To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Mark.Andrews@isc.org
Cc: namedroppers@ops.ietf.org, dnsop@cafax.se, dnssec@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Tue, 16 Jul 2002 17:07:47 +0200
In-Reply-To: <200207160504.OAA02957@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: dnssec discussion today at noon
At 2:04 PM +0859 2002/07/16, Masataka Ohta wrote:

>> And what does this have to do with DNSSEC?
>
> The theory explains the reality that public key cryptography
> (including DNSSEC) is not used for serious purposes.

Not used for serious purposes?!? Okay, let's have you run a B2B website where billions of dollars can be moved with the click of a single mouse button. Now, we have to ensure that you really are interacting with the real B2B website and not some clever fake, or worse, some site that performs a man-in-the-middle attack on you while you are conducting a real transaction, so that they can later go in and conduct multiple fake transactions.

How about home banking? Sure, hundreds, thousands, tens of thousands, etc... of dollars may not be a whole lot of money to you, but they may be the entire life savings of a family. Multiply that by 250 million people in the US alone, and you're talking about some real money.

I'm sorry. I don't buy your argument at all. Not in the least.

I'm not saying that DNSSEC is necessarily the only solution to the problem, or even the best solution to the problem, or necessarily even one solution to the problem, but it is at least a step closer to one solution to the problem, and by working with DNSSEC and seeing where it works and where it fails, we can get closer to a real solution.

> Such security is not useful for serious purposes, when no one is
> really responsible if your transactions are spoofed.

Okay, so we can all sue you for billions and trillions of dollars worth of damages when someone spoofs a DNS response packet which then leads us to be vulnerable to man-in-the-middle attacks.

> Just as you can rely on people operating name servers, you
> can rely on people operating routers.

No, in both cases. There are a multitude of heinously screwed up servers in this world, and a multitude of heinously screwed up routers, too.

If you don't believe me, then believe KC Claffy from CAIDA (see <http://www.caida.org/outreach/presentations/dns0701/mgp00003.html>).

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.