On 01/23/2011 02:06 PM, Kevin Chadwick wrote:
On Sat, 15 Jan 2011 06:28:51 -0500
Josh Smith<juice...@gmail.com>  wrote:

<tongue in cheek flame>
I've got to say I'm surprised the DNS server in the base system of the
world's most secure OS is not able to validate DNSSEC responses
</tongue in cheek flame>
Actually there is much debate about how much security DNSSEC adds,
at least currently. Even OpenSSL has had its bugs. It is clear, however,
that it makes denial of service attacks much easier. The tcp resolv.conf
option (quite possibly unique to OpenBSD) can already add much security
to your resolving too. I imagine DNSSEC has very little to do with the
unbound import.

I am certainly not saying don't use DNSSEC, but you need to bear in mind
the consequences. DNSSEC was known to need revising when it was rolled
out, but I believe it was implemented to give it many kicks in the
direction of getting it right, as throwing millions of dollars at it
wasn't ironing much out.

Any axe murderers out there? ;-)


Debate indeed; it potentially creates new problems. See here (http://dnscurve.org/nsec3walker.html) and here (http://dnscurve.org/amplification.html) for examples. It's Dan Bernstein's writing, so it's definitely an alternate viewpoint :) But what he says is interesting on paper, though his scheme could end up the Betamax to DNSSEC's VHS.

Corey
