[Cryptography] "Is DNSSEC is really the right solution?" [djb video]

[Paul Wouters]

On Sun, 8 Sep 2013, Daniel Cegiełka wrote:

> Subject: Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

> http://www.youtube.com/watch?v=K8EGA834Nok
>
> Is DNSSEC is really the right solution?

That is the most unprofessional talk I've seen djb give. He bluffed a
bunch of fanboys with no knowledge of DNSSEC that it was bad. His claims
about caching, amplification, etc were completely wrong, as Kaminsky and I
spend pointing out in the days after that CCC talk.

http://dankaminsky.com/2011/01/05/djb-ccc/
http://dankaminsky.com/2011/01/07/cachewars/

He seems to mostly egage in DNSSEC bashing to advertise his curve25519,
dnscurve and his "curve25519 the entire internet" ideas.

The easiest number to debunk was the DNS cache hit rate. The day after
his talk I collected statistics from the CCC event itself, A large Dutch
ISP and one of the largest American ISPs, and the numbers were above 80%
at minimum and close to 99% for the dns cache at the CCC itself.

His suggestion to pollute port 53 with non-DNS traffic, and to kill DNS
data authentication and replace it with transport-only security have
always been rejected by the community at large as insane. His proposal
to DDOS all DNS servers by making them perform crypto isn't very
realistic for deployments either.

DNSSEC is the result of a lot of fundamental design goals such as "100%
backwards compatibility", data authenticity, offline crypto signing,
crypto agility, not bypassing the cache infrastructure, etc etc.

Do I trust curve25519 more then the NIST curves? Yes I do. Do I think
djb should design internet protocols. No.

DNSSEC is a very secure and reasonable compromise for all the
requirements various parties had to secure the DNS. If you believe that
is not the case, please speak out with verifiable technical arguments,
and not with video hype. And I'll gladly take the time to explain
things.

Paul