Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-04-11 Thread Danny Mayer
Kevin Oberman wrote:
> Date: Mon, 08 Mar 2010 10:03:26 -0800
> From: Michael Sinatra mich...@rancid.berkeley.edu
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
>> On 3/7/10 10:46 AM, Danny Mayer wrote:
>>
>>> Autokey is not a cryptographic signature protocol. It *is* an
>>> authentication protocol for the server only and there are a number of
>>> exchanges that need to be done to complete the authentication of the
>>> server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.
>>
>> Correct, the comparison was only to point out that Autokey, like DNSSEC,
>> doesn't encrypt payload because it doesn't need to.
>
> More specifically, I don't WANT to encrypt the data for either DNS or
> NTP. In both cases I want the data to always be signed clear-text and
> that is what DNSSEC does.

I'll put it stronger than that. DNSSEC authenticates the server's
*response* and does it in one packet, while Autokey authenticates the
*server* itself and takes a number of packet exchanges before the
client will consider the server authenticated; only after that can it
rely on the authenticated packets.

Danny


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Michael Sinatra

On 3/7/10 10:46 AM, Danny Mayer wrote:

> Autokey is not a cryptographic signature protocol. It *is* an
> authentication protocol for the server only and there are a number of
> exchanges that need to be done to complete the authentication of the
> server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.

Correct, the comparison was only to point out that Autokey, like DNSSEC,
doesn't encrypt payload because it doesn't need to.


michael


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Kevin Oberman
> Date: Mon, 08 Mar 2010 10:03:26 -0800
> From: Michael Sinatra mich...@rancid.berkeley.edu
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> On 3/7/10 10:46 AM, Danny Mayer wrote:
>
>> Autokey is not a cryptographic signature protocol. It *is* an
>> authentication protocol for the server only and there are a number of
>> exchanges that need to be done to complete the authentication of the
>> server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.
>
> Correct, the comparison was only to point out that Autokey, like DNSSEC,
> doesn't encrypt payload because it doesn't need to.

More specifically, I don't WANT to encrypt the data for either DNS or
NTP. In both cases I want the data to always be signed clear-text and
that is what DNSSEC does.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-07 Thread Danny Mayer
Michael Sinatra wrote:
> On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>
>>> DNScurve advocates, on the other hand, point out that DNS isn't
>>> encrypted. Well, neither is the phone book. So what?
>>
>> So the protocol is vulnerable to both local and remote forgery attacks,
>> just like other unencrypted protocols
>> http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html.
>>
>> For any that don't understand this point, there's a simple thought to
>> prod them in the right direction: Do you remember why SSH and SSL were
>> invented?
>
> Do you understand the difference between encryption and authentication?
> SSH and SSL do both because they protect the payload, which may be
> sensitive, AND they want to verify that the server you're talking to is
> really the one you want.  DNS only needs authentication.  DNSSEC
> prevents forgery without encrypting the payload.
>
>> Do you remember, say, the forgery problems with TELNET and
>> HTTP?
>
> The bigger problems with TELNET and HTTP were that they could be sniffed
> on the wire to get confidential information like passwords.  Forgery was
> conveniently solved by cryptography along the way, but confidentiality
> was an issue with these protocols, unlike with DNS.
>
>> The /very same problems exist/ for unencrypted UDP/IP protocols
>> such as DNS and NTP. And the solution is the same, too.
>
> Yes, cryptographic signatures, not full encryption.  Just like NTP with
> Autokey.

Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol for the server only and there are a number of
exchanges that need to be done to complete the authentication of the
server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.

Danny



Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-26 Thread Alan Clegg
Jonathan de Boyne Pollard wrote:

> That's also nothing to do with DNSCurve.  You weren't making a DNSCurve
> query there.  You were simply querying, with an ordinary DNS query, a
> proxy DNS server that is under someone else's control and getting the
> view of the DNS namespace that that someone else chose to give to you.
> OpenDNS have subverted you (inasmuch as one can call accepting control
> of the DNS namespace from people who deliberately hand it over to them
> subversion) entirely without DNSCurve.  This is simply the well-known
> risk of using other people's proxy servers.  There's nothing new here,
> and nothing related to DNSCurve here.

I fully understand that this was not a DNSCurve query.  My point was
that this ability of OpenDNS will go away if and when they choose a
technology that actually provides end-to-end validation of the DNS
query/response in question.

Why would OpenDNS adopt a technology that destroys their own business
model?  They argue against DNSSEC, yet they implement DNSCurve.

Interesting...

Anyway, this has gone far enough off-topic (bind-users) that I'm going
to curtail my responses here.  Feel free to follow up with me directly
if you'd like.

AlanC




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Eugene Crosser
Joe Baptista wrote:

>> ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
>> don't actually think it'd be much of a horserace if compatibility is all
>> you're looking for.
>
> I agree they are both DNSSEC compatible but .GOV has only deployed
> DNSSEC in 20% of its zones. I'm not sure what the percentage is in .ORG
> - 5% ? less ? is it even 1% of the zones? The make work project continues.

Right now, as far as I am concerned, the main obstacle to more widespread
adoption of DNSSEC is the lack of a procedure to establish trust between your zone
and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
have no (googlable) way to get my DS included into the TLD zone.

Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed
rather than a production anchor.

I'd be happy to be wrong. (And, don't tell me to switch back to Verisign 
registrar.)

Eugene




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Hauke Lampe
Stephane Bortzmeyer wrote:
> Sam Wilson sam.wil...@ed.ac.uk wrote
>
>> Has anyone found any uz5* servers out there yet?
>
> Zero for opendns.com, dnscurve.org, etc.

One:

 dempsky.org.  259200  IN  NS  
 uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
 dempsky.org.  259200  IN  NS  ns1.everydns.net.
 dempsky.org.  259200  IN  NS  ns2.everydns.net.
 dempsky.org.  259200  IN  NS  ns3.everydns.net.
 dempsky.org.  259200  IN  NS  ns4.everydns.net.

From what I know about DNSCurve, an average of one in five lookups for
this zone would use encrypted transport.

Anyway, bind-users is probably not the right mailing list for this
topic, unless a more formal protocol description for DNSCurve appears.

There's a similar thread on dnsops, so I suggest everyone interested in
DNSCurve subscribe and participate there:
https://lists.dns-oarc.net/mailman/listinfo/dns-operations



Hauke.




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Eugene Crosser:

> Right now, as far as I am concerned, the main obstacle to more
> widespread adoption of DNSSEC is the lack of procedure to establish
> trust between your zone and the TLD.

There's no standard procedure for NS and glue management, either, and
it still seems to work quite well. 8-)

-- 
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Sam Wilson:

> Has anyone found any uz5* servers out there yet?

node.pk, dempsky.org has such name servers.  I thought there were
more.  Has the magic prefix changed?

-- 
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Sam Wilson
In article mailman.633.1267090950.21153.bind-us...@lists.isc.org,
 Florian Weimer fwei...@bfk.de wrote:

> * Sam Wilson:
>
>> Has anyone found any uz5* servers out there yet?
>
> node.pk, dempsky.org has such name servers.  I thought there were
> more.  Has the magic prefix changed?

OK.  I found none in 130 MB of cache from 3 servers.  Clearly the wave 
hasn't broken yet.

Sam


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg acl...@isc.org wrote:

> Joe Baptista wrote:
>
>>>   dnssec-enable yes;
>>> and
>>>   dnssec-validation yes;
>>>
>>> are the defaults since BIND 9.5
>>
>> How do I turn it off?
>
> Since you edited out the most important part of my post, I'll repeat it
> here before I answer your question:

Sorry - not my intention. It's just that part of the post did not apply to
me. My question was not related to an authoritative server but a recursive
only server.

> Serving signed zones requires signed zone data to serve.
> Validation requires configuration of trust anchors.
>
> To turn it off,
>
> Don't sign your zones and don't configure trust anchors.

Like I said the server is recursive only - no zones served.

> Or, if you think you might accidentally sign your zones or configure
> trust anchors, you can:
>
>   dnssec-enable no;
>   dnssec-validation no;

OK - so if I do the above - will that prevent my recursive server from doing
DNSSEC if it gets information from a DNSSEC signed zone?


Thanks for your help here
joe

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Paul Wouters

On Thu, 25 Feb 2010, Eugene Crosser wrote:

> Right now, as far as I am concerned, the main obstacle to more widespread
> adoption of DNSSEC is the lack of procedure to establish trust between your zone
> and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
> have no (googlable) way to get my DS included into the TLD zone.

Registrars are working on this. It requires them to update EPP etc. I am not
sure if .org already accepts DS records via EPP, but I know others (eg opensrs)
have started taking steps to implement this in their interface to the users.

There are some corner cases that need to be solved, such as what to do when a
domain moves from one DNS zone operator to another. Usually private keys cannot
be handed over, so this might require multiple DS record support, etc.

See further http://dnsseccoalition.org/website/

> Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed
> rather than a production anchor.

It is production, not a testbed. And useful for anyone who wants to put their DS
into it. The only thing missing there is easy access to a bulk submission
interface.

Paul


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Evan Hunt
>> Or, if you think you might accidentally sign your zones or configure
>> trust anchors, you can:
>>
>>   dnssec-enable no;
>>   dnssec-validation no;
>
> OK - so if I do the above - will that prevent my recursive server from doing
> DNSSEC if it gets information from a DNSSEC signed zone?

Yes, but "don't configure any trust anchors" gets the job done too.  If
your configuration doesn't say "trusted-keys", "managed-keys", or
"dnssec-lookaside auto;" anywhere, then DNSSEC is not in use.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 07:28:48PM -0800,
 Michael Sinatra mich...@rancid.berkeley.edu wrote
 a message of 34 lines which said:

> While I think the OpenDNS people (especially David U., their
> founder) have a huge amount of clue, I think they're barking up the
> wrong tree here.

On the other hand, they are crystal-clear:

http://blog.opendns.com/2010/02/23/opendns-dnscurve/

> It [DNSSEC] also fundamentally hampers services like OpenDNS, which
> use DNS to provide content filtering and search services.

So, DNSSEC is bad because it prevents OpenDNS from lying... ("Search
services" is a code word for "legitimate response modification".)


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
reply below

On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt e...@isc.org wrote:

>> I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
>> full of wackos. So it is unlikely he will ever be bothered to dance the
>> IETF RFC jig.
>
> Is there a requirement that Dr. Bernstein must personally do the dancing?
> Let someone else write the RFC, if it needs writing.

Someone else has written the RFC draft - which see http://bit.ly/b5mFkV

Looks like Matthew Dempsky and OpenDNS have taken the lead here.

> While the existence of an RFC isn't an absolute requirement for BIND to
> implement something, it certainly helps.  But what helps a lot more is
> evidence that the thing in question is getting widespread use, or that
> there's significant user demand for it.

Now there is. OpenDNS support of DNScurve means over 20 billion DNS queries
per day. I think that's enough evidence to get cracking and write the code.

> So far, we're not seeing either
> of those things with DNSCurve.

We're not seeing much of the same with DNSSEC.

That's not the case with DNScurve. Again I stress - over 20 billion requests
per day at OpenDNS are DNScurve compatible. The traffic in DNSSEC is chicken
feed compared to DNScurve.

> When we do, I'll be happy to write the
> code.

It's happened - start writing.

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra
mich...@rancid.berkeley.edu wrote:

> As someone who both signs his production zones and does DNSSEC validation,
> I can assure you that DNSSEC works.  But you've done as good a job as I can
> imagine in making the case for DNScurve.


Done.

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Michael Sinatra

On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:

>> DNScurve advocates, on the other hand, point out that DNS isn't
>> encrypted. Well, neither is the phone book. So what?
>
> So the protocol is vulnerable to both local and remote forgery attacks,
> just like other unencrypted protocols
> http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html.
> For any that don't understand this point, there's a simple thought to
> prod them in the right direction: Do you remember why SSH and SSL were
> invented?

Do you understand the difference between encryption and authentication?
SSH and SSL do both because they protect the payload, which may be
sensitive, AND they want to verify that the server you're talking to is
really the one you want.  DNS only needs authentication.  DNSSEC
prevents forgery without encrypting the payload.

> Do you remember, say, the forgery problems with TELNET and
> HTTP?

The bigger problems with TELNET and HTTP were that they could be sniffed
on the wire to get confidential information like passwords.  Forgery was
conveniently solved by cryptography along the way, but confidentiality
was an issue with these protocols, unlike with DNS.

> The /very same problems exist/ for unencrypted UDP/IP protocols
> such as DNS and NTP. And the solution is the same, too.

Yes, cryptographic signatures, not full encryption.  Just like NTP with
Autokey.


michael


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote:

> That's not the case with DNScurve. Again I stress - over 20 billion
> requests per day at OpenDNS are DNScurve compatible. The traffic in
> DNSSEC is chicken feed compared to DNScurve.

Joe,

The fact that queries hit servers that are DNScurve capable does not
mean that they are taking any advantage of the DNScurve protocol.

I'm sure that there are more DO bit queries in the world than DNScurve
label queries on any given day -- and not only DO bit queries, but
queries that hit servers that are DNSSEC capable.

The fact that DNScurve allows OpenDNS to continue modifying responses
while proving that their answers are authentic tells me that there is
a gaping hole in the DNScurve protocol...

Follow the money.  OpenDNS has fought against DNSSEC because it
prohibits their Intelligent Navigation (Typo correction) and
redirection of google...  They approve of DNScurve because it can be
subverted.

  ; <<>> DiG 9.7.0 <<>> @208.67.222.222 www.google.com
  [...]
  ;; ANSWER SECTION:
  www.google.com.  30 IN CNAME google.navigation.opendns.com.
  google.navigation.opendns.com. 30 IN A 208.69.32.230
  google.navigation.opendns.com. 30 IN A 208.69.32.231

That's not the google I was looking for...

I'm in no way saying that BIND won't at some point in the future support
DNScurve, I'm just saying that to try to prove the need by pointing to
OpenDNS is not the justification that is needed.

AlanC




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Tony Finch
On Tue, 23 Feb 2010, Joe Baptista wrote:

> Let's not forget the IETF has had 15 years to secure the DNS. The result is
> the DNSSEC abortion. It has failed.

It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deployed in the most important zones this
year. DNScurve doesn't even have one publicly available implementation.

> This announcement today is a stiff well deserved kick in the balls to
> the DNSSEC crowd.

It's a tickle compared to the flood of interest in Comcast's announcement
of DNSSEC support.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> That's not the case with DNScurve. Again I stress - over 20 billion
> requests per day at OpenDNS are DNScurve compatible. The traffic in
> DNSSEC is chicken feed compared to DNScurve.

ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
don't actually think it'd be much of a horserace if compatibility is all
you're looking for.  What'll be interesting is how many queries the root
and TLD servers start seeing for uz5*/NS.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters

On Wed, 24 Feb 2010, Tony Finch wrote:

> On Tue, 23 Feb 2010, Joe Baptista wrote:
>
>> Let's not forget the IETF has had 15 years to secure the DNS. The result is
>> the DNSSEC abortion. It has failed.
>
> It looks pretty lively to me. DNSSEC has multiple interoperable
> implementations, and it will be deployed in the most important zones this
> year. DNScurve doesn't even have one publicly available implementation.

Nor do dnscurve.* or opendns.* domains even use dnscurve themselves. If
the inventors are not even running it, and we don't have the minimum of two
independently written interoperable implementations, it's clearly not
meant to be used outside the research labs, and telling others (ISC)
to do your work seems rather out of place.

This has neither consensus nor running code nor a publicly testable deployment.

Paul


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Chris Thompson

On Feb 24 2010, Evan Hunt wrote:

>> That's not the case with DNScurve. Again I stress - over 20 billion
>> requests per day at OpenDNS are DNScurve compatible. The traffic in
>> DNSSEC is chicken feed compared to DNScurve.
>
> ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
> don't actually think it'd be much of a horserace if compatibility is all
> you're looking for.  What'll be interesting is how many queries the root
> and TLD servers start seeing for uz5*/NS.


If OpenDNS really believe that DNScurve is the way of the future, why
don't they have such NS records for opendns.com?

--
Chris Thompson
Email: c...@cam.ac.uk


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Sam Wilson
In article mailman.608.1267031100.21153.bind-us...@lists.isc.org,
 Chris Thompson c...@cam.ac.uk wrote:

> On Feb 24 2010, Evan Hunt wrote:
>
>>> That's not the case with DNScurve. Again I stress - over 20 billion
>>> requests per day at OpenDNS are DNScurve compatible. The traffic in
>>> DNSSEC is chicken feed compared to DNScurve.
>>
>> ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
>> don't actually think it'd be much of a horserace if compatibility is all
>> you're looking for.  What'll be interesting is how many queries the root
>> and TLD servers start seeing for uz5*/NS.
>
> If OpenDNS really believe that DNScurve is the way of the future, why
> don't they have such NS records for opendns.com?

And what effect will 54-character names for nameservers have when the
description recommends against using TCP or UDP with packets longer than
512 bytes (EDNS0, anyone?).

Actually the idea of encoding your public key in your name, whilst
superficially neat, sounds like a killer to me.  How will I ever
remember which server is which?

Has anyone found any uz5* servers out there yet?

Sam
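An added example, written for this archive and not code from Hauke, Sam or the DNSCurve project, that works through the two points raised in the thread: Hauke's observation that one NS in five for dempsky.org carries a DNSCurve key, and Sam's questions about 54-character name-server names, the 512-byte UDP budget and a public key encoded in a name. It recognises DNSCurve name-server names in dig-style NS output, counts what share of an NS set is DNSCurve-capable (the dempsky.org RRset quoted earlier in the thread is used as input), reports the uncompressed wire length of such a name, and decodes the key. The base-32 alphabet (digits, then bcdfghjklmnpqrstuvwxyz) and the least-significant-bits-first bit order are my reading of the DNSCurve draft, not something the thread states, so treat them as this example's assumptions.

```python
import re

# DNSCurve base-32 alphabet as I read the DNSCurve draft: the ten digits followed
# by "bcdfghjklmnpqrstuvwxyz"; each character carries 5 bits, least significant
# bits first.  Alphabet and bit order are this example's assumption.
DNSCURVE_B32 = "0123456789bcdfghjklmnpqrstuvwxyz"
B32_VALUE = {c: i for i, c in enumerate(DNSCURVE_B32)}
# A key label is "uz5" plus 51 base-32 characters: 54 characters, 255 key bits.
KEY_LABEL_RE = re.compile(r"^uz5[0123456789bcdfghjklmnpqrstuvwxyz]{51}$")
# dig-style NS line: owner, TTL, class, type, target.
NS_LINE_RE = re.compile(r"^\s*(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)

# The dempsky.org NS RRset quoted earlier in the thread, re-joined onto one
# line per record so it parses as dig output.
DEMPSKY_NS_RRSET = """
dempsky.org.  259200  IN  NS  uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org.
dempsky.org.  259200  IN  NS  ns1.everydns.net.
dempsky.org.  259200  IN  NS  ns2.everydns.net.
dempsky.org.  259200  IN  NS  ns3.everydns.net.
dempsky.org.  259200  IN  NS  ns4.everydns.net.
"""


def is_dnscurve_ns(name: str) -> bool:
    """True if the first label of the name server name is a DNSCurve key label."""
    first_label = name.lower().rstrip(".").split(".")[0]
    return KEY_LABEL_RE.match(first_label) is not None


def dnscurve_ns_share(dig_output: str) -> tuple[int, int]:
    """Return (dnscurve_capable, total) over the NS records found in dig output."""
    total = capable = 0
    for line in dig_output.splitlines():
        m = NS_LINE_RE.match(line)
        if m is None:
            continue
        total += 1
        if is_dnscurve_ns(m.group(2)):
            capable += 1
    return capable, total


def wire_name_length(name: str) -> int:
    """Uncompressed wire size of a name: each label plus its length byte, then the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def decode_key(name: str) -> bytes:
    """Recover the 32-byte public key from a DNSCurve NS name (its top bit is always 0)."""
    if not is_dnscurve_ns(name):
        raise ValueError("not a DNSCurve name server name")
    acc = bits = 0
    out = bytearray()
    for ch in name.lower().split(".")[0][3:]:
        acc |= B32_VALUE[ch] << bits
        bits += 5
        if bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    out.append(acc & 0xFF)  # 51 * 5 = 255 bits: 31 full bytes plus 7 leftover bits
    return bytes(out)


def encode_key(key: bytes) -> str:
    """Build the 54-character key label for a 32-byte key (bit 255 is dropped)."""
    if len(key) != 32:
        raise ValueError("Curve25519 public keys are 32 bytes")
    acc = bits = 0
    chars = []
    for b in key:
        acc |= b << bits
        bits += 8
        while bits >= 5:
            chars.append(DNSCURVE_B32[acc & 31])
            acc >>= 5
            bits -= 5
    return "uz5" + "".join(chars)


if __name__ == "__main__":
    capable, total = dnscurve_ns_share(DEMPSKY_NS_RRSET)
    print(f"{capable} of {total} NS targets are DNSCurve-capable")
    curve_ns = "uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org."
    print("uncompressed name length:", wire_name_length(curve_ns), "bytes")
    print("public key:", decode_key(curve_ns).hex())
```

The same scan can be pointed at a cache dump or zone file to answer Sam's "has anyone found any uz5* servers" question for your own resolver; the wire-length figure (68 bytes for the dempsky.org name, uncompressed) is what to budget per NS target against the 512-byte limit, and the encode/decode pair shows that the label carries 255 of the key's 256 bits.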


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread bsfinkel
Joe Baptista bapti...@publicroot.org wrote:
> Someone else has written the RFC draft - which see http://bit.ly/b5mFkV

That draft has this text, "Expires: February 27, 2010" [3 days from
today].  I am not sure what an expiration date means officially on a
draft RFC.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


RE: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Lightner, Jeff
From the BCP79 referenced at top of the draft:

 d. Internet-Draft: temporary documents used in the IETF and RFC
  Editor processes.  Internet-Drafts are posted on the IETF web site
  by the IETF Secretariat and have a nominal maximum lifetime in the
  Secretariat's public directory of 6 months, after which they are
  removed.  Note that Internet-Drafts are archived many places on
  the Internet, and not all of these places remove expired
  Internet-Drafts.  Internet-Drafts that are under active
  consideration by the IESG are not removed from the Secretariat's
  public directory until that consideration is complete.  In
  addition, the author of an Internet-Draft can request that the
  lifetime in the Secretariat's public directory be extended before
  the expiration.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of bsfin...@anl.gov
Sent: Wednesday, February 24, 2010 3:49 PM
To: bind-users@lists.isc.org
Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure
DNS

Joe Baptista bapti...@publicroot.org wrote:
Someone else has written the RFC draft - which see http://bit.ly/b5mFkV

That draft has this text, Expires: February 27, 2010 [3 days from
today].  I am not sure what an expiration date means officially on a
draft RFC.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt e...@isc.org wrote:

>> That's not the case with DNScurve. Again I stress - over 20 billion
>> requests per day at OpenDNS are DNScurve compatible. The traffic in
>> DNSSEC is chicken feed compared to DNScurve.
>
> ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
> don't actually think it'd be much of a horserace if compatibility is all
> you're looking for.

I agree they are both DNSSEC compatible but .GOV has only deployed DNSSEC in
20% of its zones. I'm not sure what the percentage is in .ORG - 5% ? less ?
is it even 1% of the zones? The make work project continues.

That's what I like about DNScurve. No make work projects.

But I get your point.

> What'll be interesting is how many queries the root
> and TLD servers start seeing for uz5*/NS.

It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote:

> [...] I guess that depends on if DNSSEC
> is turned on by default in BIND. Incidentally - is it?

   dnssec-enable yes;
and
   dnssec-validation yes;

are the defaults since BIND 9.5

Serving signed zones requires signed zone data to serve.

Validation requires configuration of trust anchors.

AlanC




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg acl...@isc.org wrote:

>   dnssec-enable yes;
> and
>   dnssec-validation yes;
>
> are the defaults since BIND 9.5

How do I turn it off?

Thanks
joe

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote:

>>   dnssec-enable yes;
>> and
>>   dnssec-validation yes;
>>
>> are the defaults since BIND 9.5
>
> How do I turn it off?

Since you edited out the most important part of my post, I'll repeat it
here before I answer your question:

Serving signed zones requires signed zone data to serve.
Validation requires configuration of trust anchors.

To turn it off,

Don't sign your zones and don't configure trust anchors.

Or, if you think you might accidentally sign your zones or configure
trust anchors, you can:

 dnssec-enable no;
 dnssec-validation no;

AlanC




Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> It's going to be interesting to watch. I guess that depends on if DNSSEC is
> turned on by default in BIND. Incidentally - is it?

That depends on what you mean by "turned on".  The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritative servers with
signed data will send it.

But the DO bit is merely a flag that says "if you send me DNSSEC signatures
I won't catch fire"; it doesn't actually switch on DNSSEC in any meaningful
way.  DNSSEC validation only becomes active when you've configured a trust
anchor, and that is *not* done by default.

(There is a built-in trust anchor for dlv.isc.org included with BIND 9.7,
but you have to turn on a config option for it to be used, and that will
not change.  We would like people to trust us, and we wanted to make it
as easy as possible to do so, but we don't think we'd be worthy of trust
if we made it the default.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
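The distinction Evan draws above, as an added example that is not code from this thread or from BIND: it builds a query carrying the EDNS0 OPT record with the DO bit set, and reads the AD flag that only a resolver which actually validated the answer (which needs a configured trust anchor) will set in its response. The query name and the two response headers are constructed for the example.

```python
import struct

# Added example, not BIND code: set the EDNS0 DO bit in a query (RFC 3225) and
# read the AD flag of a response header (RFC 4035).  DO only tells the server
# "you may send RRSIGs"; AD is set by a resolver that validated with a trust anchor.

DO_BIT = 0x8000   # bit 15 of the OPT pseudo-RR's 32-bit TTL field
AD_FLAG = 0x0020  # bit 5 of the 16-bit header flags word

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(pkt, off):
    """Offset just past a wire-format name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_query(qname, qtype=1, txid=0x1234, do=True, udp_size=4096):
    """Standard query (RD set) with one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ttl = DO_BIT if do else 0       # ext-rcode(8) | version(8) | DO | Z(15)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def has_do_bit(pkt):
    """True if the packet carries an OPT record (TYPE 41) with DO set."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen
    return False

def ad_flag_set(pkt):
    """True if a response header has AD set: the resolver validated the answer."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & AD_FLAG)

# Constructed response headers (same id; QR, RD, RA set) with and without AD.
VALIDATED_HDR = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

A query that sets DO but reaches a resolver with no trust anchor gets signatures back but never AD, which is the "doesn't switch on DNSSEC in any meaningful way" point above.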


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters

On Thu, 25 Feb 2010, Evan Hunt wrote:


 It's going to be interesting to watch. I guess that depends on if DNSSEC is
 turned on by default in BIND. Incidentally - is it?


 That depends on what you mean by "turned on".  The DNSSEC protocol is
 enabled, and the DO bit is set in queries, so authoritative servers with
 signed data will send it.


The default in Fedora has been on with many keys and DLV since Fedora-12.
That's about 6 months now.


 (There is a built-in trust anchor for dlv.isc.org included with BIND 9.7,
 but you have to turn on a config option for it to be used, and that will
 not change.  We would like people to trust us, and we wanted to make it
 as easy as possible to do so, but we don't think we'd be worthy of trust
 if we made it the default.)


That's correct. But Fedora has tested and used the DLV, and it seems
very solid, though we are looking at one bootstrap issue with VPN we
have observed, where bind could not fetch the DLV's DNSKEY to validate.

But people who are waiting for DNSSEC to get turned on are denialists.

Paul


OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
Now that OpenDNS, the largest provider of public DNS, supports DNSCurve

http://twitter.com/joebaptista/status/9555178362

Would it be possible to include DNScurve support in bind?

thanks
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra

On 02/23/10 18:31, Joe Baptista wrote:

 Now that OpenDNS, the largest provider of public DNS, supports DNSCurve

 http://twitter.com/joebaptista/status/9555178362

 Would it be possible to include DNScurve support in bind?

 thanks
 joe baptista


I'd love to see BIND adopt DNScurve...when it becomes an RFC.  Until 
then, I'd prefer that BIND stick to the existing body of RFCs.  If 
DNScurve is important enough for the whole Internet to use, then it's 
important enough to drag it through the whole IETF process, political as 
it may or may not be.


Personally, I think DNScurve misses the mark.  My concern, as someone 
who operates both authoritative and recursive servers, is that the data 
on the authority side be authentic end-to-end.  With DNSSEC, I can 
validate that that's true.


DNScurve advocates, on the other hand, point out that DNS isn't 
encrypted.  Well, neither is the phone book.  So what?  I regard DNS as 
a public database, and it's more important to me that it be 
authentic--from the source--than obscurified.


While I think the OpenDNS people (especially David U., their founder) 
have a huge amount of clue, I think they're barking up the wrong tree here.


michael


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I humbly
suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of
wackos. So it is unlikely he will ever be bothered to dance the IETF RFC
jig.

I do disagree with you that bind should only implement what is in the RFC.
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed. This announcement today is a stiff well
deserved kick in the balls to the DNSSEC crowd.

We cannot rely on the IETF for security. Commerce and simple common sense
communications are screaming for security solutions today. DNSCurve is
perfect and it works out of the box.

Folks. OpenDNS has set the DNS standard. We can start securing the DNS with
every new dnscurve upgrade to bind. Imagine how much money is being spent on
the DNSSEC make work project - time and energy wasted.

DNScurve installs - configures and runs. No need for a make work project.

agreed?

regards
joe baptista

On Tue, Feb 23, 2010 at 10:28 PM, Michael Sinatra 
mich...@rancid.berkeley.edu wrote:

 On 02/23/10 18:31, Joe Baptista wrote:

 Now that OpenDNS, the largest provider of public DNS, supports DNSCurve

 http://twitter.com/joebaptista/status/9555178362

 Would it be possible to include DNScurve support in bind?

 thanks
 joe baptista


 I'd love to see BIND adopt DNScurve...when it becomes an RFC.  Until then,
 I'd prefer that BIND stick to the existing body of RFCs.  If DNScurve is
 important enough for the whole Internet to use, then it's important enough
 to drag it through the whole IETF process, political as it may or may not
 be.

 Personally, I think DNScurve misses the mark.  My concern, as someone who
 operates both authoritative and recursive servers, is that the data on the
 authority side be authentic end-to-end.  With DNSSEC, I can validate that
 that's true.

 DNScurve advocates, on the other hand, point out that DNS isn't encrypted.
  Well, neither is the phone book.  So what?  I regard DNS as a public
 database, and it's more important to me that it be authentic--from the
 source--than obscurified.

 While I think the OpenDNS people (especially David U., their founder) have
 a huge amount of clue, I think they're barking up the wrong tree here.

 michael

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Evan Hunt

 I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
 full of wackos. So it is unlikely he will ever be bothered to dance the
 IETF RFC jig.

Is there a requirement that Dr. Bernstein must personally do the dancing?
Let someone else write the RFC, if it needs writing.

While the existence of an RFC isn't an absolute requirement for BIND to
implement something, it certainly helps.  But what helps a lot more is
evidence that the thing in question is getting widespread use, or that
there's significant user demand for it.  So far, we're not seeing either
of those things with DNSCurve.  When we do, I'll be happy to write the
code.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra

On 02/23/10 19:54, Joe Baptista wrote:

 It would be nice to see it as an RFC. I agree with that. But from what I
 know it will be a pretty cold day in hell before it becomes an RFC. I
 humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
 full of wackos. So it is unlikely he will ever be bothered to dance the
 IETF RFC jig.

 I do disagree with you that bind should only implement what is in the
 RFC. Let's not forget the IETF has had 15 years to secure the DNS. The
 result is the DNSSEC abortion. It has failed. This announcement today is
 a stiff well deserved kick in the balls to the DNSSEC crowd.

 We cannot rely on the IETF for security. Commerce and simple common
 sense communications are screaming for security solutions today.
 DNSCurve is perfect and it works out of the box.

 Folks. OpenDNS has set the DNS standard. We can start securing the DNS
 with every new dnscurve upgrade to bind. Imagine how much money is being
 spent on the DNSSEC make work project - time and energy wasted.

 DNScurve installs - configures and runs. No need for a make work project.

 agreed?


As someone who both signs his production zones and does DNSSEC 
validation, I can assure you that DNSSEC works.  But you've done as good a 
job as I can imagine in making the case for DNScurve.


michael