On Thu, Feb 25, 2010 at 8:30 AM, Martin Rex <mrex@xxxxxxx> wrote:
> Phillip Hallam-Baker wrote:
>>
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>> * It is designed as a hack rather than an extension.
>> * It considers real world requirements that DNSSEC does not.
>
> What does DNSCurve additionally provide
> compared to a combination of traditional DNS with IPsec?

They appear to have an interest in actually listening to real world requirements. The DNSSEC folk just tell us that every hard problem is 'out of scope'. If an issue is out of scope for the IETF and out of scope for ICANN, then who is going to address it? You cannot solve a problem by ruling it out of scope.

Of course a combination of DNS and IPSec would be a better solution. But nobody has specified how to do it. DNS is a bootstrap protocol; you have to specify how the initial key exchange is achieved.

Full IPSec assumes that each side maintains state per connection. That is a bad choice for DNS. You would want to adapt IPSec to use a Kerberos-ticket-like approach so that only the DNS client needs to maintain state.

It is not that difficult for Vint Cerf and Steve Crocker to get Microsoft to put checkbox support for the DNSSEC protocol into their product. Getting a feature added to a Linux distribution is even easier. But there is a huge difference between doing that and getting a commitment to support it.

Defining the protocols is the easy part of PKI. The hard part is specifying the social interface that gives the PKI specific meaning. At the moment this is being left to DNS registrars, most of which have no idea what a CPS or a CP is and have no interest in finding out.

-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
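The "Kerberos ticket like" transport the message above sketches, as an added example that is not part of the original e-mail and is not DNSCurve, DNSSEC or IPsec code: a toy Python exchange in which the server holds only a master key and every query carries a ticket from which the server re-derives the session key, so only the client keeps state and the server needs no per-client table. TicketServer, TicketClient, the message layout, the zone data and the fake clock are all constructed for illustration; the initial delivery of the ticket and session key is assumed to happen over an already-protected bootstrap channel, which is exactly the part the post says DNS still has to specify.

```python
"""Toy stateless-server "ticket" transport for DNS queries.

Added illustration of the design point in the post above; not code from
DNSCurve, DNSSEC or IPsec. All names, keys, messages and data are constructed.
Message layouts (assumed for the example):
    query : ticket(20) || name || mac(16)
    reply : answer || mac(16)
"""
import hashlib
import hmac
import os
import struct

MAC_LEN = 16      # truncated HMAC-SHA256 tag (constructed choice)
TICKET_LEN = 20   # 4-byte expiry || 16 random bytes (constructed layout)


def derive_session_key(master_key: bytes, ticket: bytes) -> bytes:
    """K_s = HMAC(master, ticket): the server recomputes K_s from the ticket
    on every query instead of storing it, so it holds no per-client state."""
    return hmac.new(master_key, b"ticket-key" + ticket, hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class TicketServer:
    """Resolver side: owns only a master key and a clock, no session table."""

    def __init__(self, master_key: bytes, now):
        self.master_key = master_key
        self.now = now

    def issue_ticket(self, lifetime_s: int = 3600):
        """Bootstrap step, assumed to run over a protected channel that this
        example does not model. Returns (ticket, session_key); the server
        keeps neither."""
        expiry = int(self.now()) + lifetime_s
        ticket = struct.pack("!I", expiry) + os.urandom(16)
        return ticket, derive_session_key(self.master_key, ticket)

    def handle(self, msg: bytes, zone: dict):
        """Answer one query message, or return None if it is rejected."""
        if len(msg) < TICKET_LEN + MAC_LEN:
            return None
        ticket, name, tag = msg[:TICKET_LEN], msg[TICKET_LEN:-MAC_LEN], msg[-MAC_LEN:]
        (expiry,) = struct.unpack("!I", ticket[:4])
        if self.now() > expiry:
            return None                      # expired: client must re-bootstrap
        k = derive_session_key(self.master_key, ticket)
        if not hmac.compare_digest(mac(k, b"query" + ticket + name), tag):
            return None                      # forged ticket or tampered query
        answer = zone.get(name, b"NXDOMAIN")
        return answer + mac(k, b"reply" + ticket + name + answer)


class TicketClient:
    """Stub resolver side: the only party that keeps state (ticket + K_s)."""

    def __init__(self, ticket: bytes, session_key: bytes):
        self.ticket = ticket
        self.key = session_key

    def query(self, name: bytes) -> bytes:
        return self.ticket + name + mac(self.key, b"query" + self.ticket + name)

    def verify_reply(self, name: bytes, resp):
        """Return the authenticated answer, or None if the reply MAC fails."""
        if resp is None or len(resp) < MAC_LEN:
            return None
        answer, tag = resp[:-MAC_LEN], resp[-MAC_LEN:]
        expected = mac(self.key, b"reply" + self.ticket + name + answer)
        return answer if hmac.compare_digest(expected, tag) else None


def run_demo():
    """Constructed end-to-end run. Returns (honest, tampered, forged, expired)."""
    clock = [1_000_000]                      # fake clock for a deterministic expiry
    server = TicketServer(os.urandom(32), now=lambda: clock[0])
    zone = {b"example.com": b"192.0.2.1"}    # constructed zone data

    ticket, k = server.issue_ticket(lifetime_s=60)
    client = TicketClient(ticket, k)

    # 1. honest query and verified answer
    q = client.query(b"example.com")
    honest = client.verify_reply(b"example.com", server.handle(q, zone))

    # 2. on-path attacker flips one byte of the name; MAC no longer verifies
    t = bytearray(q)
    t[TICKET_LEN] ^= 1
    tampered = server.handle(bytes(t), zone)

    # 3. attacker fabricates a ticket without the master key
    fake = TicketClient(struct.pack("!I", clock[0] + 60) + os.urandom(16), os.urandom(32))
    forged = server.handle(fake.query(b"example.com"), zone)

    # 4. ticket expires; the server rejects it without having stored anything
    clock[0] += 61
    expired = server.handle(client.query(b"example.com"), zone)
    return honest, tampered, forged, expired


if __name__ == "__main__":
    print(run_demo())
```

The point to take from running it: the server object never stores a session key, a client address or a ticket, yet it rejects a tampered query, a ticket minted without the master key, and an expired ticket, while the honest client gets an answer it can authenticate. Everything the real design still owes is in the bootstrap step, which here is a bare function call.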