lists.isc.org rDNS failed, DNSSEC?

Mark Andrews marka at isc.org
Wed Feb 29 00:53:53 UTC 2012


In message <CB725C9F.24EC1%michoski at cisco.com>, michoski writes:
> > Doing DNSSEC verification in 2012 is lopsided the other way. You
> > cannot resolve the names you need sometimes. You're probably not
> > receiving any actual protection from spoofing.
> 
> I feel similarly.  I do see risk in the non-DNSSEC world (thanks to Kaminsky
> and others), but not so common or devastating to justify the cost and
> associated risks of deployment today.  I think the right tools (inline
> signing!) will reduce TCO and generally make more folks jump onboard.

DNSSEC is also an enabling technology.  SSH already takes advantage of it.

The DANE working group of the IETF is defining how to authenticate CERTs
using the DNS associated with a DNS name which is a much more natural way
of doing this than using a CA.

With DNSSEC it is possible to cryptographically secure SMTP and be able to
detect m-i-m attacks.  DNSSEC protects the MX records (explicit or implicit).
This lets you securely know which machine you are supposed to be connecting
to, by name, and hence which CERTs are valid with STARTTLS given that name.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
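The chain Mark describes (a DNSSEC-validated MX answer naming the host, then DANE data authenticating that host's certificate for STARTTLS) as an added Python example; this is not code from this mail or from ISC. It assumes the TLSA record format later standardized in RFC 6698 (selector and matching-type semantics, DANE-EE usage only, so no PKIX chain is checked), a resolver that reports the AD bit, and constructed byte strings standing in for DER-encoded certificates; the defensive point is that DANE is enforced only when both the MX and the TLSA answers validated, otherwise the client falls back to opportunistic TLS.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Answer:
    rrset: list          # records returned (empty if none)
    authenticated: bool  # resolver's AD bit: answer validated by DNSSEC

def tlsa_matches(selector, matching_type, assoc_data, cert_der, spki_der):
    """DANE TLSA matching (RFC 6698): selector 0 = full certificate,
    1 = SubjectPublicKeyInfo; matching type 0 = exact bytes,
    1 = SHA-256, 2 = SHA-512 of the selected bytes."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return selected == assoc_data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return digest(selected).digest() == assoc_data

def choose_mx(domain, lookup):
    """Pick the lowest-preference MX for domain.  Returns (mx_host, tlsa_rrset);
    tlsa_rrset is None unless both the MX and TLSA answers were DNSSEC-validated:
    an unsigned MX answer could name a spoofed host, and an unsigned TLSA answer
    could be forged to match whatever certificate that host presents."""
    mx = lookup(domain, "MX")
    if not mx.rrset:
        return None, None
    _pref, host = min(mx.rrset)
    if not mx.authenticated:
        return host, None          # host name itself is unverified
    tlsa = lookup(f"_25._tcp.{host}", "TLSA")
    if not tlsa.authenticated or not tlsa.rrset:
        return host, None
    return host, tlsa.rrset

# Constructed sample data: byte strings standing in for DER encodings.
CERT_DER, SPKI_DER = b"constructed-cert-der", b"constructed-spki-der"
ZONE = {  # (name, type) -> Answer; missing names act as validated NODATA
    ("example.org", "MX"): Answer([(10, "mail.example.org")], True),
    ("_25._tcp.mail.example.org", "TLSA"):
        Answer([(3, 1, 1, hashlib.sha256(SPKI_DER).digest())], True),
    ("unsigned.example", "MX"): Answer([(10, "mail.unsigned.example")], False),
}
def lookup(name, rtype):
    return ZONE.get((name, rtype), Answer([], True))

def dane_verdict(domain, cert_der, spki_der):
    host, tlsa = choose_mx(domain, lookup)
    if tlsa is None:
        return host, "no DANE: opportunistic TLS only"
    ok = any(tlsa_matches(s, m, d, cert_der, spki_der) for _u, s, m, d in tlsa)
    return host, "DANE match" if ok else "DANE mismatch: refuse to deliver"
```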


