Phillip,
On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote:
> I took a look at DNSCurve. Some points:
>
> * It could certainly win.
> * It is designed as a hack rather than an extension.
> * It considers real world requirements that DNSSEC does not.
>
> On the 'winning' front. Have people noticed that the IETF has only
> ever succeeded in developing security standards by appropriating
> systems that had already defeated the IETF generated solution? PGP was
> not developed in house, it was a reaction to PEM. SSL was developed by
> Netscape. X.509 came from OSI.
DNSCurve and DNSSEC are orthogonal, and solve different - if related -
problems.
DNSSEC declares out of scope:
* the channel where DS records get added to the parent
* encryption (which I think DNSCurve provides)
DNSCurve declares out of scope:
* the channel where the magic NS records get added to the parent
* the channel where records get sent from the parent to the name
servers in the RRSET
* master or slave name server compromises
* off-line secret key handling
Depending on what you consider important, either technology may or may
not be what you want. You could, in principle, use both, and it actually
would provide different types of security.
--
Shane
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf