NNSquad - Network Neutrality Squad
[ NNSquad ] Re: FW: [ga] the future .. DNS National Security and the ICANN clowns
On Apr 12, 2010, at 6:29 PM, Lauren Weinstein wrote:
> Comments either way, anyone?
I'm actually interested in a fair and balanced view of the two protocols. I've heard arguments from both sides.
According to the DNSSEC crowd, DNSSEC secures everything, ensuring that updates to DNS cannot occur without proper crypto credentials. Of course, there's significant processor overhead required due to the need to verify signatures for each DNS query. Plus, they're using certificate-based security which means I need to buy a cert for each of my domains. This could be cost-prohibitive for the little guys.
According to the DNSCurve crowd, they're using elliptical cryptography which allows low-cpu, very fast security checks. They're also using standard public-key cryptography, so there's no need to purchase certs. They also claim that everything is protected, moreso than DNSSEC, which they claim still has significant holes.
Unfortunately, I have yet to see a balanced view of the two with proper arguments from both sides. From what I've observed, having both implemented djbdns and bind, I would lean more towards the djb side which seems to be lighter, sleeker, and more secure.
I have also observed that DNSSEC has been mired in politics, design by committee (which even Paul Vixie himself will admit to), and numerous issues throughout its existence. These, in my opinion, weigh heavily against its use. But, it appears that Vixie and Co. seem to have the ear of some very powerful people and have been able to convince the giants to move towards DNSSEC.
I'm honestly at a loss as to which direction to move. As I run djb currently, DNSSEC is not possible without a complete infrastructure change. On the other hand, DNSCurve implementations are in their infancy. What's an engineer to do!
> --Lauren--
> NNSquad Moderator
>
[ I must admit that all else being equal, I have no interest
whatsoever in feeding more money into the paid certificate
revenue stream in situations where reasonable and effective
open and free alternatives exist.
-- Lauren Weinstein
NNSquad Moderator ]
>
> -----Original Message-----
> From: Joe Baptista <BAPTISTA@PUBLICROOT.ORG>
> Sent: Apr 11, 2010 8:07 AM
> To: "ga@gnso.icann.org >> GA" <GA@GNSO.ICANN.ORG>
> Subject: [ga] the future .. DNS National Security and the ICANN clowns
>
> The DNS is fracturing. It's been hijacked. Root server "I" in Beijing
> looks like it's still offline as ICANN remains silent on a national
> security issue - or should we call it a scandal? Washington is a buzz in
> DNS these days - no one knows whats going on and Beckstrom is busy
> answering questions.
>
> When the Peoples Republic of China accidentally or intentionally hijacks
> the State of California expect some attention.
>
> We need a better solution then ICANN. The world has become a very
> insecure place overnight. Now that this attack vector is known expect it
> to be exploited. DNSSEC will not save the day. It will simply provide
> another path to exploit.
>
> DNScurve would have prevented this from happening. But the protocol that
> will be shoved in our face will be the DNSSEC make work project.
> DNScurve and DNSSEC can live together on the same box. Both will provide
> their own version of security. But as soon as DNScurve is adopted -
> expect DNSSEC to die a quick death.
>
> regards
> joe baptista
> ----------------------------------------------------------------
---------------------------
Jason 'XenoPhage' Frisvold
xenophage0@gmail.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law