On Wed, Nov 20, 2002 at 02:45:27PM -0700, Vincent Danen wrote:

> To be honest, I haven't paid much attention to dnssec. I've not come
> across a situation where I required it, and my understanding is that
> the protocol is not finished yet. To that end, I'd be more likely to
> look at it when a) it's done and b) I need it.

Well, being a security "paranoid" (as am I) you do need it... now. DNS is an insecure system based completely on "trusting souls".

> Adding integrity to DNS is a good idea. I'll obviously have to read
> the proposal because I don't see, right now, how this would actually
> work. Signed DNS requests and (more importantly) replies?

I am sure you could imagine, but to give just a rough picture (from what I have read of it), every DNS server (interested in ensuring the integrity of its communications) has a certificate which is signed by an authority, usually your upstream DNS provider. From then on it's pretty basic certificate chain type processing.

> I mean, I understand how other PKI works, but I don't see how
> dnssec would work.

DNS as a PKI is simply the distribution of encryption keys via the DNS. Signed, of course. Who wants a key that nobody has ensured any trust in?

> No... I don't have time to read all the proposals out there. But I
> can see that I don't like it already. I understand that something like
> dnssec would be required for this to be valid, but what I don't see is
> why use DNS in the first place.

Because the DNS is basically a directory service, and it's out there and it's mature.

> DNS is being extended too much away from what it was originally
> designed to do.

I don't think so. But of course that is just my opinion. DNS is just a directory service that was designed around serving up names and addresses. Having it serve up other information is not that much of a stretch.

> Personally, I think DNS should stay with DNS... heck,
> if we're going to do this, we might as well distribute gpg keys via DNS
> as well.

You betcha! http://josefsson.org/gpgkeys_jkp/draft-josefsson-cert-openpgp.txt

> Not to say that once it's done it couldn't work well. But, to my (in
> this area) uneducated mind, it seems... clumsy. That's the only word I
> can think of that fits.

Why develop (and deploy!!) a new protocol and service to do essentially the same thing as DNS for only slightly different kinds of data?

b.

-- 
Brian J. Murrell
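The "chain type processing" sketched in the message above, as an added example that is not code from the original thread or from any DNSSEC implementation. It models what the DNSSEC design actually uses in place of certificates: each parent zone publishes and signs a DS record (a hash of the child zone's key), and a validating resolver walks from a configured root trust anchor down to the leaf, finally checking the signature on a CERT-style record carrying an OpenPGP key blob, which is the use case the josefsson draft linked above is about. Go's standard-library Ed25519 stands in for the real DNSSEC algorithms and wire formats; the zone names, keys and the key blob are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a simplified resource record (no class, TTL or binary RDATA).
type Record struct{ Name, Type, Data string }

// canonical is the byte string that gets signed; NUL separators keep
// (name "a", type "bX") from colliding with (name "ab", type "X").
func (r Record) canonical() []byte {
	return []byte(r.Name + "\x00" + r.Type + "\x00" + r.Data)
}

// SignedRecord pairs a record with the signature that stands in for its RRSIG.
type SignedRecord struct {
	Rec Record
	Sig []byte
}

// Zone owns one Ed25519 key pair; Pub stands in for the zone's DNSKEY record.
type Zone struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, Pub: pub}
}

func (z *Zone) Sign(r Record) SignedRecord {
	return SignedRecord{Rec: r, Sig: ed25519.Sign(z.priv, r.canonical())}
}

// dsDigest mimics a DS record: the parent publishes a hash binding the
// child's name to the child's key, instead of issuing a certificate.
func dsDigest(childName string, childKey ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(childName+"\x00"), childKey...))
	return hex.EncodeToString(sum[:])
}

// Delegate is the signed DS record the parent zone publishes for a child.
func (z *Zone) Delegate(child *Zone) SignedRecord {
	return z.Sign(Record{Name: child.Name, Type: "DS", Data: dsDigest(child.Name, child.Pub)})
}

// Link is one hop down the chain: the parent's signed DS plus the child key
// the resolver fetched from the child zone itself.
type Link struct {
	DS  SignedRecord
	Key ed25519.PublicKey
}

// inZone reports whether name lies at or below zone ("." covers everything).
func inZone(name, zone string) bool {
	return zone == "." || name == zone || strings.HasSuffix(name, "."+zone)
}

// Validate walks from the trust anchor (the root key configured in the
// resolver) down to the leaf, requiring at every hop that the parent vouched
// for the child key, and finally that the leaf is signed by the last key.
func Validate(anchor ed25519.PublicKey, links []Link, leaf SignedRecord) error {
	curKey, curZone := anchor, "."
	for _, l := range links {
		if l.DS.Rec.Type != "DS" || !inZone(l.DS.Rec.Name, curZone) {
			return fmt.Errorf("%q is not a delegation inside %q", l.DS.Rec.Name, curZone)
		}
		if !ed25519.Verify(curKey, l.DS.Rec.canonical(), l.DS.Sig) {
			return fmt.Errorf("DS for %s not signed by %s", l.DS.Rec.Name, curZone)
		}
		if dsDigest(l.DS.Rec.Name, l.Key) != l.DS.Rec.Data {
			return fmt.Errorf("key presented for %s does not match its DS", l.DS.Rec.Name)
		}
		curKey, curZone = l.Key, l.DS.Rec.Name
	}
	if !inZone(leaf.Rec.Name, curZone) {
		return fmt.Errorf("%s is outside zone %s", leaf.Rec.Name, curZone)
	}
	if !ed25519.Verify(curKey, leaf.Rec.canonical(), leaf.Sig) {
		return fmt.Errorf("signature on %s %s does not verify", leaf.Rec.Name, leaf.Rec.Type)
	}
	return nil
}

// BuildDemo constructs a hypothetical root -> org. -> example.org. hierarchy
// and a CERT-style record whose data is a constructed placeholder key blob.
func BuildDemo() (ed25519.PublicKey, []Link, SignedRecord) {
	root, org, example := NewZone("."), NewZone("org."), NewZone("example.org.")
	links := []Link{
		{DS: root.Delegate(org), Key: org.Pub},
		{DS: org.Delegate(example), Key: example.Pub},
	}
	leaf := example.Sign(Record{Name: "brian.example.org.", Type: "CERT",
		Data: "PGP <constructed placeholder OpenPGP key blob>"})
	return root.Pub, links, leaf
}

func main() {
	anchor, links, leaf := BuildDemo()
	fmt.Println("intact chain:", Validate(anchor, links, leaf))
	leaf.Rec.Data = "PGP <attacker-substituted key>"
	fmt.Println("tampered leaf:", Validate(anchor, links, leaf))
}
```

The point of the hop-by-hop check is that a spoofed answer cannot help an attacker unless they also hold a key the parent has vouched for: substituting the key blob, signing the leaf with an unrelated key, presenting a key that does not hash to the published DS, or omitting a hop all make Validate return an error. What the model leaves out is everything real DNSSEC adds for operations (signature validity windows, key tags, NSEC proofs of non-existence, multiple DS digest algorithms), so treat it as a picture of the trust structure, not of the protocol.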
