ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] IPETEE - forget DNSSEC

  • To: Joe Baptista <baptista@xxxxxxxxxxxxxx>
  • Subject: Re: [ga] IPETEE - forget DNSSEC
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Sun, 13 Jul 2008 00:46:13 -0700

Joe and all,

  Essentially you are correct vis-à-vis Dan Bernstein.  I respectfully
disagree in respect to DNSSEC of which I have already covered.  There
are some similarities to IPv6 in respect to the approach to security
means and method.  But that's about it, as far as similarity to DNSSEC.

  What's missing is a well trained base level in network operations due
partly, but not entirely, to some of the policies of the IETF.

Joe Baptista wrote:

>
>
> On Sat, Jul 12, 2008 at 1:57 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx>
> wrote:
>
>
>      At 11:48 12/07/2008, Peter Dambier wrote:
>
>           DNSSEC is the means to stop alternative roots.
>           That is
>           probably the reason why everybody is made to want
>           it.
>
>      could you please explain why?
>
>
> It's to do with the start of authority key that signs all the other
> keys.  If that is signed then all the remainder are signed based on
> the root DNSSEC key.
>
> One of the things I remember is how insecure it is from the point of
> view of the discovery process.  Because each record is in some
> encrypted way related to the former in a sequential order - i.e.
> alphabetical order.  So TLD zones and domains who now protect their
> network infrastructure by not allowing AXFR can now have that zone's
> list of names discoverable if they implement DNSSEC.
>
> Maybe they fixed that.  Just visit the IETF and look through the
> DNSSEC RFC.  It's a lot like IPv6 - a technical nightmare waiting to
> happen with many bugs and revisions.
>
> It does not actually fix the problem with name server security - it
> just patches it with an encrypted.  The problem in name server
> security was fixed back in 2002 by Dan Bernstein.  We have all known
> about it and we all also know that Bernstein is the author to the
> solution of running a stable safe DNS.  However what happened is the
> fools at the IETF and the senior DNS operators gave him a hard time on
> it and we have seen patches to DNS server software from all the
> vendors that have completely ignored the problem from day one.
>
> Bernstein solved the problem and is now credited for it.
>
> regards
> joe baptista
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
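
Added example, not part of the original message or thread: the sequentially ordered record chain mentioned in the quoted text corresponds to DNSSEC's NSEC records (RFC 4034), and the hashed alternative is NSEC3 (RFC 5155). The sketch below lets a zone operator see offline what each chain exposes for a zone; the zone names, salt and iteration count are constructed sample values.

```python
import base64
import hashlib

# Constructed sample zone (an assumption for illustration, not from the thread).
ZONE = ["example.", "www.example.", "mail.example.", "vpn-admin.example.", "db1.internal.example."]

def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left, lowercased."""
    return [label.encode() for label in reversed(name.lower().rstrip(".").split("."))]

def build_nsec_chain(names):
    """Map each owner name to the next one in canonical order, wrapping to the first."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}

def walk(chain, apex):
    """Follow NSEC 'next name' pointers from the apex until the chain wraps around."""
    seen, current = [apex], chain[apex]
    while current != apex:
        seen.append(current)
        current = chain[current]
    return seen

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5 owner-name hash: SHA-1 over wire-format name plus salt, iterated."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Convert standard base32 to the base32hex alphabet used in NSEC3 owner names.
    std, hexa = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789abcdefghijklmnopqrstuv"
    return base64.b32encode(digest).translate(bytes.maketrans(std, hexa)).decode()

def build_nsec3_chain(names, salt, iterations):
    """Same chaining, but over sorted hashes, so pointers carry no plaintext names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

if __name__ == "__main__":
    print("NSEC walk :", walk(build_nsec_chain(ZONE), "example."))
    for owner, nxt in build_nsec3_chain(ZONE, bytes.fromhex("aabbccdd"), 12).items():
        print("NSEC3 link:", owner, "->", nxt)
```

The NSEC walk returns every owner name in the zone even though no zone transfer took place, while the NSEC3 chain links only hashed labels.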



