You do not make problems disappear by declaring them out of scope. Security systems are social systems. If you have not considered the business and social issues, you haven't got a system.

Security is about people, not protocols.

On Wed, Feb 24, 2010 at 2:30 PM, Shane Kerr <sh...@isc.org> wrote:
> Phillip,
>
> On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote:
>> I took a look at DNSCurve. Some points:
>>
>> * It could certainly win.
>> * It is designed as a hack rather than an extension.
>> * It considers real world requirements that DNSSEC does not.
>>
>> On the 'winning' front. Have people noticed that the IETF has only
>> ever succeeded in developing security standards by appropriating
>> systems that had already defeated the IETF generated solution? PGP was
>> not developed in house, it was a reaction to PEM. SSL was developed by
>> Netscape. X.509 came from OSI.
>
> DNSCurve and DNSSEC are orthogonal, and solve different - if related -
> problems.
>
> DNSSEC declares out of scope:
>
> * the channel where DS records get added to the parent
> * encryption (which I think DNSCurve provides)
>
> DNSCurve declares out of scope:
>
> * the channel where the magic NS records get added to the parent
> * the channel where records get sent from the parent to the name
>   servers in the RRSET
> * master or slave name server compromises
> * off-line secret key handling
>
> Depending on what you consider important, either technology may or may
> not be what you want. You could, in principle, use both, and it actually
> would provide different types of security.
>
> --
> Shane
>
> --

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week, http://quantumofstupid.com/

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf