[At-Large] DNS Encryption -- IETF Draft
Evan Leibovitch
evan at telly.org
Tue Jul 1 08:18:06 EDT 2008
Hello,
The author of a draft proposal on signed and encrypted DNS has submitted
it to the IETF; a link was posted to a Toronto Asterisk (open source
VOIP/telephony) mailing list. One of the main purposes of having this
facility is to prevent DNS spoofing and "man in the middle" attacks. I
thought this may be of interest to our audience:
http://www.e164.org/docs/draft-groth-dns-encryption-00.txt
One notable aspect of the draft (and a reason for its interest to the
open source community) is its use of OpenPGP keys rather than X.509
certificates:
> It would be a bad security decision to use X.509 certificates,
> SMTP-TLS has shown that very few commercial certificates have been
> purchased, most people use self-signed or invalid certificates.
Also:
> With current threats existing for very short periods, typically hours
> to days at most, there is no practical reason for keys to expire in 1
> or even 5 years, the primary reason most certificates expire with such
> frequency is due to monetary reason which is detrimental to security.
I hope this is of interest. The reason this was sent on a telephony list
is that NAPTR resource records in DNS entries (see RFC
2915) are used to store telephone/VOIP number names as well as conventional
Internet domain names.
- Evan