DNS Encryption -- IETF Draft
Hello, The author of a draft proposal on signed and encrypted DNS has submitted it to the IETF; a link was posted to a Toronto Asterisk (open source VOIP/telephony) mailing list. One of the main purposes of having this facility is to prevent DNS spoofing and "man in the middle" attacks. I thought this may be of interest to our audience: http://www.e164.org/docs/draft-groth-dns-encryption-00.txt One notable aspect of the draft (and a reason for its interest to the open source community) is its use of OpenPGP keys rather than X.509 certificates:
It would be a bad security decision to use X.509 certificates, SMTP-TLS has shown that very few commercial certificates have been purchased, most people use self-signed or invalid certificates.
Also:
With current threats existing for very short periods, typically hours to days at most, there is no practical reason for keys to expire in 1 or even 5 years, the primary reason most certificates expire with such frequency is due to monetary reason which is detrimental to security.
I hope this is of interest. The reason this was sent on a telephony list is because of the use of NAPTR resource records in DNS entries (see RFC 2915) to store telephone/VOIP number names as well as conventional Internet domain names. - Evan
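The NAPTR/telephony connection above is the reason DNS spoofing matters so much to the VOIP crowd: an ENUM lookup turns a phone number into a DNS name and the NAPTR answer rewrites it into a SIP or mailto URI, so a forged answer silently redirects the call. The following is an added illustration, not code from the thread or from the draft, showing the two mechanics involved: the reversed-digit e164.arpa naming convention used by ENUM, and the RFC 2915 NAPTR regexp field (delimiter, extended regular expression, replacement with backreferences, flags). The record set is constructed for the example; real lookups would come from a resolver, and the "u" flag (terminal URI record) and "E2U+..." service names are the ENUM usage of those fields.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed NAPTR record set standing in for what a resolver would return.
# Tuple layout follows the RFC 2915 RDATA order:
# (order, preference, flags, service, regexp, replacement)
NaptrRecord = Tuple[int, int, str, str, str, str]
SAMPLE_NAPTR: Dict[str, List[NaptrRecord]] = {
    "0.0.1.0.0.1.0.5.5.5.1.e164.arpa": [
        (200, 10, "u", "E2U+email:mailto", "!^.*$!mailto:alice@example.com!", ""),
        (100, 20, "u", "E2U+sip", r"!^\+1(.*)$!sip:\1@pbx.example.net!", ""),
        (100, 10, "u", "E2U+sip", "!^.*$!sip:alice@example.com!", ""),
    ],
}


def e164_to_enum_domain(number: str, suffix: str = "e164.arpa") -> str:
    """Map an E.164 number (+15550100100) to its ENUM name: digits reversed,
    dot-separated, under e164.arpa."""
    number = number.strip()
    if not number.startswith("+"):
        raise ValueError("expected an E.164 number beginning with '+'")
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(regexp: str, subject: str) -> Optional[str]:
    """Apply an RFC 2915 regexp field of the form <delim>ere<delim>repl<delim>flags
    to the subject string. Returns the rewritten string, or None if the ERE
    does not match. A backslash-escaped delimiter inside the ERE is not
    supported here and is rejected as malformed."""
    if len(regexp) < 3:
        raise ValueError("malformed NAPTR regexp")
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError("NAPTR regexp must be <delim>ere<delim>repl<delim>flags")
    ere, repl, flags = parts
    if flags not in ("", "i"):
        raise ValueError("unsupported NAPTR regexp flag: %r" % flags)
    # Python's re is close enough to POSIX ERE for the patterns ENUM uses.
    pattern = re.compile(ere, re.IGNORECASE if flags == "i" else 0)
    match = pattern.search(subject)
    if match is None:
        return None
    # Replacement may reference capture groups as \1 .. \9.
    return match.expand(repl)


def resolve_enum(number: str, records: Dict[str, List[NaptrRecord]],
                 service: str = "E2U+sip") -> List[str]:
    """Return the URIs for `number` for the requested ENUM service, walking the
    NAPTR set in (order, preference) sequence and applying each terminal
    ('u' flag) record's regexp to the original E.164 number."""
    domain = e164_to_enum_domain(number)
    rrset = sorted(records.get(domain, []), key=lambda r: (r[0], r[1]))
    uris: List[str] = []
    for _order, _pref, flags, svc, regexp, _replacement in rrset:
        if svc.lower() != service.lower():
            continue
        if flags.lower() != "u":
            continue  # non-terminal records would require a further lookup
        uri = apply_naptr_regexp(regexp, number)
        if uri is not None:
            uris.append(uri)
    return uris


if __name__ == "__main__":
    print(e164_to_enum_domain("+1 555 010 0100"))
    print(resolve_enum("+15550100100", SAMPLE_NAPTR))
```

Running the module prints the ENUM name for the constructed number and the two SIP URIs in preference order; anything that can substitute its own NAPTR answer controls that list, which is the exposure both the draft's signing scheme and DNSSEC aim to close.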
John and all, Hear, hear! And it's nearly a decade late in getting it broadly implemented as well... Domain Names and associated Name servers that do not have DNSSEC implemented fully are rapidly becoming or have already become "Zombie Spam sites" and represent a serious danger to ALL users everywhere. John Levine wrote:
The author of a draft proposal on signed and encrypted DNS has submitted it to the IETF; a link was posted to a Toronto Asterisk (open source VOIP/telephony) mailing list.
It's sort of interesting, but it's a decade too late to derail the DNSSEC train.
R's, John
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org http://atlarge-lists.icann.org/mailman/listinfo/alac_atlarge-lists.icann.org
At-Large Official Site: http://atlarge.icann.org
Regards, Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827
At 17:35 01/07/2008, John Levine wrote:
The author of a draft proposal on signed and encrypted DNS has submitted it to the IETF; a link was posted to a Toronto Asterisk (open source VOIP/telephony) mailing list.
It's sort of interesting, but it's a decade too late to derail the DNSSEC train.
Why derail? The Internet should not be seen as a monolith carved for eternity. This should be worked on, tested, compared, and a possible transition or parallel usage documentation be provided. This is the way the IETF and the Internet community have always proceeded. DNSSEC is like DNS, IPv6 and IDNA: who knows where they will be ten years from now. Maybe everywhere, maybe forgotten. Please remember the only architectural principle of the Internet technology (RFC 1958): everything but that principle can change. Cheers. jfc
participants (4)
- Evan Leibovitch
- Jeffrey A. Williams
- JFC Morfin
- John Levine