[Cryptography] Doing DNS properly Re: Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Wed Jun 30 07:31:08 EDT 2021



> On Jun 30, 2021, at 5:34 AM, Donald Eastlake <d3e3e3 at gmail.com> wrote:
>> TSIG is fine but doesn't work as an authentication scheme because
>> there is no key agreement mechanism.

TSIG works very well for me, some 200,000,000 times per day.  It has successfully protected each and every one of our *XFRs without fail for twenty years.  Accounting for growth over time, that’s somewhere on the order of a trillion successes, with no failures, and we’re just one organization among millions that have benefitted from TSIG.

>> We could have easily done it right but ...

…then the perfect would have been the enemy of the good, and we’d have had twenty years without protection, and countless more compromises in the meantime.  It’s easy to imagine other solutions, but TSIG is a good tool for the actual problem that needed to be solved.  It has the right amount of human interaction at set-up time, and its simplicity makes it relatively robust against subsequent failure.

                                -Bill
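What TSIG actually protects on a zone transfer, as an added example that is not part of the thread or of any named implementation: an AXFR request is signed with HMAC-SHA256 over the message plus the TSIG variables laid out in RFC 8945, and the verifier rejects a tampered message, a wrong key, or a stale timestamp outside the fudge window. The key name, secret and timestamp are constructed; the parser assumes uncompressed names and that the TSIG RR is the final record, and the secret is pre-shared out of band, which is exactly the set-up step the thread is debating.

```python
"""Added example: TSIG (RFC 8945) HMAC-SHA256 signing and verification of a DNS
request. Constructed key/secret/timestamp; uncompressed names; TSIG RR is last."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."


def encode_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def skip_name(wire: bytes, off: int) -> int:
    """Offset just past an uncompressed name that starts at off."""
    while wire[off] != 0:
        off += 1 + wire[off]
    return off + 1


def build_query(qname: str, qtype: int, qid: int) -> bytes:
    """Minimal DNS query with QDCOUNT=1 (QTYPE 252 is AXFR)."""
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(qname)
            + struct.pack("!HH", qtype, 1))


def u48(value: int) -> bytes:
    """48-bit big-endian Time Signed field."""
    return struct.pack("!Q", value)[2:]


def tsig_variables(keyname: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """'TSIG Variables' (RFC 8945 s4.3.3): key name, CLASS ANY, TTL 0, algorithm,
    Time Signed, Fudge, Error, Other Len, Other Data."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM) + u48(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, keyname: str, secret: bytes, time_signed: int,
              fudge: int = 300) -> bytes:
    """Append a TSIG RR to a request. The MAC covers the whole message (before the
    TSIG RR is added) plus the TSIG variables, so a change to either is detected."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge),
                   hashlib.sha256).digest()
    qid = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + u48(time_signed) + struct.pack("!H", fudge)
             + struct.pack("!H", len(mac)) + mac
             + struct.pack("!HHH", qid, 0, 0))  # Original ID, Error, Other Len
    rr = (encode_name(keyname)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed: bytes, keyname: str, secret: bytes, now: int) -> str:
    """Verify a signed request; returns 'ok' or the reason for rejection."""
    qid, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4  # QNAME + QTYPE + QCLASS
    last, rtype = None, None
    for _ in range(an + ns + ar):
        last = off
        off = skip_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if last is None or rtype != TSIG_TYPE:
        return "no TSIG record"
    p = skip_name(signed, last)
    if signed[last:p] != encode_name(keyname):
        return "unknown key"
    p += 10  # TYPE, CLASS, TTL, RDLENGTH
    alg_end = skip_name(signed, p)
    time_signed = int.from_bytes(signed[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[alg_end + 6:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    orig_id = struct.unpack("!H", signed[alg_end + 10 + mac_size:alg_end + 12 + mac_size])[0]
    if signed[p:alg_end] != encode_name(ALGORITHM):
        return "unsupported algorithm"
    if orig_id != qid:
        return "original ID mismatch"
    if abs(now - time_signed) > fudge:
        return "outside fudge window"
    # Rebuild what the signer covered: message without the TSIG RR, ARCOUNT - 1.
    body = signed[:10] + struct.pack("!H", ar - 1) + signed[12:last]
    expected = hmac.new(secret, body + tsig_variables(keyname, time_signed, fudge),
                        hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(mac, expected) else "bad MAC"


def demo() -> dict:
    """Sign an AXFR request and show the verification outcomes (constructed inputs)."""
    secret = b"constructed-example-secret-not-a-real-key"
    key, now = "xfer-key.example.", 1625045468
    signed = tsig_sign(build_query("example.com.", 252, 0x1234), key, secret, now)
    # Flip one byte of the QNAME after signing; lengths are unchanged.
    tampered = signed[:12] + signed[12:].replace(b"\x07example", b"\x07exampl3", 1)
    return {
        "valid": tsig_verify(signed, key, secret, now + 10),
        "tampered": tsig_verify(tampered, key, secret, now + 10),
        "wrong_key": tsig_verify(signed, key, b"other-secret", now + 10),
        "stale": tsig_verify(signed, key, secret, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The fudge check is why TSIG needs roughly synchronized clocks between primary and secondary, and the `compare_digest` call is the constant-time comparison a verifier should use; everything else in the request, including the query name and the message ID, is bound into the MAC.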


