On Sat, 7 Sep 2013, Gregory Perry wrote:

> Insecure DNS deployments are probably in the top five attack vectors
> for remotely compromising internal network topologies, even those
> sporting split DNS configurations.  As you were "...deeply involved in the
> IETF's DNSEXT working group" then I presume you know this.

> Correct me if I am wrong, but in my humble opinion the original intent
> of the DNSSEC framework was to provide for cryptographic authenticity
> of the Domain Name Service, not for confidentiality (although that
> would have been a bonus).

Yes that was the original intent, but I remember the reason for opt-in
was that it was impossible to realistically fit the .com zone in the RAM
of modern servers at the time. Also signing would have taken much longer
to generate all the NSEC(3) records.

In general, the TLDs preferred a phased-in deployment where they could
exchange hardware over time. That is what opt-in offered, at the expense
of making spoofing just a tiny bit harder instead of much harder for
non-DNSSEC domains. Seems like a normal economically based decision to me.

These days, I don't think anyone should still run with opt-in anymore.

> There are many different camps within the DoD.

About as many as we have cryptography and cypherpunks mailing lists :P

Paul
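The opt-in (opt-out in RFC 5155 terms) trade-off Paul describes lives in a single flag bit of each NSEC3 record: when it is set, the span between two hashed owner names may contain unsigned delegations, so the record no longer proves that a name hashing into that span does not exist. The following parser is an added example written for this page, not code from either poster; it decodes NSEC3 RDATA in RFC 5155 wire format from two constructed sample records (one with opt-out set, one without) and reports which one still gives a full denial-of-existence guarantee.

```python
"""Decode NSEC3 RDATA (RFC 5155 wire format) and report the Opt-Out flag.

Added illustration for the thread above; the two sample records below are
constructed by hand, not captured from any real zone.
"""
import base64
import struct

# RFC 5155 section 3.1.2: bit 0 of the Flags octet (value 0x01) is Opt-Out.
NSEC3_OPT_OUT = 0x01

# A few RR type numbers (RFC 4034 / IANA registry) for readable output.
TYPE_NAMES = {1: "A", 2: "NS", 43: "DS", 46: "RRSIG", 47: "NSEC", 50: "NSEC3"}

# RFC 4648 "Extended Hex" alphabet used for hashed owner names in NSEC3.
_STD32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX32 = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX32 = str.maketrans(_STD32, _HEX32)


def base32hex(data: bytes) -> str:
    """Encode bytes as unpadded base32hex, the way NSEC3 owner names appear."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_TO_HEX32)


def parse_type_bitmap(buf: bytes) -> list:
    """Decode an RFC 4034 section 4.1.2 type bitmap into a list of type numbers."""
    types = []
    pos = 0
    while pos < len(buf):
        window, length = buf[pos], buf[pos + 1]
        pos += 2
        bitmap = buf[pos:pos + length]
        pos += length
        for i, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):  # bit 0 is the most significant bit
                    types.append(window * 256 + i * 8 + bit)
    return types


def parse_nsec3(rdata: bytes) -> dict:
    """Split NSEC3 RDATA into its fields and flag whether Opt-Out is set."""
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    types = parse_type_bitmap(rdata[pos:])
    return {
        "hash_alg": hash_alg,
        "opt_out": bool(flags & NSEC3_OPT_OUT),
        "iterations": iterations,
        "salt": salt.hex() or "-",
        "next_hashed": base32hex(next_hashed),
        "types": [TYPE_NAMES.get(t, f"TYPE{t}") for t in types],
    }


def denial_strength(parsed: dict) -> str:
    """State what a validator may conclude from the span this record covers."""
    if parsed["opt_out"]:
        return ("opt-out: names hashing into this span may be unsigned "
                "delegations; the record proves only an insecure delegation, "
                "not non-existence")
    return "no opt-out: any name hashing into this span is proven not to exist"


# Constructed sample: SHA-1 (alg 1), Opt-Out set, 0 iterations, empty salt,
# a 20-byte placeholder next-hash, and a type bitmap listing A, NS and RRSIG
# (window 0, 6 octets: 0x60 covers types 1 and 2, 0x02 in octet 5 is type 46).
_HEADER_OPT_OUT = bytes([1, NSEC3_OPT_OUT]) + struct.pack("!H", 0) + bytes([0])
_HEADER_PLAIN = bytes([1, 0]) + struct.pack("!H", 0) + bytes([0])
_BODY = bytes([20]) + bytes(range(20)) + bytes([0, 6, 0x60, 0, 0, 0, 0, 0x02])
SAMPLE_OPT_OUT = _HEADER_OPT_OUT + _BODY
SAMPLE_PLAIN = _HEADER_PLAIN + _BODY


if __name__ == "__main__":
    for label, rdata in (("opt-out", SAMPLE_OPT_OUT), ("plain", SAMPLE_PLAIN)):
        parsed = parse_nsec3(rdata)
        print(label, parsed)
        print("  ->", denial_strength(parsed))
```

Run against records pulled from your own zone (for example by feeding the RDATA bytes from a zone file parser or a packet capture), the `opt_out` field is the quick check for whether a signed zone still relies on the weaker guarantee Paul argues nobody should be running today.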
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
