OpenDNS today announced it has adopted DNSCurve to secure DNS

Danny Mayer mayer at gis.net
Sun Mar 7 18:46:48 UTC 2010


Michael Sinatra wrote:
> On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>>>
>>>
>>> DNScurve advocates, on the other hand, point out that DNS isn't
>>> encrypted. Well, neither is the phone book. So what?
>>>
>> So the protocol is vulnerable to both local and remote forgery attacks,
>> just like other unencrypted protocols
>> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html>.
>>
>> For any that don't understand this point, there's a simple thought to
>> prod them in the right direction: Do you remember why SSH and SSL were
>> invented?
> 
> Do you understand the difference between encryption and authentication?
>  SSH and SSL do both because they protect the payload, which may be
> sensitive, AND they want to verify that the server you're talking to is
> really the one you want.  DNS only needs authentication.  DNSSEC
> prevents forgery without encrypting the payload.
> 
>> Do you remember, say, the forgery problems with TELNET and
>> HTTP?
> 
> The bigger problems with TELNET and HTTP were that they could be sniffed
> on the wire to get confidential information like passwords.  Forgery was
> conveniently solved by cryptography along the way, but confidentiality
> was an issue with these protocols, unlike with DNS.
> 
>> The /very same problems exist/ for unencrypted UDP/IP protocols
>> such as DNS and NTP. And the solution is the same, too.
> 
> Yes, cryptographic signatures, not full encryption.  Just like NTP with
> Autokey.

Autokey is not a cryptographic signature protocol. It *is* an
authentication protocol for the server only and there are a number of
exchanges that need to be done to complete the authentication of the
server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.

Danny
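As an added illustration of the authentication-versus-encryption distinction argued in the quoted exchange above (that signatures stop forgery while the records stay readable on the wire), here is example code that is not part of the thread and not the DNSSEC wire format: the Record and SignedRRset types, the tab-separated canonical form, and the choice of Ed25519 are all simplifying assumptions made for this example, where real DNSSEC carries RRSIG and DNSKEY records with its own canonical ordering and algorithm set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is a constructed, simplified stand-in for a DNS resource record.
// It is never encrypted: anyone who sees the response can read it.
type Record struct {
	Name string
	Type string
	Data string
}

// SignedRRset pairs plaintext records with a detached signature over them,
// mirroring (loosely) how an RRSIG covers an RRset in DNSSEC.
type SignedRRset struct {
	Records []Record
	Sig     []byte
}

// canonical renders the records in a fixed byte form so that signer and
// verifier hash exactly the same bytes. Ordering and formatting assumptions
// are this example's own, not DNSSEC's canonical form.
func canonical(rrset []Record) []byte {
	lines := make([]string, 0, len(rrset))
	for _, r := range rrset {
		lines = append(lines, strings.ToLower(r.Name)+"\t"+r.Type+"\t"+r.Data)
	}
	return []byte(strings.Join(lines, "\n"))
}

// Sign produces a signature over the canonical records; the records
// themselves are returned unchanged and in the clear.
func Sign(priv ed25519.PrivateKey, rrset []Record) SignedRRset {
	return SignedRRset{Records: rrset, Sig: ed25519.Sign(priv, canonical(rrset))}
}

// Verify checks origin and integrity only. It says nothing about who else
// may have read the records in transit.
func Verify(pub ed25519.PublicKey, s SignedRRset) bool {
	return ed25519.Verify(pub, canonical(s.Records), s.Sig)
}

// Demo signs a constructed RRset, then simulates an on-path forger who
// rewrites the A record but cannot produce a matching signature.
// It returns whether the genuine answer verifies, whether the forged
// answer verifies, and the (still plaintext) data a sniffer would see.
func Demo() (genuineOK bool, forgedOK bool, visibleData string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, "", err
	}

	// Constructed sample records (not real hosts).
	rrset := []Record{
		{Name: "www.example.test.", Type: "A", Data: "192.0.2.10"},
		{Name: "www.example.test.", Type: "A", Data: "192.0.2.11"},
	}
	signed := Sign(priv, rrset)
	genuineOK = Verify(pub, signed)

	// Forgery: copy the response and substitute an attacker-chosen address.
	forged := SignedRRset{Records: append([]Record(nil), signed.Records...), Sig: signed.Sig}
	forged.Records[0].Data = "198.51.100.66"
	forgedOK = Verify(pub, forged)

	// Confidentiality is absent by design: the data is directly readable.
	visibleData = signed.Records[0].Data
	if genuineOK && forgedOK {
		err = errors.New("forgery should not verify")
	}
	return genuineOK, forgedOK, visibleData, err
}

func main() {
	ok, forged, seen, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, forged verifies: %v, readable on wire: %s\n", ok, forged, seen)
}
```

The point the code makes is the one in the thread: the verifier rejects the altered record without the records ever being hidden, so a resolver that validates signatures gets protection against forgery, and only that.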



