PowerDNS & DNSSEC!

by bert hubert-2

.. http://www.powerdnssec.org ..

Is signed by PowerDNS, and the delegation from .ORG is also signed. And of
course this domain is powered by PowerDNS!

(Re)Signing & re-keying is automatic, and configuration consists of a two
step plan:

1) configure a key-repository directory in the pdns.conf.
2) run 'pdnssec create-keys powerdnssec.org'.

(to be completely honest, right now it is a four step plan, but the last two
steps will vanish very soon).

There is a monumental amount of work left to be done, both in terms of
core development, tools, performance, support infrastructure etc, and this
will not happen automatically. http://www.powerdnssec.org also lists the
things that are currently missing.

Expect further announcements soon - we'll need help to make it all happen.
The code is not yet available, but it will be if we find the help we need.

But I wanted to share this exciting development earlier rather than later!

        Bert

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services
_______________________________________________
Pdns-users mailing list
Pdns-users@...
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: PowerDNS & DNSSEC!

by evilbunny

bert hubert wrote:
> But I wanted to share this exciting development earlier rather than later!

I'm sorry, but DNSSEC isn't exciting, and hasn't ever been except to a
small group that we won't go into.

On the other hand do you know of any "exciting" development with DNSCurve?

--

Best regards,
 Duane

http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."




Re: PowerDNS & DNSSEC!

by Stephane Bortzmeyer

On Wed, Jul 15, 2009 at 02:59:58AM +1000,
 Duane at e164 dot org <duane@...> wrote
 a message of 62 lines which said:

> On the other hand do you know of any "exciting" development with DNSCurve?

What's the relationship? DNSSEC secures the data, DNSCurve the channel
(like TLS, IPsec, TSIG, etc). So, DNSCurve is not a replacement for
DNSSEC, for instance, it does not protect against a rogue resolver (or
secondary name server).
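An added example, not part of the original thread: a toy model of the data-versus-channel distinction made in the message above. A Lamport one-time signature stands in for the zone's DNSSEC signature and an HMAC stands in for per-hop channel protection; the record values, key handling and function names are all constructed for illustration.

```python
import hashlib, hmac, os

def H(b):
    return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Toy Lamport one-time signature: stands in for the zone's DNSKEY/RRSIG pair.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

# Per-hop MAC: stands in for channel protection (DNSCurve, TLS, TSIG).
def mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

RRSET = b"www.example.org. 3600 IN A 192.0.2.10"     # constructed sample record
FORGED = b"www.example.org. 3600 IN A 203.0.113.66"  # constructed altered record

def resolve(server_is_rogue):
    zone_sk, zone_pk = keygen()      # private half never leaves the zone owner
    sig = sign(zone_sk, RRSET)       # signed once, before any server sees it
    hop_key = os.urandom(32)         # shared by the client and the server it queries
    # The server legitimately holds hop_key, so whatever it sends carries a valid tag.
    answer = FORGED if server_is_rogue else RRSET
    tag = mac(hop_key, answer)
    return {
        "channel_ok": hmac.compare_digest(tag, mac(hop_key, answer)),
        "data_ok": verify(zone_pk, answer, sig),
    }

if __name__ == "__main__":
    print("honest server:", resolve(False))
    print("rogue server: ", resolve(True))
```

The channel check passes in both runs because the server is a legitimate endpoint of that channel; only the signature made by the zone owner detects the altered record.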

Re: PowerDNS & DNSSEC!

by evilbunny

Stephane Bortzmeyer wrote:

> On Wed, Jul 15, 2009 at 02:59:58AM +1000,
>  Duane at e164 dot org <duane@...> wrote
>  a message of 62 lines which said:
>
>> On the other hand do you know of any "exciting" development with DNSCurve?
>
> What's the relationship? DNSSEC secures the data, DNSCurve the channel
> (like TLS, IPsec, TSIG, etc). So, DNSCurve is not a replacement for
> DNSSEC, for instance, it does not protect against a rogue resolver (or
> secondary name server).

DNSSEC doesn't provide privacy, DNSCurve is supposed to provide both
verification and privacy, but since there is no implementation there has
been little discussion on it which is unfortunate.

Just like there are a lot of reasons for privacy of web sessions the
powers that be don't want to offer users the same privacy for their DNS
requests.

Reasons for not wanting to offer privacy included acknowledging that
various governments would oppose it and DNSSEC specifically has no
potential for privacy in the specs.

That said since DNSSEC does involve crypto for signing, the same tech
could in theory be used for privacy, and that annoys/scares whatever
govt agencies and is one potential reason why any sort of DNS crypto has
taken this long to get to this point.

--

Best regards,
 Duane

http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."




Re: PowerDNS & DNSSEC!

by Leen Besselink

On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
> Stephane Bortzmeyer wrote:

Hi Duane and Stephane,

> > On Wed, Jul 15, 2009 at 02:59:58AM +1000,
> >  Duane at e164 dot org <duane@...> wrote
> >  a message of 62 lines which said:
> >
> >> On the other hand do you know of any "exciting" development with DNSCurve?
> >
> > What's the relationship? DNSSEC secures the data, DNSCurve the channel
> > (like TLS, IPsec, TSIG, etc). So, DNSCurve is not a replacement for
> > DNSSEC, for instance, it does not protect against a rogue resolver (or
> > secondary name server).
>
> DNSSEC doesn't provide privacy, DNSCurve is supposed to provide both
> verification and privacy, but since there is no implementation there has
> been little discussion on it which is unfortunate.
>
> Just like there are a lot of reasons for privacy of web sessions the
> powers that be don't want to offer users the same privacy for their DNS
> requests.
>
> Reasons for not wanting to offer privacy included acknowledging that
> various governments would oppose it and DNSSEC specifically has no
> potential for privacy in the specs.
>
> That said since DNSSEC does involve crypto for signing, the same tech
> could in theory be used for privacy, and that annoys/scares whatever
> govt agencies and is one potential reason why any sort of DNS crypto has
> taken this long to get to this point.
>

My guess is that would be the US government? I know the other governments
also had something else to complain about, the signing of the root and the
agency that is allowed to do so.

Because alternative roots are not (easily) possible with DNSSEC I presume.

I guess you could only make a signed copy or unsigned alt. root.

> --
>
> Best regards,
>  Duane
>
> http://www.freeauth.org - Enterprise Two Factor Authentication
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://e164.org - Global Communication for the 21st Century
>
> "In the long run the pessimist may be proved right,
>     but the optimist has a better time on the trip."
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@...
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

_____________________________________
New things are always on the horizon.

Re: PowerDNS & DNSSEC!

by bert hubert-2

Hi everybody,

I've seen the discussion on the list, and I've had more questions
off-list about DNSSEC, DNSCurve and the quality and desirability of
these protocols. In the message below, I want to share some of my
thoughts on this, and then I kindly request everyone to have this
discussion elsewhere. I'll explain.

Briefly - PowerDNS is not and has never been a 'political' project.
While I have personally, for most of a decade, worked hard at
pointing out the problems of DNSSEC on the various IETF lists,
PowerDNS ultimately needs to serve the needs of its users:
individuals, organizations and corporations.

For better or worse, implementing DNSSEC has become 'mandatory' in
many circles. Not having it on the roadmap has become a liability. It
is also a risk for the individuals that have advocated PowerDNS within
their organizations - they might be accused of having backed the wrong
horse.

PowerDNS is technology, and not a political action front.

And because of that, and because the DNSSEC efforts are gathering
pace, we have to make sure that PowerDNS users will not be left out.

I'll be posting more thoughts on http://blog.netherlabs.nl shortly,
but I kindly request people not turn this mailing list into yet another
discussion about the merits of DNSSEC.

Thanks!

PS: http://www.powerdnssec.org has been updated to reflect new
features of the experimental DNSSEC code. Spread the word!

On Wed, Jul 15, 2009 at 7:27 PM, Leen Besselink <leen@...> wrote:

> On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
>> Stephane Bortzmeyer wrote:
>
> Hi Duane and Stephane,
>
>> > On Wed, Jul 15, 2009 at 02:59:58AM +1000,
>> >  Duane at e164 dot org <duane@...> wrote
>> >  a message of 62 lines which said:
>> >
>> >> On the other hand do you know of any "exciting" development with DNSCurve?
>> >
>> > What's the relationship? DNSSEC secures the data, DNSCurve the channel
>> > (like TLS, IPsec, TSIG, etc). So, DNSCurve is not a replacement for
>> > DNSSEC, for instance, it does not protect against a rogue resolver (or
>> > secondary name server).
>>
>> DNSSEC doesn't provide privacy, DNSCurve is supposed to provide both
>> verification and privacy, but since there is no implementation there has
>> been little discussion on it which is unfortunate.
>>
>> Just like there are a lot of reasons for privacy of web sessions the
>> powers that be don't want to offer users the same privacy for their DNS
>> requests.