Michael Sinatra wrote:

> On 02/24/10 01:25, Jonathan de Boyne Pollard wrote:
>
>>> DNScurve advocates, on the other hand, point out that DNS isn't
>>> encrypted. Well, neither is the phone book. So what?
>>
>> So the protocol is vulnerable to both local and remote forgery attacks,
>> just like other unencrypted protocols
>> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/proxy-server-back-ends.html>.
>>
>> For any that don't understand this point, there's a simple thought to
>> prod them in the right direction: Do you remember why SSH and SSL were
>> invented?
>
> Do you understand the difference between encryption and authentication?
> SSH and SSL do both because they protect the payload, which may be
> sensitive, AND they want to verify that the server you're talking to is
> really the one you want. DNS only needs authentication. DNSSEC
> prevents forgery without encrypting the payload.
>
>> Do you remember, say, the forgery problems with TELNET and
>> HTTP?
>
> The bigger problems with TELNET and HTTP were that they could be sniffed
> on the wire to get confidential information like passwords. Forgery was
> conveniently solved by cryptography along the way, but confidentiality
> was an issue with these protocols, unlike with DNS.
>
>> The /very same problems exist/ for unencrypted UDP/IP protocols
>> such as DNS and NTP. And the solution is the same, too.
>
> Yes, cryptographic signatures, not full encryption. Just like NTP with
> Autokey.
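To illustrate the authentication-without-encryption point in the quoted exchange, here is an added example (not code from any of the posters or from BIND): a zone key signs an RRset that is published in the clear, and a validating resolver detects a tampered copy. It assumes a simplified text form of records and Ed25519 as the signing algorithm; real DNSSEC signs the wire-format RRset together with the RRSIG RDATA, which is omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a much simplified resource record: owner name, type and RDATA text.
type RR struct{ Name, Type, RData string }

// NewZoneKey stands in for the zone's DNSKEY pair (Ed25519 is DNSSEC algorithm 15).
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// canonicalRRset mimics DNSSEC's rule that an RRset is signed in canonical form
// (lower-cased owner, sorted records): reordering does not break the signature,
// but altering any record does. Real RRSIGs cover the wire format plus the
// RRSIG RDATA (validity window, key tag, signer name); that is omitted here.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+"\tIN\t"+rr.Type+"\t"+rr.RData)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone signer's step; the records themselves stay in the clear.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// VerifyRRset is the validating resolver's step: anyone on the path can read
// the answer, but any change to it invalidates the signature.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

func main() {
	pub, priv := NewZoneKey()
	rrs := []RR{{"www.example.test.", "A", "192.0.2.1"}}       // constructed sample
	forged := []RR{{"www.example.test.", "A", "198.51.100.9"}} // tampered copy
	sig := SignRRset(priv, rrs)
	fmt.Println(VerifyRRset(pub, rrs, sig), VerifyRRset(pub, forged, sig)) // true false
}
```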
Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only, and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC, and nothing in NTP is encrypted.

Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users