Exponent 3 damage spreads...

Ben Laurie ben at algroup.co.uk
Mon Sep 11 04:03:07 EDT 2006


James A. Donald wrote:
>     --
> James A. Donald wrote:
>> > What is the penetration of Secure DNS?
> 
> Ben Laurie wrote:
>> Anyone who is running any vaguely recent version of
>> BIND is DNSSEC enabled, whether they are using it now
>> or not.
> 
> I am not well informed about DNSSEC, but I am under the
> impression that:
> 
> 1.  Actually using DNSSEC is a major performance hit.

No more than using SSL. Well, not much more :-)

> 2.  Actually using DNSSEC requires manual secure master
> public key distribution, which  people are disinclined
> to do, and which may not scale very well, unless
> unspecified institutions and arrangements are put in
> place.

Key distribution is, indeed, an open question. Certainly manual key
distribution is not a solution.

> 3.  No one actually uses DNSSEC in the wild.

I don't know whether this is true or not. Finding out what people do and
don't do with DNS is hard.

> Please advise me if these impressions are wrong, or have
> become outdated.
> 
> I realize that I sound like a cold wet sponge with a non
> stop stream of unpleasantly negative posts, but one of
> the reasons that cryptography is not widely used is that
> the various standards, processes, and tools are not in
> fact very usable.

Doesn't bother me any, it's just that I happen to have done work on
DNSSEC, so I figured I should alert those who care to the problem.

> Implementing protocols requires widespread consensus,
> but when too many people show at a meeting then either
> nothing gets done, or the outcome is extremely stupid,
> or both, and anyone who points to big problems in what
> is being done is dismissed as out of order or off topic
> in order to create the semblance of progress, with the
> result that what little progress occurs is usually in
> the wrong direction.

That seems a rather harsh judgement of a working group you say you're
not informed about.

Not that I totally disagree: the work I did on DNSSEC was initially
dismissed as out of order and off topic, and it took a lot of effort to
get people to accept that the problem was genuine. :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com