DNSSEC Advances in gTLDs; Bernstein Intros DNSCurve
coondoggie writes "Seven leading domain name vendors — representing more than 112 million domain names, or 65% of all registered names — have formed an industry coalition to work together to adopt DNSSEC. Members of the DNSSEC Industry Coalition include: VeriSign, which operates the .com and .net registries; NeuStar, which operates the .biz and .us registries; .info operator Afilias Limited; .edu operator EDUCAUSE; and The Public Interest Registry, which operates .org." The gTLD operators are falling in line behind government initiatives, which we discussed last month. In light of these developments, Dan Bernstein's push for DNSCurve might face an uphill slog. Reader data2 writes: "Dan Bernstein, the creator of djbdns and daemontools, has created his own proposal to improve upon the current DNS protocol. He has been opposed to DNSSEC for quite some time, and now he has proposed a concrete alternative, DNSCurve. He has posted a comparison between the two systems. His proposal makes use of elliptic curves, while DNSSEC favors RSA. He uses a curve named Curve25519, which he also developed."
At least he's less likely to try and identify me to my local government...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
A personal opinion, that. YMMV.
Even if your bank is currently using a 1024-bit certificate, your browser and the underlying protocols support more than that. DNSsec doesn't. It's taken decades to get DNS crypto taken seriously, and it makes sense to do it once, instead of over and over again after serious compromises have occurred.
1024-bit RSA is considered deprecated by NIST as of 2010. In a couple weeks, it'll be 2009. That's not a very useful lifespan. Meanwhile, elliptic curve cryptography gets significantly more protection per bit -- not as much as a good symmetric cipher, but about half that. Like a symmetric cipher (and unlike RSA), it scales linearly with the number of bits you give it. NIST considers ~163-bit ECC as secure as 1024-bit RSA; if you give it 256 bits (like DJB's implementation), that's roughly equivalent to 3072-bit RSA. Not to mention, it can be computed more quickly and transmitted in less space.
After all, it's not like DNS servers have to answer thousands of queries a minute, or encode answers into a single packet, or anything like that. Nope. Nothing like that.
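The two comments above make a size argument (signatures "transmitted in less space", answers that must fit "into a single packet"). The following is an added example, not code from the Slashdot thread or from DNSCurve/DNSSEC implementations: it estimates how much of a UDP response budget DNSSEC RRSIG records consume at each RSA modulus size, and how many bytes a public key occupies, using the RRSIG RDATA layout from RFC 4034, the RSA DNSKEY encoding from RFC 3110, and the 512-byte limit from RFC 1035. The 4096-byte EDNS0 buffer, the example names, and the 100-byte "base" answer are constructed assumptions; it does not model DNSCurve's own per-packet framing, which the thread does not describe.

```python
# Added example (not from the post or from any DNSSEC/DNSCurve code base).
# Sizes the signed part of a DNS response under the two UDP budgets that
# matter in practice; all non-RFC figures below are labelled assumptions.

CLASSIC_UDP_LIMIT = 512     # RFC 1035: largest UDP payload without EDNS0
EDNS0_COMMON_LIMIT = 4096   # assumption: a commonly advertised EDNS0 buffer size

# RRSIG RDATA fixed fields (RFC 4034 sec. 3.1): type covered 2, algorithm 1,
# labels 1, original TTL 4, expiration 4, inception 4, key tag 2 = 18 bytes.
RRSIG_FIXED = 18
RR_HEADER = 10              # TYPE 2 + CLASS 2 + TTL 4 + RDLENGTH 2 (owner name is extra)


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a DNS name: one length byte per label plus the root byte."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def rrsig_size(signer: str, owner: str, rsa_bits: int) -> int:
    """Wire size of one RRSIG RR carrying an RSA signature.

    An RSA signature is exactly as long as the modulus, so 1024 bits -> 128 bytes,
    2048 -> 256, 3072 -> 384 (the RSA sizes the comment above compares with ECC).
    """
    sig_len = rsa_bits // 8
    return wire_name_len(owner) + RR_HEADER + RRSIG_FIXED + wire_name_len(signer) + sig_len


def public_key_bytes(kind: str, bits: int = 0) -> int:
    """Bytes needed to ship a public key.

    RSA in a DNSKEY (RFC 3110): 1 length byte + exponent + modulus; assumption: the
    usual 3-byte exponent 65537.  Curve25519: a fixed 32-byte point, i.e. the 256-bit
    key the summary says DNSCurve uses.
    """
    if kind == "rsa":
        return 1 + 3 + bits // 8
    if kind == "curve25519":
        return 32
    raise ValueError(f"unknown key kind: {kind}")


def response_budget(rsa_bits: int, n_rrsigs: int, base_bytes: int,
                    limit: int = CLASSIC_UDP_LIMIT,
                    signer: str = "example.com.",          # constructed sample zone
                    owner: str = "www.example.com."):      # constructed sample owner
    """Return (total_bytes, fits) for a response of base_bytes unsigned content
    plus n_rrsigs RSA signatures, judged against the given UDP limit."""
    total = base_bytes + n_rrsigs * rrsig_size(signer, owner, rsa_bits)
    return total, total <= limit


if __name__ == "__main__":
    # Constructed scenario: a 100-byte answer with two RRSIGs (e.g. A + NSEC),
    # checked against the classic 512-byte budget at each RSA size.
    for bits in (1024, 2048, 3072):
        total, fits = response_budget(bits, 2, 100)
        print(f"RSA-{bits}: {total} bytes, fits in 512-byte UDP: {fits}")
    print("RSA-1024 public key:", public_key_bytes("rsa", 1024), "bytes")
    print("Curve25519 public key:", public_key_bytes("curve25519"), "bytes")
```

The point the numbers make is the one the thread is arguing over: moving from RSA-1024 to the NIST-equivalent 3072-bit modulus more than doubles every signature, so a response that fits one classic UDP packet today stops fitting, while a 256-bit curve key stays at 32 bytes. Whether that is decisive depends on EDNS0 deployment, which is why the second limit is a parameter.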
At just a moment when the internet at large needs to standardize on secure mechanisms, he has to gratuitously add another potential standard to the mix, increasing the difficulty of getting anything done.
That's because he's an egomaniac who'll not be happy until the internet becomes DJBnet, all based on DJB/IP, with DJBDNS, DJBML and the like.
What? Me, worry?