On 12/7/2014 2:02 PM, Bill Horne wrote:
Of course, theory and practice often differ in security, and we've all
met mister "JustDoItOrYou'reFired" who likes to tell us to break the
rules, but that isn't a technical problem. A well designed security
suite will give Joe the option of sending his reports by encrypting them
first with a few key clicks.

Therein lies what I consider to be the most egregious flaw in DNSSEC from an end user's perspective: no choice. Joe has no choice but to use it and accept that he can't work at all when it comes under attack assuming DNSSEC is being enforced which is contrary to DNSSEC mandatory requirements but that's a tangent. I'm not saying that DNSSEC is flawed (well, I think it is, but that's another tangent). I'm saying that DNSSEC is not an end user's tool and that you're going to experience serious problems if you try to use it as one.

In my opinion, a well-designed -- that is, well-designed for end users -- secure DNS system should provide reliable, authenticated answers despite attacks made against the system. DNSSEC does not do this. It doesn't try because, like I wrote way back at the start of all this, it's a last hop issue that lies outside of the scope of DNSSEC.

A few days ago Ed posited that we'll get there someday. Truth is, we've been there for some time. With DNSCurve and DNSCrypt we have exactly the kinds of encrypted DNS service that he called for. Why haven't they been widely adopted? I figure it's a "Paul Vixie, yes! DJB, no!" issue.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to