[Cryptography] Preliminary review of the other Applied Cryptography

Donald Eastlake d3e3e3 at gmail.com
Thu Apr 10 11:26:49 EDT 2014


On Wed, Apr 9, 2014 at 3:46 PM,  <tpb-crypto at laposte.net> wrote:
>> ...
>
> Most of us can relate to that, the "SEC" in DNSSEC is kind of misleading to put it mildly. Of "SEC", DNSSEC has nothing. People were expecting some form of encryption to the standard when it was first announced

That's a load of crap.

I've got nothing against adding encryption to DNS. Requirements and
protocols evolve. It is probably a good idea given the current state
of the Internet. But from the very first draft

http://tools.ietf.org/html/draft-ietf-dnssec-secext-00

DNSSEC made the kinds of services it was going to provide explicit and
these never included encryption:
 - Data Origin Authentication
 - DNS Transaction Authentication
 - Key Distribution

(DNSSEC evolved quite a bit from that -00 draft even before the first RFC 2065.)

At the time, it was just taken as a given that all information in the
DNS was public. There was no demand for encryption. That "People were
expecting some form of encryption" is demonstrably false.

Peter Gutmann may hate DNSSEC but he does say:
"although in all fairness its origins can be traced all the way back
to a mid-1980s US Department of Defence mandate to secure DNS data on
the ARPA internet followed by some work done by a defence contractor
in the early 1990s in response to a DNS security scare in 1990, when
the Internet environment was very different from what it is today"

Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3 at gmail.com
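The distinction the message draws, that DNSSEC gives data origin authentication (and transaction authentication and key distribution) but no confidentiality, is easy to see in a small model. The code below is an added example written for this page; it is not from the message, the draft it cites, or any DNS software. It uses a constructed, deliberately tiny textbook-RSA key (two Mersenne primes) and a simplified canonical RRset form as stand-ins for the real DNSSEC algorithms and RFC 4034 canonical ordering, and the owner name and addresses are constructed sample values. What it shows: an observer on the wire reads every record in the clear, while a validator with the public key detects any change to the records.

```python
"""Toy model of DNSSEC's security services: authentication, not encryption.

Assumptions (constructed for this example, not real DNSSEC parameters):
  - textbook RSA over two small Mersenne primes instead of a real DNSKEY
  - a simplified canonical RRset encoding instead of RFC 4034 wire format
"""
import hashlib
from typing import List, Tuple

# Constructed toy key: far too small for any real use, chosen so the example is deterministic.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537


def _modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


D = _modinv(E, (P - 1) * (Q - 1))  # private exponent of the toy key


def canonical_rrset(owner: str, rtype: str, rdata: List[str]) -> bytes:
    """Canonical form of an RRset: lowercased owner name, RDATA sorted, one record per line.

    This mirrors why DNSSEC signatures survive case changes and reordering: the signature
    covers the canonical form, not the bytes as any particular resolver happened to see them.
    """
    lines = [f"{owner.lower()} {rtype} {r}" for r in sorted(rdata)]
    return "\n".join(lines).encode()


def _digest_as_int(owner: str, rtype: str, rdata: List[str]) -> int:
    digest = hashlib.sha256(canonical_rrset(owner, rtype, rdata)).digest()
    return int.from_bytes(digest, "big") % N


def sign_rrset(owner: str, rtype: str, rdata: List[str]) -> int:
    """Zone owner's side: sign the hash of the canonical RRset (toy RRSIG)."""
    return pow(_digest_as_int(owner, rtype, rdata), D, N)


def verify_rrset(owner: str, rtype: str, rdata: List[str], sig: int) -> bool:
    """Validator's side: recompute the hash and check it against the signature with the public key."""
    return pow(sig, E, N) == _digest_as_int(owner, rtype, rdata)


def on_the_wire(owner: str, rtype: str, rdata: List[str], sig: int) -> bytes:
    """What a passive observer sees: the records and the signature, all in the clear."""
    return canonical_rrset(owner, rtype, rdata) + b"\nRRSIG " + str(sig).encode()


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (observer_can_read, genuine_verifies, tampered_verifies, case_variant_verifies)."""
    owner, rtype = "www.example.net.", "A"
    rdata = ["192.0.2.10", "192.0.2.11"]  # constructed sample addresses from the RFC 5737 test block
    sig = sign_rrset(owner, rtype, rdata)

    wire = on_the_wire(owner, rtype, rdata, sig)
    observer_can_read = b"192.0.2.10" in wire          # no confidentiality: plaintext on the wire

    genuine = verify_rrset(owner, rtype, rdata, sig)    # data origin authentication holds
    tampered = verify_rrset(owner, rtype, ["192.0.2.10", "203.0.113.5"], sig)  # swapped address
    case_variant = verify_rrset("WWW.Example.NET.", rtype, rdata, sig)          # canonical form
    return observer_can_read, genuine, tampered, case_variant


if __name__ == "__main__":
    print(demo())
```

The four booleans returned by `demo()` are the whole point: the observer reads the addresses (True), the unmodified RRset verifies (True), the RRset with a substituted address does not (False), and a case-variant spelling of the owner name still verifies (True) because the signature is over the canonical form. Adding confidentiality would be a separate mechanism layered on transport, not something a signature over public data can provide.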

