>As an opponent of DNSSEC opt-in back in the day, I think this is a
>poor example of NSA influence in the standards process.
>
>I do not challenge PHB's "theory that the NSA has plants in the
>IETF to discourage moves to strong crypto", particularly given John
>Gilmore's recent message on IPSEC, but I doubt that the NSA had any
>real influence on the DNSSEC opt-in debacle of 2003.
>
>First, DNSSEC does not provide confidentiality. Given that, it's not
>clear to me why the NSA would try to stop or slow its deployment.
Insecure DNS deployments are probably in the top five attack vectors for remotely compromising internal network topologies, even those sporting split DNS configurations. As you were "...deeply involved in the IETF's DNSEXT working group", I presume you know this. For example, DNS cache poisoning attacks, local ARP cache spoofing attacks to redirect DNS queries and responses, redirection of operating system update and patching services that map to fully qualified domain names such as "windowsupdate.microsoft.com", etc.

Correct me if I am wrong, but in my humble opinion the original intent of the DNSSEC framework was to provide for cryptographic authenticity of the Domain Name Service, not for confidentiality (although that would have been a bonus).

>Lastly, the US DoD was funding some amount of work on DNSSEC at
>the time (i.e., my own participation). During that timeframe,
>significant progress was being made on the deployability of DNSSEC,
>and I think the DoD funding helped. Depending on your whims, you
>could either credit DoD for helping or blame them for not providing
>even more funding, which might have made for faster progress.

There are many different camps within the DoD.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography