ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] DNSSEC toward a more insecure Internet Re: PROBLEMS Resolving .gov w/dnssec

  • To: Joe Baptista <baptista@xxxxxxxxxxxxxx>, "ga@xxxxxxxxxxxxxx >> GA" <ga@xxxxxxxxxxxxxx>, imatx26@xxxxxxxxxxxxxx, SenateWebmail@xxxxxxxxxxxxxxxxx, senator@xxxxxxxxxxxxxxxxxxxx
  • Subject: Re: [ga] DNSSEC toward a more insecure Internet Re: PROBLEMS Resolving .gov w/dnssec
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Thu, 22 Apr 2010 17:04:13 -0500 (GMT-05:00)

<BODY id=compText>
<P>Dr. Joe and all,</P>
<P>&nbsp;</P>
<P>&nbsp; To answer your first question, yes, if and only if DNSSEC is properly 
implemented</P>
<P>and strong encryption is used.&nbsp; Currently the ongoing attempted 
implementation</P>
<P>for .GOV is obviously not going well.&nbsp; The main but hardly only reasons 
are</P>
<P>largely due to; 1.) improper assumptions for implementation were and are 
still</P>
<P>being made, and 2.) will not even if the implementation is put back on a 
firm</P>
<P>positive direction, be adequate to meet the current level of threat as the 
crypto</P>
<P>standard being used, 256k/SHA-2 is too weak.&nbsp; Currently the 
Cybersecurity</P>
<P>legislation taps the NIST as the standard setting government organization</P>
<P>for setting these standards.&nbsp; NIST is, and has been an excellent 
government</P>
<P>organization, but in this instance their already declared crypto standard</P>
<P>is far too weak, leaving the likelihood of many Americans as well as US</P>
<P>trading partners unnecessarily exposed to various types and forms of abuse,</P>
<P>fraud, and other online criminal activity.&nbsp;</P>
<P>&nbsp;</P>
<P>&nbsp; Indeed it would have been far better&nbsp;for the USG to implement 
DNScurve even</P>
<P>though I am now and have been a strong proponent of DNSSEC.&nbsp; However</P>
<P>given the present political realities and lack of expertise available to 
the</P>
<P>USG the current and ongoing DNSSEC implementation continues and</P>
<P>is floundering.&nbsp;&nbsp; It may yet be corrected/arrested however with 
weak crypto</P>
<P>the exposure will remain and will IMO sooner rather than later, be hacked</P>
<P>to pieces perhaps causing yet another financial disaster far worse</P>
<P>than the 2008 and ongoing one has produced.&nbsp; <BR><BR><BR></P>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff 
2px solid">-----Original Message----- <BR>From: Joe Baptista 
&lt;baptista@xxxxxxxxxxxxxx&gt;<BR>Sent: Apr 22, 2010 9:58 AM <BR>To: 
"ga@xxxxxxxxxxxxxx &gt;&gt; GA" &lt;ga@xxxxxxxxxxxxxx&gt;<BR>Subject: [ga] DNSSEC 
toward a more insecure Internet Re: PROBLEMS Resolving .gov w/dnssec 
<BR><BR>??? does dnssec mean a more secure Internet experience but a higher 
rate of failure in dns resolution?<BR><BR>Incidentally folks Dr. Bernstein 
predicted this would happen. It's called DNSSEC suicide. Today the USPTO goes 
offline - what will happen tomorrow - will .gov go poof? <BR><BR>
<DIV class=gmail_quote>On Thu, Apr 22, 2010 at 10:39 AM, Torsten <SPAN 
dir=ltr>&lt;<A href="mailto:toto@xxxxxxxxxxxxx" 
target=_blank>toto@xxxxxxxxxxxxx</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 
0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">On Thu, 22 Apr 2010 10:03:43 
-0400 (EDT)<BR>Paul Wouters &lt;<A href="mailto:paul@xxxxxxxxxxxxx" 
target=_blank>paul@xxxxxxxxxxxxx</A>&gt; wrote:<BR><BR>&gt; On Thu, 22 Apr 2010, 
Timothe Litt wrote:<BR>&gt;<BR>&gt; &gt; I'm having trouble resolving <A 
href="http://uspto.gov" target=_blank>uspto.gov</A> with bind 9.6.1-P3 
and<BR>&gt; &gt; 9.6-ESV configured as validating resolvers.<BR>&gt; 
&gt;<BR>&gt; &gt; Using dig, I get a connection timeout error after a long (~10 
sec)<BR>&gt; &gt; delay. +cdflag provides an immediate 
response.<BR>&gt;<BR>&gt; &gt; Is anyone else seeing this? &nbsp;Ideas on how 
to troubleshoot?<BR>&gt;<BR>&gt; I have the same problems with our validating 
unbound instance. The<BR>&gt; logs show:<BR>&gt;<BR><BR>Maybe something went 
wrong in the key-rollover process. Queries<BR>for DS, DNSKEY and NSEC get a 
reply with the ad flag set. All other<BR>records 
fail.<BR><BR><BR>Ciao<BR>Toto<BR><BR>_______________________________________________<BR>bind-users
 mailing list<BR><A href="mailto:bind-users@xxxxxxxxxxxxx" 
target=_blank>bind-users@xxxxxxxxxxxxx</A><BR><A 
href="https://lists.isc.org/mailman/listinfo/bind-users" 
target=_blank>https://lists.isc.org/mailman/listinfo/bind-users</A><BR></BLOCKQUOTE></DIV>
<P><BR><BR>&nbsp;</P>
<P>Regards,<BR><BR>Jeffrey A. Williams<BR>Spokesman for INEGroup LLA. - (Over 
294k members/stakeholders and growing, strong!)<BR>"Obedience of the law is the 
greatest freedom" -<BR>&nbsp;&nbsp; Abraham Lincoln<BR><BR>"Credit should go 
with the performance of duty and not with what is very<BR>often the accident of 
glory" - Theodore Roosevelt<BR><BR>"If the probability be called P; the injury, 
L; and the burden, B; liability<BR>depends upon whether B is less than L 
multiplied by<BR>P: i.e., whether B is less than PL."<BR>United States v. 
Carroll Towing&nbsp; (159 F.2d 169 [2d Cir. 
1947]<BR>===============================================================<BR>Updated
 1/26/04<BR>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. 
div. of<BR>Information Network Eng.&nbsp; INEG. INC.<BR>ABA member in good 
standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx<BR>Phone: 
214-244-4827<BR></P></BLOCKQUOTE></BODY>
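
Added example, not part of the original message or of the bind-users thread it quotes: the quoted posts describe a query that times out through a validating resolver but answers immediately with +cdflag, and replies that carry the ad flag only for some record types. The script below classifies that pattern from two saved dig outputs; the function names, the sample outputs and the resolver address in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Compare a normal query with a +cdflag query, as in the quoted thread.
# All sample outputs below are constructed for illustration.
HDR=';; ->>HEADER<<- opcode: QUERY, status:'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_SERVFAIL="$HDR SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"
SAMPLE_CD="$HDR NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
SAMPLE_AD="$HDR NOERROR, id: 4713
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"

# Print the response code from dig's header line, or TIMEOUT / UNKNOWN.
dig_status() {
    printf '%s\n' "$1" | awk '
        /connection timed out/ { s = "TIMEOUT" }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        END { print (s == "" ? "UNKNOWN" : s) }'
}

# Print the header flags (for example "qr rd ra ad") from dig output.
dig_flags() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ { split($0, p, ";"); sub(/^ *flags: */, "", p[3]); print p[3] }'
}

# $1 = output of the normal query, $2 = output of the same query with +cdflag.
classify() {
    normal=$(dig_status "$1")
    nocheck=$(dig_status "$2")
    case "$normal" in
        NOERROR)
            case " $(dig_flags "$1") " in
                *" ad "*) echo validated ;;
                *) echo resolved-unvalidated ;;
            esac ;;
        SERVFAIL|TIMEOUT)
            if [ "$nocheck" = NOERROR ]; then echo validation-failure
            else echo not-validation-related; fi ;;
        *) echo "other:$normal" ;;
    esac
}

# Live use (assumes a validating resolver at 127.0.0.1; NAME is a placeholder):
#   classify "$(dig @127.0.0.1 NAME A)" "$(dig +cdflag @127.0.0.1 NAME A)"
classify "$SAMPLE_TIMEOUT" "$SAMPLE_CD"
```

A "validation-failure" result means the data is reachable and only the resolver's DNSSEC checking rejects it, which is the case the key-rollover guess in the thread concerns.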


