[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Paul Wouters paul at cypherpunks.ca
Sat Sep 7 15:21:02 EDT 2013


On Sat, 7 Sep 2013, Gregory Perry wrote:

> Insecure DNS deployments are probably in the top five attack vectors
> for remotely compromising internal network topologies, even those
> sporting split DNS configurations.  As you were "...deeply involved in the
> IETF's DNSEXT working group" then I presume you know this.

> Correct me if I am wrong, but in my humble opinion the original intent
> of the DNSSEC framework was to provide for cryptographic authenticity
> of the Domain Name Service, not for confidentiality (although that
> would have been a bonus).

Yes, that was the original intent, but I remember the reason for opt-in
was that it was impossible to realistically fit the .com zone in the RAM
of modern servers at the time. Also, signing would have taken much longer
to generate all the NSEC(3) records.

In general, the TLDs preferred a phased-in deployment where they could
exchange hardware over time. That is what opt-in offered, at the expense
of making spoofing just a tiny bit harder instead of much harder for
non-DNSSEC domains. Seems like a normal economically based decision to me.

These days, I don't think anyone should still run with opt-in anymore.

> There are many different camps within the DoD.

About as many as we have cryptography and cypherpunks mailing lists :P

Paul
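As an added illustration of the trade-off Paul describes (example code written for this page, not from the list or from any DNS implementation): it parses NSEC3 records in presentation form, reads the Opt-Out flag of RFC 5155, the standardized form of the opt-in idea, and reports what a record with that flag can and cannot prove about a name in its span. The records and hashed names used in the usage below are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags field, Opt-Out bit (RFC 5155 section 3.1.2.1)
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

@dataclass
class Nsec3:
    owner: str        # hashed owner label (base32hex, upper case)
    flags: int
    iterations: int
    salt: bytes
    next_owner: str   # next hashed owner in the zone's NSEC3 chain
    def opt_out(self):
        return bool(self.flags & OPT_OUT)

def parse_nsec3(line):
    """Presentation form: '<hash>.tld. 3600 IN NSEC3 1 1 12 aabbccdd <next> NS RRSIG'."""
    f = line.split()
    i = f.index("NSEC3")
    salt = b"" if f[i + 4] == "-" else bytes.fromhex(f[i + 4])
    return Nsec3(f[0].split(".")[0].upper(), int(f[i + 2]), int(f[i + 3]),
                 salt, f[i + 5].upper())

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 of wire-format name + salt, iterated, as base32hex."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX)

def covers(rr, hashed):
    """True if `hashed` lies strictly in the gap (owner, next); the last RR wraps to the first."""
    if rr.owner < rr.next_owner:
        return rr.owner < hashed < rr.next_owner
    return hashed > rr.owner or hashed < rr.next_owner

def assess(rr, hashed):
    """What a validating resolver may conclude about `hashed` from this RR alone."""
    if hashed == rr.owner:
        return "exists"
    if not covers(rr, hashed):
        return "not covered"
    # Under Opt-Out the gap may hide unsigned delegations, so the RR only proves no
    # signed name is there: a referral is accepted as insecure, not rejected.
    return "insecure delegation possible" if rr.opt_out() else "does not exist"
```

Feed it a constructed record such as `0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.example. 3600 IN NSEC3 1 1 12 aabbccdd GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA NS SOA RRSIG` and `assess()` returns "insecure delegation possible" for any hash in the gap, which is exactly why a non-DNSSEC domain under an opt-out zone gains so little.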

