On Wednesday, 20 November 2002 19.27, Brian J. Murrell wrote:
> On Wed, Nov 20, 2002 at 10:14:50AM -0700, Vincent Danen wrote:
> > From where I sit, the only thing djbdns doesn't do is DNSSEC and DDNS,
> > neither of which are useful to me.
> >
> > DNSSEC can be avoided by using tcprules to protect access to zone
> > transfers.
>
> Vincent, I am sure you are aware of this, but for the benefit of those
> following along, DNSSEC is about _a_lot_ more than just securing who
> can zone transfer from you. It is the infrastructure needed to make DNS
> a PKI. It also adds integrity to a system that lacks any right now.
>
> UDP packets are trivial to forge (much more so than TCP packets), so it
> is relatively easy to cause all kinds of security problems by means of
> forging DNS replies. People rely on the accuracy of DNS replies all the
> time (much more than they should). DNSSEC adds authenticity to DNS
> replies so that answers can be relied on to the extent that people
> (blindly) rely on them today.
>
> On the PKI front, have you seen FreeSWAN's Opportunistic Encryption
> proposal? It uses the DNS to distribute and authenticate encryption
> and authorization keys. This can only be done with any reliability
> with DNSSEC.

I submitted a funny application yesterday into contribs, check "DNSSEC-Walker" ;)

-- 
Regards // Oden Eriksson, Deserve-IT Networks
Check the "Modules For Apache2" status page at: http://www.deserve-it.com/modules_for_apache2.html
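To make Brian's point concrete, here is an added example (not code from the thread, djbdns or FreeSWAN) showing everything a plain, non-DNSSEC resolver can check on a UDP reply: source address and port, the 16-bit transaction ID, the QR flag and an echoed question section. It then checks whether the answer section carries an RRSIG record, the thing a DNSSEC validator would actually verify. The wire layout follows RFC 1035; the resolver address, names and IPs are constructed sample data, and the functions are my own names.

```python
"""
Added example, not code from the mailing-list thread. Models the checks a
plain (non-DNSSEC) stub resolver can apply to a UDP reply and shows that,
without RRSIG records, a reply passing them says nothing about who sent it.
All addresses, names and messages below are constructed.
"""
import struct

A_TYPE = 1       # A record
RRSIG_TYPE = 46  # DNSSEC signature record (RFC 4034)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=A_TYPE):
    """Minimal query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_message(msg):
    """Parse the header, the single question, and the RR types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("example handles exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    answer_types = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "answer_types": answer_types}


def reply_matches_query(query, server, reply, reply_src):
    """
    The whole of what a non-DNSSEC resolver can verify: the datagram came from
    the address:port we asked, the 16-bit ID echoes ours, QR is set, and the
    question is repeated unchanged. Only the ID and source port are unknown to
    a third party, which is why the thread calls UDP replies easy to forge.
    """
    if reply_src != server:
        return False
    q, r = parse_message(query), parse_message(reply)
    if r["id"] != q["id"] or not (r["flags"] & 0x8000):
        return False
    return (r["qname"], r["qtype"], r["qclass"]) == (q["qname"], q["qtype"], q["qclass"])


def carries_rrsig(reply):
    """True if the answer section includes an RRSIG, the record DNSSEC validation needs."""
    return RRSIG_TYPE in parse_message(reply)["answer_types"]


def sample_reply(txid, qname, ip):
    """Constructed reply: QR|RD|RA set, question echoed, one unsigned A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, 1, 300, len(rdata)) + rdata
    return header + question + answer


def demo():
    server = ("192.0.2.53", 53)          # constructed resolver address
    query = build_query(0x1234, "www.example.com.")
    good = sample_reply(0x1234, "www.example.com.", "192.0.2.10")
    wrong_id = sample_reply(0x1235, "www.example.com.", "192.0.2.10")
    return {
        "accepted": reply_matches_query(query, server, good, server),
        "rejected_wrong_id": reply_matches_query(query, server, wrong_id, server),
        "rejected_wrong_source": reply_matches_query(query, server, good, ("198.51.100.9", 53)),
        "signed": carries_rrsig(good),   # False: nothing cryptographic backs this answer
    }


if __name__ == "__main__":
    print(demo())
```

The accepted reply passes every check the resolver has, yet `carries_rrsig` reports that no signature is present: the match proves only that the sender knew a 16-bit ID and a port number. That gap is what DNSSEC's signed RRsets close, and what tcprules on the zone-transfer port does not touch.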
