On Mon, Apr 28, 2014 at 4:46 PM, Trevor Freeman <[email protected]> wrote:
> Hi Warren,
>
> Granted DNSSEC does not by itself provide encryption but that is like saying
> X.509 does not do encryption, all it does is sign keys. Generally there are
> two ways DNSSEC could be useful. One way, as you point out, is to authenticate
> encryption keys. The other way is to detect attempts to subvert DNS name
> resolution which may induce me to disclose information to someone. We cannot
> assume all pervasive monitoring is totally passive.
OK, fully agree. I just (re)read my email to you and realized I sounded like a jackass -- that was not my intent[0].

W

[0]: When I am *intending* to sound like an ass, y'all will know :-P

>
> Trevor
>
> -----Original Message-----
> From: Warren Kumari [mailto:[email protected]]
> Sent: Monday, April 28, 2014 1:20 PM
> To: Trevor Freeman
> Cc: [email protected]
> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
>
> On Mon, Apr 28, 2014 at 2:38 PM, Trevor Freeman
> <[email protected]> wrote:
>> We have a range of technologies in the toolkit to address issues
>> identified by perpass.
>>
>> One of the candidate technologies is DNSSEC. At a technology level it
>> has much to commend it.
>>
>
> For which aspects of perpass? DNSSEC provides no encryption, so the fact
> that I'm browsing to something on www.nakedfurries.com is visible to all...
>
> Don't get me wrong -- I'm a big DNSSEC (and DANE :-)) proponent, but folk
> often seem to miss the fact that DNSSEC doesn't do what the name implies...
>
> W
>
>>
>> The vast majority of critical TLDs are signed, so another good point
>> in its favor.
>>
>> However when you look at the next tier down, the statistics point to a
>> problem.
>>
>> According to the Verisign labs scoreboard, 340K+ domains in the .com
>> namespace are secured by DNSSEC
>>
>> http://scoreboard.verisignlabs.com/
>>
>> If you express that number as % that is about 0.4% and the growth
>> trend is about 0.1% per year
>>
>> http://scoreboard.verisignlabs.com/percent-trace.png
>>
>> The trend seems about 2 orders of magnitude below where we need to be
>> for DNSSEC to be viable in a realistic timescale.
>>
>> Am I misinterpreting the data? If not, then do we have consensus on
>> what is blocking deployment?
>>
>> Trevor
>>
>> _______________________________________________
>> perpass mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/perpass
