OpenDNS today announced it has adopted DNSCurve to secure DNS
Michael Sinatra
michael at rancid.berkeley.edu
Wed Feb 24 15:04:06 UTC 2010
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>> DNScurve advocates, on the other hand, point out that DNS isn't
>> encrypted. Well, neither is the phone book. So what?
> So the protocol is vulnerable to both local and remote forgery attacks,
> just like other unencrypted protocols
> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html>.
> For any that don't understand this point, there's a simple thought to
> prod them in the right direction: Do you remember why SSH and SSL were
> invented?
Do you understand the difference between encryption and authentication?
SSH and SSL do both because they protect the payload, which may be
sensitive, AND they want to verify that the server you're talking to is
really the one you want. DNS only needs authentication. DNSSEC
prevents forgery without encrypting the payload.
> Do you remember, say, the forgery problems with TELNET and
> HTTP?
The bigger problems with TELNET and HTTP were that they could be sniffed
on the wire to get confidential information like passwords. Forgery was
conveniently solved by cryptography along the way, but confidentiality
was an issue with these protocols, unlike with DNS.
> The /very same problems exist/ for unencrypted UDP/IP protocols
> such as DNS and NTP. And the solution is the same, too.
Yes, cryptographic signatures, not full encryption. Just like NTP with
Autokey.
michael
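An added illustration of the distinction drawn above (example code, not from the thread or from any DNSSEC implementation): an Ed25519 signature over an RRset, the analogue of an RRSIG checked against a DNSKEY (Ed25519 is DNSSEC algorithm 15, RFC 8080), lets a resolver detect a forged answer while the records themselves stay plaintext. The RR type, the textual canonical form and the example.net records are simplified, constructed stand-ins for real wire-format processing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RR is a simplified resource record (hypothetical type for this example).
type RR struct {
	Owner string
	TTL   uint32
	Type  string
	Data  string
}

// canonical serialises an RRset in a form signer and verifier agree on.
// Real DNSSEC canonical form is wire format with owner-name case folding and
// ordering (RFC 4034 section 6); this textual form only mimics the idea.
func canonical(rrs []RR) []byte {
	var b strings.Builder
	for _, rr := range rrs {
		fmt.Fprintf(&b, "%s %d IN %s %s\n", strings.ToLower(rr.Owner), rr.TTL, rr.Type, rr.Data)
	}
	return []byte(b.String())
}

// SignRRset produces the RRSIG analogue: a signature, not an encryption, so
// the records remain readable by anyone on the wire.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// VerifyRRset checks the signature with the zone's public key (DNSKEY analogue).
// Any change to owner, TTL, type or rdata makes verification fail.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []RR{{Owner: "www.example.net.", TTL: 3600, Type: "A", Data: "192.0.2.10"}}
	sig := SignRRset(priv, genuine)
	fmt.Println("genuine answer verifies:", VerifyRRset(pub, genuine, sig))
	// Constructed forgery: same name, different address, replayed signature.
	forged := []RR{{Owner: "www.example.net.", TTL: 3600, Type: "A", Data: "203.0.113.66"}}
	fmt.Println("forged answer verifies:", VerifyRRset(pub, forged, sig))
}
```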