>As an opponent of DNSSEC opt-in back in the day, I think this is a
>poor example of NSA influence in the standards process.
>I do not challenge PHB's "theory that the NSA has plants in the
>IETF to discourage moves to strong crypto", particularly given John
>Gilmore's recent message on IPSEC, but I doubt that the NSA had any
>real influence on the DNSSEC opt-in debacle of 2003.
>First, DNSSEC does not provide confidentiality.  Given that, it's not
>clear to me why the NSA would try to stop or slow its deployment.

Insecure DNS deployments are probably in the top five attack vectors
for remotely compromising internal network topologies, even those
sporting split DNS configurations.  As you were "...deeply involved in the
IETF's DNSEXT working group" then I presume you know this.

For example, DNS cache poisoning attacks, local ARP cache spoofing
attacks to redirect DNS queries and responses, redirection of operating
system update and patching services that map to fully qualified domain
names such as "windowsupdate.microsoft.com", etc.

Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).

>Lastly, the US DoD was funding some amount of work on DNSSEC at
>the time (i.e., my own participation).  During that timeframe,
>significant progress was being made on the deployability of DNSSEC,
>and I think the DoD funding helped.  Depending on your whims, you
>could either credit DoD for helping or blame them for not providing
>even more funding, which might have made for faster progress.

There are many different camps within the DoD.

The cryptography mailing list

Reply via email to