On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
DNScurve advocates, on the other hand, point out that DNS isn't
encrypted. Well, neither is the phone book. So what?
So the protocol is vulnerable to both local and remote forgery attacks,
just like other unencrypted protocols
<http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html>.
For any that don't understand this point, there's a simple thought to
prod them in the right direction: Do you remember why SSH and SSL were
invented?
Do you understand the difference between encryption and authentication?
SSH and SSL do both because they protect the payload, which may be
sensitive, AND they want to verify that the server you're talking to is
really the one you want. DNS only needs authentication. DNSSEC
prevents forgery without encrypting the payload.
Do you remember, say, the forgery problems with TELNET and
HTTP?
The bigger problems with TELNET and HTTP were that they could be sniffed
on the wire to get confidential information like passwords. Forgery was
conveniently solved by cryptography along the way, but confidentiality
was an issue with these protocols, unlike with DNS.
The /very same problems exist/ for unencrypted UDP/IP protocols
such as DNS and NTP. And the solution is the same, too.
Yes, cryptographic signatures, not full encryption. Just like NTP with
Autokey.
michael
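The point made above, that DNSSEC signs answers rather than hiding them, as an added example that is not code from this thread, from BIND or from DNSSEC itself: a simplified record is signed with Ed25519 and then verified, the record stays fully readable on the wire, and a tampered copy fails verification. The Record struct, its canonical text form and the addresses are constructed assumptions, not DNSSEC wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Record is a simplified DNS resource record (constructed for this example,
// not real wire format). It is never encrypted: anyone on the path reads it.
type Record struct {
	Owner string
	Type  string
	TTL   uint32
	Data  string
}

// canonical renders the record in one fixed form so signer and verifier
// sign exactly the same bytes (loosely mirrors DNSSEC canonical RR form:
// lower-case owner name with a trailing dot).
func canonical(r Record) []byte {
	owner := strings.ToLower(strings.TrimSuffix(r.Owner, ".")) + "."
	return []byte(fmt.Sprintf("%s %d IN %s %s\n", owner, r.TTL, r.Type, r.Data))
}

// SignRecord produces a detached signature over the record, like an RRSIG:
// the record is authenticated, not hidden.
func SignRecord(priv ed25519.PrivateKey, r Record) []byte {
	return ed25519.Sign(priv, canonical(r))
}

// VerifyRecord is true only for the exact record the key holder signed;
// a forged answer (changed address, name or TTL) fails.
func VerifyRecord(pub ed25519.PublicKey, r Record, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Record{"www.example.com.", "A", 3600, "192.0.2.10"}
	sig := SignRecord(priv, genuine)
	fmt.Printf("readable on the wire: %s", canonical(genuine))
	fmt.Println("genuine verifies:", VerifyRecord(pub, genuine, sig))
	forged := genuine
	forged.Data = "203.0.113.99" // attacker-supplied answer, same signature
	fmt.Println("forged verifies:", VerifyRecord(pub, forged, sig))
}
```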
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users