[116492] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 5 17:59:47 2009

Date: Wed, 5 Aug 2009 17:58:55 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "John R. Levine" <johnl@iecc.com>
In-Reply-To: <alpine.BSF.2.00.0908051505440.54480@simone.lan>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, 5 Aug 2009 15:07:30 -0400 (EDT)
"John R. Levine" <johnl@iecc.com> wrote:

> >> 5 is 'edns ping', but it was effectively blocked because people
> >> thought DNSSEC would be easier to do, or demanded that EDNS PING
> >> (http://edns-ping.org) would offer everything that DNSSEC offered.
> >
> > 	I'm surprised you failed to mention
> > http://dnscurve.org/crypto.html, which is always brought up, but
> > never seems to solve the problems mentioned.
> 
> dnscurve looks like a swell idea, but I wouldn't put it in the
> category of a hack as straightforward as the ones I listed.  Also, at
> this point there appears to be neither code nor an implementable spec
> available since Dan is still fiddling with it.
> 
As I understand it, dnscurve protects transmissions, not objects.
That's not the way DNS operates today, what with N levels of cache.  It
may or may not be better, but it's a much bigger delta to today's
systems and practices than DNSSEC is.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
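As an added illustration of the transmission-versus-object distinction raised above (not part of this thread, and a constructed model rather than the actual DNSCurve or DNSSEC wire formats): one record travels authoritative server, recursive cache, stub in both designs, and the stub then tries to check what the cache handed it. An HMAC stands in for a signature so it runs on the standard library alone; every key, name and address is made up.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-signing-key"        # held by the zone owner only
LINK_KEY = b"constructed-auth-to-recursive-key"   # shared per hop, like a session key

def _mac(key: bytes, rr: dict) -> bytes:
    # HMAC stands in for a real signature; only the record fields are covered.
    data = f"{rr['name']}|{rr['type']}|{rr['rdata']}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()

# Object protection: the proof is attached to the record and travels with it.
def sign_rrset(rr: dict) -> dict:
    return {**rr, "sig": _mac(ZONE_KEY, rr)}

# Transmission protection: the proof covers one hop and is discarded on receipt.
def send_on_link(rr: dict) -> dict:
    return {"payload": rr, "link_mac": _mac(LINK_KEY, rr)}

def receive_on_link(msg: dict) -> dict:
    if not hmac.compare_digest(msg["link_mac"], _mac(LINK_KEY, msg["payload"])):
        raise ValueError("link MAC mismatch: hop tampered")
    return dict(msg["payload"])    # bare data is what goes into the cache

def stub_verdict(rec: dict) -> str:
    """What a validating stub can conclude about a record it got from a cache."""
    if "sig" not in rec:
        return "unverifiable"      # nothing to check: protection ended at the previous hop
    return "valid" if hmac.compare_digest(rec["sig"], _mac(ZONE_KEY, rec)) else "forged"

def lookup_through_cache(tamper: bool) -> dict:
    """Authoritative -> recursive cache -> stub, once per design (constructed data)."""
    rr = {"name": "www.example.", "type": "A", "rdata": "192.0.2.10"}
    cache = {}
    # Design 1: the signed object is cached as-is, signature included.
    cache["object"] = sign_rrset(rr)
    # Design 2: the hop is authenticated on arrival, then only the payload is cached.
    cache["transmission"] = receive_on_link(send_on_link(rr))
    if tamper:   # a cache (or anyone able to write to it) alters the cached answer
        for rec in cache.values():
            rec["rdata"] = "203.0.113.66"
    return {design: stub_verdict(rec) for design, rec in cache.items()}
```

The signed object survives the cache with its proof intact, so the stub catches the altered answer; with per-hop protection the cached record carries no proof at all, whether or not it was altered.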

