Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The same could be said of PGP when it was first launched.

There was only one version of PGP against multiple PEM
implementations. Phil Z. made clear he didn't give a wetslap about the
patents.And I have been asking ICANN for months how I get a key for my
DNS zones into the system and have never got a reply.

Signing the .com zone is irrelevant until we have a process for
putting the key in. Several people are aware that I am asking this
question and will be speaking on DNSSEC at RSA next week. The fact
that the answer has been invariably 'I will get back to you on that'
and not 'here is the document you need to read' is itself rather
significant.


Note however, that I said that DNScurve could win, not that it would.
The IETF response to Phil Z. was to tell him to get lost and not
bother them. As a result PEM did not address the issues that Phil Z.
raised, and Phil went off and wrote his own code. The PEM group could
have taken Phil seriously instead, taken note of the objections and
actually answered them.

As a result we ended up with two systems, neither of which could have
been as good as if the PEM folk had been willing to be more open.


There is another approach to DNSSEC that could get us to market in a
fraction of the time that current systems would, or DNScurve for that
matter.

Instead of positioning DNSSEC as an alternative to SSL certificates,
co-opt the legacy base and more importantly the legacy infrastructure
of domain validated certificate providers. There is a base of a
million already issued certs out there. DNSSEC is way outside the
comfort zone of most registrars, it is something that the SSL
providers can easily support.

Al that has been written or deployed so far is publication
infrastructure. Nobody can deploy or test standards based validation
infrastructure until the root is signed and a lot more happens
besides.


If DNSSEC is successful it will inevitably erode and eventually
eliminate domain validated SSL certs. Which would provide a pretty big
business incentive for the incumbents to oppose. If instead we make a
minor adjustment of approach we could create a very major incentive
for most of the SSL certificate issuers to back DNSSEC.


On Wed, Feb 24, 2010 at 1:04 PM, Tony Finch <dot@xxxxxxxx> wrote:
> On Wed, 24 Feb 2010, Phillip Hallam-Baker wrote:
>
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>
> It has a LOT of catching up to do. DNScurve has no publicly available
> implementations. DNSSEC will be deployed in the most important zones by
> the end of this year.
>
>> * It considers real world requirements that DNSSEC does not.
>
> DNScurve ignores algorithm agility and patent problems.
>
> Tony.
> --
> f.anthony.n.finch  <dot@xxxxxxxx>  http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.
>



-- 
-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]