I had heard this as well, and, currently, it appears that both may be necessary moving forward, at least until there's a clear "winner," as it were... But then again, it may also be that each has a specific purpose and we are more secure by using both instead of leaving one by the wayside.

> As an engineer, ask yourself what is the problem you need to solve.
> Are you facing lots of MiM attacks? Kaminsky exploits? If you lean
> towards djbdns, then try DNSCurve.

Personally, I'm not facing either, but I'm concerned about security nonetheless. Additionally, these are technologies that can be leveraged for marketing as well. I hate marketing, but it is a necessary evil. I can easily see someone explaining DNSSEC vs DNSCurve in some simplistic manner that weighs heavily in one direction or another. Spin it, as it were, and use it as a selling point.

Marketing always seems to have this way of throwing the facts out the window...

> --
> Cheers,
>
> McTim
> "A name indicates what we seek. An address indicates where it is. A
> route indicates how we get there." Jon Postel

---------------------------
Jason 'XenoPhage' Frisvold
xenophage0@gmail.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law