
Right, NSEC3's 'solution' to obscure zones by signing hashes effectively just renames zones that probably come from some small collection ('www', 'ftp', 'ns', 'smtp', 'ilo') and is not secure for the same reason hashing phone numbers is ineffective.

Arguments that administrators can choose names with large entropy would miss the point as it puts an undue burden on administrators and users to use 'bizarre' names.

Further arguments that you can brute force names using normal ol' A records also miss the point. The difference is online versus offline enumeration.

> it's based on RSA PKCS1v15

Eww. I had no idea. Next you'll tell me the root key's public exponent is 3. Gross.

> If your most important adversary is GCHQ and NSA, then the Internet is far more threatened by the deployment of DNSSEC than it is by DNSSEC's absence.

Not sure it makes too much of a difference in this case... you can't trust non-signed DNS records if your adversary is NSA/GCHQ, and you can't trust typical PKI to bail you out either.




Migrating from a fatally flawed PKI to a PKI that is fundamentally flawed practically by design is a big problem.



