On Thu, Aug 6, 2009 at 6:06 AM, Alexander Harrowell
wrote:
> 1) Authenticate the nameserver to the client (and so on up the chain to the
> root) in order to defeat the Kaminsky attack, man in the middle, IP-layer
> interference. (Are you who you say you are?)
DNSSEC fans will be quick to point o
On 8/5/09 7:05 PM, Naveen Nathan wrote:
On Wed, Aug 05, 2009 at 09:17:01PM -0400, John R. Levine wrote:
...
It seems to me that the situation is no worse than DNSSEC, since in both
cases the software at each hop needs to be aware of the security stuff, or
you fall back to plain unsigned DNS.
On Wed, 5 Aug 2009, Naveen Nathan wrote:
>
> I might misunderstand how dnscurve works, but it appears that dnscurve
> is far easier to deploy and get running.
Not really. There are multiple competing mature implementations of DNSSEC
and you won't be in a network of 1 if you deploy it.
Tony.
--
f
There are really two security problems here, which implies that two different
methods might be necessary:
1) Authenticate the nameserver to the client (and so on up the chain to the
root) in order to defeat the Kaminsky attack, man in the middle, IP-layer
interference. (Are you who you say you
* Naveen Nathan:
> I'll assume the cipher used for the lasting secret keys is interchangeable.
Last time I checked, even the current cryptographic algorithms weren't
specified. It's unlikely that there is an upgrade path (other than
stuffing yet another magic label into your name server names).
Ben,
Thanks for the cogent comparison between the two security systems
for DNS.
> DNSCurve requires more CPU power on nameservers (for the more
> extensive crypto); DNSSEC requires more memory (for the additional
> DNSSEC payload).
This is only true for the initial (Elliptic Curve) Diffie-Hell
On Wed, Aug 5, 2009 at 10:05 PM, Naveen Nathan wrote:
> I might misunderstand how dnscurve works, but it appears that dnscurve
> is far easier to deploy and get running.
My understanding:
They really do different things. They also have different behaviors.
DNSCurve aims to secure the tran
ng time as far as I can
tell.
- S
-Original Message-
From: Naveen Nathan [mailto:nav...@calpop.com]
Sent: Wednesday, August 05, 2009 7:05 PM
To: John R. Levine
Cc: nanog@nanog.org
Subject: Re: dnscurve and DNS hardening, was Re: Dan Kaminsky
On Wed, Aug 05, 2009 at 09:17:01PM -0400, John
On Wed, Aug 05, 2009 at 09:17:01PM -0400, John R. Levine wrote:
> ...
>
> It seems to me that the situation is no worse than DNSSEC, since in both
> cases the software at each hop needs to be aware of the security stuff, or
> you fall back to plain unsigned DNS.
I might misunderstand how dnscurv
In message , "John R. Levine"
writes:
> >>> http://dnscurve.org/crypto.html, which is always brought up, but
> >>> never seems to solve the problems mentioned.
>
> > As I understand it, dnscurve protects transmissions, not objects.
> > That's not the way DNS operates today, what with N levels of
http://dnscurve.org/crypto.html, which is always brought up, but
never seems to solve the problems mentioned.
As I understand it, dnscurve protects transmissions, not objects.
That's not the way DNS operates today, what with N levels of cache. It
may or may not be better, but it's a much bigge
11 matches
Mail list logo
