D.J. Bernstein proposes an almost zero-effort DNSSEC alternative (Presentation) - st3fan
http://cr.yp.to/talks/2008.08.22/slides.pdf

======
tptacek
It's not quite that simple: I think DJB is proposing that we solve a different
problem than DNSSEC tries to solve.

Compare DNS security to HTTP security. SSL/TLS secures HTTP connections, but
not their underlying content. DNSSEC is like trying to encrypt and sign every
web page, instead of the secure connections. Which is why it's unlikely to
ever happen.

DNSCurve is a design that uses modern high-speed ECC crypto to do
packet-transaction-speed security. It looks like it's to DNS what TLS is to the web.

That said, since DNSSEC is a crazy idea (obligatory self-link:
<http://www.matasano.com/log/case-against-dnssec/>) and because DJB got a lot
of (well deserved) attention after this summer's DNS debacle, this could get
some serious attention.

------
pjf
I'd argue that the slides are more on DNSSEC weaknesses than on DNSCurve [1]
strengths. Actually, he only mentions the advantages of his solution, as opposed
to giving quite detailed criticism of DNSSEC.

However, great presentation and I highly recommend it to all network/security
geeks.

[1] <http://dnscurve.org/>

------
eggnet
This proposes to encode an encryption key into the NS delegation for a zone,
and to back it up with an encryption scheme touted to be fast enough to handle
high loads.

The idea of encoding a key into the NS name sounds like something djb would
dream up, seeing the names as useless anyway (you'd get that impression after
using his software and reading his notes on DNS). The part that pushes the
solution over the top is providing a fast enough encryption algorithm to work
for DNS servers.

What can I say, I'm impressed.
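To make the "key in the NS name" idea above concrete, here is an added example (not code from the thread, from djb, or from the DNSCurve project) that packs a 32-byte public key into a single DNS label and recovers it from a delegation's NS names. The concrete encoding details (the "uz5" prefix, the base32 alphabet, little-endian bit order, 51 characters for 255 bits, the 63-byte label limit) follow my recollection of the DNSCurve encoding and should be treated as an assumption; the sample key and hostnames are constructed. The last function is the check a zone operator would want: every NS in the delegation carries a key, so no server offers a resolver a plain-DNS fallback.

```python
"""Encode a 32-byte public key into a DNS NS label and recover it again.

The delegation's NS name itself carries the authoritative server's public
key, so a resolver that has already learned the NS name has the key too,
with no extra record types. Prefix, alphabet and bit order below are my
recollection of the DNSCurve encoding (assumption, not the page's code).
"""
from typing import Dict, List, Optional

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # 32 symbols, assumed alphabet
PREFIX = "uz5"                                 # assumed key-label prefix
KEY_BYTES = 32
KEY_CHARS = 51                                 # 51 * 5 bits = 255 bits
KEY_MASK = (1 << 255) - 1                      # Curve25519 ignores bit 255
MAX_LABEL = 63                                 # DNS label limit (RFC 1035)


def key_to_label(key: bytes) -> str:
    """Render a 32-byte public key as one DNS label: 'uz5' + 51 base32 chars."""
    if len(key) != KEY_BYTES:
        raise ValueError("public key must be exactly 32 bytes")
    # Little-endian: byte 0 of the key lands in the first characters.
    n = int.from_bytes(key, "little") & KEY_MASK
    chars = [ALPHABET[(n >> (5 * i)) & 31] for i in range(KEY_CHARS)]
    label = PREFIX + "".join(chars)
    if len(label) > MAX_LABEL:
        raise ValueError("label exceeds the DNS label length limit")
    return label


def label_to_key(label: str) -> Optional[bytes]:
    """Return the key carried by a label, or None for an ordinary NS label.

    Only a label of exactly the right shape is treated as key-bearing, so a
    hostname that merely starts with 'uz5' is not mistaken for a key.
    """
    label = label.lower()
    if len(label) != len(PREFIX) + KEY_CHARS or not label.startswith(PREFIX):
        return None
    n = 0
    for i, ch in enumerate(label[len(PREFIX):]):
        v = ALPHABET.find(ch)
        if v < 0:                      # character outside the alphabet
            return None
        n |= v << (5 * i)
    return n.to_bytes(KEY_BYTES, "little")


def keys_from_delegation(ns_names: List[str]) -> Dict[str, Optional[bytes]]:
    """Map each NS name to the key in its first label (None = no key present)."""
    result: Dict[str, Optional[bytes]] = {}
    for name in ns_names:
        first_label = name.rstrip(".").split(".")[0]
        result[name] = label_to_key(first_label)
    return result


def all_servers_keyed(ns_names: List[str]) -> bool:
    """True only if every NS in the delegation carries a key.

    A zone operator wants this to be True: an NS without a key leaves a
    resolver no choice but plain DNS when it happens to pick that server.
    """
    return all(k is not None for k in keys_from_delegation(ns_names).values())


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed, not a real server key
    label = key_to_label(sample_key)
    delegation = [label + ".example.net.", "ns2.example.net."]  # constructed
    print(label)
    for name, key in keys_from_delegation(delegation).items():
        print(name, "->", key.hex() if key else "no key")
    print("all servers keyed:", all_servers_keyed(delegation))
```

The decoder deliberately returns `None` rather than a partial key for anything that does not match the exact shape, and the encoder masks bit 255 before encoding, so a key whose top bit is set round-trips with that bit cleared; that matches how Curve25519 treats the bit anyway.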

