On Wednesday, November 20, 2002, at 11:27 AM, Brian J. Murrell wrote:
To be honest, I haven't paid much attention to dnssec. I've not come across a situation where I required it, and my understanding is that the protocol is not finished yet. To that end, I'd be more likely to look at it when a) it's done and b) I need it.

From where I sit, the only thing djbdns doesn't do is DNSSEC and DDNS, neither of which are useful to me. DNSSEC can be avoided by using tcprules to protect access to zone transfers.

Vincent, I am sure you are aware of this, but for the benefit of those following along, DNSSEC is about _a_lot_ more than just securing who can zone transfer from you. It is the infrastructure needed to make DNS a PKI. It also adds integrity to a system that lacks any right now.

Adding integrity to DNS is a good idea. I'll obviously have to read the proposal because I don't see, right now, how this would actually work. I mean, I understand how other PKI works, but I don't see how dnssec would work.
Something to add to my TODO list.
Agreed on the forging. Will have to read the relevant RFC to understand how the authenticity will work.

UDP packets are trivial to forge (much more so trivial than TCP packets), so it is relatively easy to cause all kinds of security problems by means of forging DNS replies. People rely on the accuracy of DNS replies all the time (much more than they should). DNSSEC adds authenticity to DNS replies so that answers can be relied on to the extent that people (blindly) rely on them today.

No... I don't have time to read all the proposals out there. But I can see that I don't like it already. I understand that something like dnssec would be required for this to be valid, but what I don't see is why use DNS in the first place.

On the PKI front, have you seen FreeSWAN's Opportunistic Encryption proposal? It uses the DNS to distribute and authenticate encryption and authorization keys. This can only be done with any reliability with DNSSEC.

DNS is being extended too much away from what it was originally designed to do. Personally, I think DNS should stay with DNS... heck, if we're going to do this, we might as well distribute gpg keys via DNS as well.
Too much being bootstrapped to what was originally a relatively simple protocol. Sounds like an MS-complex to me. =)
Not to say that once it's done it couldn't work well. But, to my (in this area) uneducated mind, it seems... clumsy. That's the only word I can think of that fits.
But, again, for me to make any kind of educated agreement or disagreement, I'd have to read the various RFCs and proposals.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
