Hi Warren,

Granted, DNSSEC does not by itself provide encryption, but that is like saying
X.509 does not do encryption, all it does is sign keys.  Generally there are
two ways DNSSEC could be useful. One way, as you point out, is to authenticate
encryption keys. The other way is to detect attempts to subvert DNS name
resolution which may induce me to disclose information to someone. We cannot
assume all pervasive monitoring is totally passive.

Trevor

-----Original Message-----
From: Warren Kumari [mailto:[email protected]] 
Sent: Monday, April 28, 2014 1:20 PM
To: Trevor Freeman
Cc: [email protected]
Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?

On Mon, Apr 28, 2014 at 2:38 PM, Trevor Freeman 
<[email protected]> wrote:
> We have a range of technologies in the toolkit to address issues 
> identified by perpass.
>
>
>
> One of the candidate technologies is DNSSEC. At a technology level it 
> has much to commend it.
>
>

For which aspects of perpass?  DNSSEC provides no encryption, so the fact that 
I'm browsing to something on www.nakedfurries.com is visible to all...

Don't get me wrong -- I'm a big DNSSEC (and DANE :-)) proponent, but folk often 
seem to miss the fact that DNSSEC doesn't do what the name implies...

W




>
> The vast majority of critical TLDs are signed, so another good point 
> in its favor.
>
>
>
> However when you look at the next tier down, the statistics point to a 
> problem.
>
>
>
> According to the Verisign labs scoreboard, 340K+ domains in the .com 
> namespace are secured by DNSSEC
>
> http://scoreboard.verisignlabs.com/
>
>
>
> If you express that number as % that is about 0.4% and the growth 
> trend is about 0.1% per year
>
> http://scoreboard.verisignlabs.com/percent-trace.png
>
>
>
> The trend seems about 2 orders of magnitude below where we need to be 
> for DNSSEC to be viable in a realistic timescale.
>
>
>
> Am I misinterpreting the data? If not, then do we have consensus on 
> what is blocking deployment?
>
>
>
> Trevor
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
>
