Re: [DNSOP] I think we may have a solution - DNSCurve
2008/8/31 Joe Baptista <baptista at publicroot.org>:
> http://dnscurve.org/
>
> comments?
I already made comments on namedroppers, so I will summarize it here:
1. no trust anchors in design, signatures seem to be loosely connected.
Djb added page for TLD operators today, where he proposes signing .com
and ISPs to keep local copies of root zone. But still DNSCurve doesn't
protect you when your parent is not using DNSCurve (or DNSSEC), but you
can get false sense of security (just read those pages). Unfortunately
DNSCurve key is received by PODS - thus it's not protected.
2. In its ideal state it would change DNS to DNS over DNS-TXT. It would
be nearly impossible to debug anything at all. And personally I don't
like this type of encapsulation (it reminds me of IP over DNS ;)).
3. Requirements on aDNS server computation power are raised. Now not only
recursor, but also authoritative nameserver does crypto. Elliptic
curve crypto may have less requirements on cpu cycles, but still it
adds more burden on authoritative nameservers. Djb also proposes
to change .com nameservers so they are grouped together.
4. I am not sure if labels like
uz51gmc1jjicekrm676rorncvjpale915vhd94bj2fddj1be1ntbg5.root-servers.net
make things simpler.
Ondrej.
--
Ondřej Surý
Technical Director/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23,120 00 Praha 2,Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
sip:ondrej.sury at nic.cz tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------