OpenDNS today announced it has adopted DNSCurve to secure DNS

Michael Sinatra michael at rancid.berkeley.edu
Wed Feb 24 15:04:06 UTC 2010


On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>>
>>
>> DNScurve advocates, on the other hand, point out that DNS isn't
>> encrypted. Well, neither is the phone book. So what?
>>
> So the protocol is vulnerable to both local and remote forgery attacks,
> just like other unencrypted protocols
> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html>.
> For any that don't understand this point, there's a simple thought to
> prod them in the right direction: Do you remember why SSH and SSL were
> invented?

Do you understand the difference between encryption and authentication?
SSH and SSL do both because they protect the payload, which may be
sensitive, AND they want to verify that the server you're talking to is
really the one you want.  DNS only needs authentication.  DNSSEC
prevents forgery without encrypting the payload.

> Do you remember, say, the forgery problems with TELNET and
> HTTP?

The bigger problems with TELNET and HTTP were that they could be sniffed
on the wire to get confidential information like passwords.  Forgery was
conveniently solved by cryptography along the way, but confidentiality
was an issue with these protocols, unlike with DNS.

> The /very same problems exist/ for unencrypted UDP/IP protocols
> such as DNS and NTP. And the solution is the same, too.

Yes, cryptographic signatures, not full encryption.  Just like NTP with 
Autokey.

michael
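The point made above, that a signature stops forgery while the answer itself stays readable, as an added example that is not part of the thread: a deliberately simplified RRSIG-style signature over an A record using Ed25519 (a DNSSEC algorithm since RFC 8080). The record layout, names and addresses are constructed for illustration and are not real DNSSEC wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// RR is a deliberately simplified A record (constructed sample data).
// Real DNSSEC canonicalises owner name, class, type, TTL and RDATA into
// wire form and also covers the RRSIG header (RFC 4034); this keeps the
// shape, not the exact format.
type RR struct {
	Name string
	TTL  uint32
	IP   [4]byte
}

// canonical returns the bytes that signer and verifier must both compute.
func canonical(rr RR) []byte {
	ttl := make([]byte, 4)
	binary.BigEndian.PutUint32(ttl, rr.TTL)
	buf := append([]byte(rr.Name), ttl...)
	return append(buf, rr.IP[:]...)
}

// Sign leaves the record as plaintext and returns a detached signature,
// which is the role an RRSIG plays.
func Sign(priv ed25519.PrivateKey, rr RR) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Verify reports whether rr is the record the key holder actually signed.
func Verify(pub ed25519.PublicKey, rr RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rr := RR{Name: "www.example.test.", TTL: 300, IP: [4]byte{192, 0, 2, 10}}
	sig := Sign(priv, rr)
	// Anyone on the path can read the answer; nothing is hidden...
	fmt.Printf("answer (plaintext): %s -> %v\n", rr.Name, rr.IP)
	fmt.Println("genuine verifies:", Verify(pub, rr, sig))
	// ...but an altered answer carrying the real signature is rejected.
	forged := rr
	forged.IP = [4]byte{198, 51, 100, 7}
	fmt.Println("forged verifies:", Verify(pub, forged, sig))
}
```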