undefined | Better HN

0 pointsthe84726y ago0 comments

No, the traffic from individual machines to my recursive resolver is already secured or trusted, either because it's a trusted network or going through a tunnel.

What I am missing is a way to secure the traffic from the recursive resolver to all the authoritative name servers in the world, i.e. to achieve end-to-end encryption for lookups.

Yes I am aware that this would require dnscurve support in most authoritative servers around the world and that the rollout would take many years. But DoH provides a false sense of security, to me it's a distraction that just shifts us from ISPs saying "trust us" to google&co doing it.

0 comments

bluejekyll6y ago

I think we're coming to DNSSEC + TLS vs. DNSCurve at this point.

I'm not so convinced that the authenticity of the data you're conferring to the DNSCurve network is conferring greater security than DNSSEC and TLS. I'm not arguing one is better than the other, but I kinda see it as a wash.

tptacek6y ago

TLS DNS and DNSCurve perform essentially the same function, so it doesn't make much sense to compare one with DNSSEC and one without. What blurs the line a little is that DNSCurve is explicit about its goal of providing bottom-up DNS security --- in a world with near-universal DNSCurve deployment, the need for DNSSEC would be minimized. But that's in fact true of TLS DNS, as well --- it's just not something the IETF is explicit about.

Both DNSSEC and DNSCurve are basically dead-letter standards at this point; interestingly, the stake through both their hearts is DNS over TLS or HTTPS, but for different reasons: DNSCurve, because DoTLS essentially replaces the entire protocol, and DNSSEC because DoTLS reveals (through its rapid adoption, among other things) how marginal DNSSEC's contribution actually is.

the8472OP6y ago

DNS-over-(d)TLS approaches don't aim to secure the traffic between recursive resolvers and authoritative servers[0][1]. Is there any newer work going in that direction?

[0] https://tools.ietf.org/html/rfc8094#section-1 [1] https://tools.ietf.org/html/rfc7858.html

j / k navigate · click thread line to collapse