[Cryptography] Doing DNS properly Re: Apple's iCloud+ "VPN"

[Phillip Hallam-Baker]

On Wed, Jun 30, 2021 at 5:13 PM Bill Woodcock <woody at pch.net> wrote:

>
>
> > On Jun 30, 2021, at 5:34 AM, Donald Eastlake <d3e3e3 at gmail.com> wrote:
> >> TSIG is fine but doesn't work as an authentication scheme because
> >> there is no key agreement mechanism.
>
> TSIG works very well for me, some 200,000,000 times per day.  It has
> successfully protected each and every one of our *XFRs without fail for
> twenty years.  Accounting for growth over time, that’s somewhere on the
> order of a trillion successes, with no failures, and we’re just one
> organization among millions that have benefitted from TSIG.
>
> >> We could have easily done it right but ...
>
> …then the perfect would have been the enemy of the good, and we’d have had
> twenty years without protection, and countless more compromises in the
> mean-time.  It’s easy to imagine other solutions, but TSIG is a good tool
> for the actual problem that needed to be solved.  It has the right amount
> of human interaction at set-up time, and its simplicity makes it relatively
> robust against subsequent failure.
>


You are completely missing my point that what we needed was TSIG + a key
agreement (which Donald points out was already specified).

TSIG was the right tool at that time, all we needed was to extend the
client which had to be touched anyway. But DNSSEC was the perfect which in
that case was the enemy of the good.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210630/a689edca/attachment.htm>