On Mar 1, 2010, at 8:34 AM, Joe Baptista wrote:

> Please remember the Kaminsky dns bug did not identify a security problem with the DNS but the UDP transport.

The problem Dan Kaminsky exploited is a known weakness in the DNS protocol, specifically that a 16-bit identifier space is too small.

> DNScurve fixes the problem today without having to spend 15 more years getting it right.

Not really. Ignoring for the moment that there is a limited amount of deployed software that supports DNScurve, DNScurve addresses the DNS protocol problem by protecting the channel of communication. It doesn't actually protect DNS data.

> And it does not cost a fortune to implement.

How much did it cost you to implement DNScurve? Did you make your code open source or otherwise available?

> And DNSSEC does not solve the UDP issue.

Actually, DNSSEC does address the DNS protocol issue by ensuring any modification to DNS data can be identified. In the DNSSEC world, it no longer matters how you get the DNS data or what channel the data comes over or how secure that channel is. The same is not true of DNScurve.

> And that is the problem DNScurve fixes NOW.

DNSSEC is already deployed in 12 top-level domains and the root is in the process of being signed. Multiple interoperable implementations of DNSSEC exist in production software.

> Together let's exercise some common sense and support draft-dempsky-dnscurve-01.

As has been pointed out on several occasions, DNSSEC and DNScurve are not mutually exclusive. Of course, if you implement DNSSEC, the protections provided by DNScurve are superfluous (and the opposite isn't true), but that doesn't stop anyone from deploying both.

Regards,
-drc

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
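The "16-bit identifier space" point made in the reply above is easy to see in the DNS header itself. The following is an added example (not code from either correspondent, nor from any DNSSEC or DNScurve implementation): it builds and parses the fixed 12-byte DNS header from RFC 1035, shows the acceptance check a resolver applies to an incoming reply, and quantifies how many blind guesses a forger needs against the bare 16-bit ID versus the ID combined with a randomized 16-bit source port. The function names and the constructed query/response values are this example's own; the source-port randomization it models is the widely deployed mitigation described in RFC 5452, which the mail itself does not discuss.

```python
import struct

# DNS header layout (RFC 1035, section 4.1.1): six 16-bit big-endian fields.
# ID | FLAGS | QDCOUNT | ANCOUNT | NSCOUNT | ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # top bit of FLAGS: 0 = query, 1 = response

def build_header(txid, is_response, qdcount=1, ancount=0):
    """Pack a 12-byte DNS header; only the QR bit of the flags word is set."""
    flags = QR_BIT if is_response else 0
    return HEADER.pack(txid, flags, qdcount, ancount, 0, 0)

def parse_header(data):
    """Unpack the header fields a resolver looks at before anything else."""
    txid, flags, qd, an, _ns, _ar = HEADER.unpack_from(data, 0)
    return {"id": txid, "qr": bool(flags & QR_BIT), "qdcount": qd, "ancount": an}

def response_accepted(outstanding, resp_bytes, resp_src_port):
    """The classic acceptance check: reply bit set, transaction ID matches the
    query we sent, and the reply comes from the port we sent it to.
    `outstanding` is this example's record of one in-flight query."""
    hdr = parse_header(resp_bytes)
    return (hdr["qr"]
            and hdr["id"] == outstanding["id"]
            and resp_src_port == outstanding["port"])

def guess_space_bits(port_randomized):
    """Bits a blind forger must guess: 16 for the ID alone, 32 when the
    resolver also randomizes its UDP source port (RFC 5452)."""
    return 32 if port_randomized else 16

def forgery_success_probability(attempts, port_randomized):
    """Probability that `attempts` distinct blind guesses hit the one
    outstanding query (sampling without replacement from the guess space)."""
    space = 2 ** guess_space_bits(port_randomized)
    return min(attempts, space) / space

if __name__ == "__main__":
    # Constructed sample: one outstanding query with a fixed ID and port.
    query = {"id": 0x1A2B, "port": 53000}
    good = build_header(0x1A2B, is_response=True, ancount=1)
    bad_id = build_header(0x1A2C, is_response=True, ancount=1)
    print("genuine reply accepted:", response_accepted(query, good, 53000))
    print("wrong-ID reply accepted:", response_accepted(query, bad_id, 53000))
    print("wrong-port reply accepted:", response_accepted(query, good, 53001))
    for randomized in (False, True):
        print(f"port randomized={randomized}: 65536 guesses succeed with p="
              f"{forgery_success_probability(65536, randomized):.6f}")
```

With the ID alone, 65536 guesses exhaust the space and a forger is certain to hit; with the source port randomized as well, the same effort succeeds with probability 2^-16. That is the gap the reply refers to when it calls the identifier space too small, and why DNSSEC's data signatures matter: they detect a forged answer no matter how the guessing turns out.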