Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.6 released

Kevin Chadwick
Wed Aug 4 11:29:34 CEST 2010


On Wed, 04 Aug 2010 09:26:01 +0200
Leen Besselink <leen at consolejunkie.net> wrote:

> On 08/04/2010 12:32 AM, Paul Wouters wrote:
> > On Tue, 3 Aug 2010, Leen Besselink wrote:
> >
> >> How about TSIG ? I think it can be used (if a stub-resolver like 
> >> ldns implements it) to secure 'the last mile'.
> >
> > I'd rather see validating resolvers using a forwarder mechanism so we 
> > don't have to trust ISP/random wifi nameservers at all.
> >
> >> Did you also see this idea by Dan Kaminsky ? I thought it was pretty 
> >> smart.
> >>
> >> It takes part of the idea from dnscurve and combines it with DNSSEC 
> >> to get faster/more DNSSEC deployment:
> >>
> >> http://recursion.com/chain.pdf
> >
> > It's cute, but I don't think it's really needed anymore. The cool thing 
> > about re-using the NS record was not so much to just provide a pubkey in 
> > dnscurve, but to provide privacy. Dan's NSDS record does not do that. The 
> > competitive nature of the registry/registrar model will ensure most of 
> > them will support DS records before any NSDS code has been written and 
> > well tested (IMHO)
> >
> > Paul
> >
> I know they are both just a stopgap, but at least now we know you don't 
> expect to implement it.
> 
TSIG just hasn't got what dnscurve offers.

Dnscurve would add little overhead (less than a quarter of dnssec) and
you could have an off switch; the memory overhead for forking would
make little difference. You could even optionally turn off dnssec to get
increased performance, knowing dnssec was checked by the last hop (if
you trust that hop), thereby gaining performance; you could optionally
compile without dnssec to free up memory (many forks, depending on
performance reasoning).

DoS against dnssec shouldn't be so easy to conduct, especially against
smaller sites; dnscurve would reduce DoS effectiveness and in some
cases prevent it.

The dnssec encryption's security is also questionable.

Privacy and real security for dns would be a great thing for many
reasons, such as preventing business association monitoring (web and
email traffic etc.; though starttls as opposed to tls would still give
out some info). It would also prevent some attackers from knowing when,
and buying time, to prepare to launch an attack such as a "starttls not
available" response.


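As an added example, not taken from the thread or from the Unbound project's own documentation, the following unbound.conf fragment implements the arrangement Paul suggests above: the local resolver forwards its queries to an upstream (for instance the ISP's or a hotspot's) nameserver but performs DNSSEC validation itself, so a forged answer, or one from which the upstream has stripped the signatures, fails validation instead of being accepted on trust. The upstream address 192.0.2.53 is a placeholder from the documentation range, and the trust-anchor file path is an assumption; the file must be populated with the root zone trust anchor before Unbound is started.

```conf
# Added example: a local validating resolver that forwards to an untrusted upstream.
server:
    # Run the validator in front of the iterator so every answer, including
    # answers obtained through the forwarder, is checked against the trust anchor.
    module-config: "validator iterator"

    # Root trust anchor, kept up to date via RFC 5011.
    # Path is an assumption; populate the file with the root key beforehand.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Treat answers whose RRSIG records were removed in transit as bogus
    # rather than silently downgrading them to insecure.
    harden-dnssec-stripped: yes

    # Never hand bogus data to clients; return SERVFAIL instead.
    val-permissive-mode: no

# Forward everything to the upstream resolver; it only supplies the data,
# the local validator decides whether to believe it.
forward-zone:
    name: "."
    # Placeholder (documentation range); replace with the ISP or hotspot resolver.
    forward-addr: 192.0.2.53
```

With this setup the upstream resolver reduces to a cache: it can refuse to answer or return garbage, which shows up as SERVFAIL locally, but it cannot make a signed zone's records validate with forged contents. Note that this covers integrity only; the queries between Unbound and the forwarder are still sent in the clear, which is the privacy gap the rest of the thread is arguing about.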