On Sun, 8 Sep 2013, Daniel Cegiełka wrote:
Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
> http://www.youtube.com/watch?v=K8EGA834Nok Is DNSSEC really the right solution?
That is the most unprofessional talk I've seen djb give. He bluffed a bunch of fanboys with no knowledge of DNSSEC into believing it was bad. His claims about caching, amplification, etc. were completely wrong, as Kaminsky and I spent days pointing out after that CCC talk:

http://dankaminsky.com/2011/01/05/djb-ccc/
http://dankaminsky.com/2011/01/07/cachewars/

He seems to mostly engage in DNSSEC bashing to advertise his curve25519, dnscurve and his "curve25519 the entire internet" ideas.

The easiest number to debunk was the DNS cache hit rate. The day after his talk I collected statistics from the CCC event itself, a large Dutch ISP and one of the largest American ISPs, and the numbers were above 80% at minimum and close to 99% for the DNS cache at the CCC itself.

His suggestion to pollute port 53 with non-DNS traffic, and to kill DNS data authentication and replace it with transport-only security, has always been rejected by the community at large as insane. His proposal to DDoS all DNS servers by making them perform crypto isn't very realistic for deployments either.

DNSSEC is the result of a lot of fundamental design goals such as "100% backwards compatibility", data authenticity, offline crypto signing, crypto agility, not bypassing the cache infrastructure, etc. etc.

Do I trust curve25519 more than the NIST curves? Yes I do. Do I think djb should design internet protocols? No.

DNSSEC is a very secure and reasonable compromise for all the requirements various parties had to secure the DNS. If you believe that is not the case, please speak out with verifiable technical arguments, and not with video hype. And I'll gladly take the time to explain things.

Paul
