Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.6 released

Kevin Chadwick
Sun Feb 13 16:06:36 CET 2011


On Wed, 4 Aug 2010 11:47:15 +0100
Kevin Chadwick wrote:

> On Wed, 4 Aug 2010 11:23:48 +0200
> "Marco Davids (SIDN)" wrote:
> 
> > Hi Wouter,
> > 
> > On 08/03/10 16:59, W.C.A. Wijngaards wrote:
> > 
> > >> Is it possible to add dnscurve support to the todo list?
> > 
> > > It is currently at the IETF and if that standardization (and fix)
> > > process is done, then we can consider adding it.
> > 
> > > The IETF process can take some time and make changes to the
> > > spec, therefore the decision is better made at a later date.
> > 
> > That argument, even though it makes sense, seems somewhat inconsistent
> > with an earlier decision to implement draft-vixie-dnsext-dns0x20-00 in
> > Unbound. I liked playing with the 0x20 feature though, so at least I for
> > one was happy that you implemented it as an option. I suppose I
> > could be equally happy with fiddling around with DNScurve a bit. A
> > '--with-dnscurve' configure-option would work just fine for me (will
> > keep things lean and mean for others). So as far as I am concerned, the
> > 'IETF standardization'-argument doesn't necessarily have to be a
> > showstopper here.
> 
> I'm obviously a supporter of dnscurve but I do see that if it gets
> very little adoption (OpenDNS seem the only major one at present) then
> adding it may be a waste of developers' time, though I'm under the
> impression that it's meant to be easy to implement and I'm hoping
> unbound may be able to kick others into action. It would also be the
> only and first one supporting dnssec and dnscurve as far as I am aware,
> thereby acquiring other users like me and/or press coverage.


Hi all,

For those who are interested:

DJB gave a talk at 27c3 (the 'Hacker congress', on December 28th, 2010) in
Berlin:

"High-speed high-security cryptography encrypting and authenticating
the whole internet"

In essence, Dan

- criticises DNSSEC from first principles ('CIA'), explaining possible
  amplification attacks and addressing the problem of static signing
  keys,

- briefly introduces DNSSEC with ECC and NYM-deployed public keys,

- outlines CurveCP, a new protocol, using UDP services while encrypting
  the payload (asymmetrically) by means of ECC. This could be used for
  general HTTP traffic (instead of using standard TCP).

--

What is interesting, challenging, and extraordinary is the approach -
unlike TLS - to directly encrypt data with ECC and not to first
negotiate a shared secret for (later) symmetric en/decryption. Dan
tries to convince the public that asymmetric cryptography by ECC is not
a heavy burden on today's CPUs.

Sources:

His talk: http://cr.yp.to/talks/2010.12.28/slides.pdf

His live presentation: http://vimeo.com/18279777

--

Interestingly enough, apart from Dan's approach, Google also tries to tie
down the latency introduced by TLS (for instant HTTP traffic):

http://tools.ietf.org/html/draft-agl-tls-snapstart-00

--

Thus, given current hardware capabilities, it is not the CPU load that is
problematic for encryption, but rather the (slow) current approach of
first setting up a security context/session and negotiating a cipher.


Enjoy!

regards.
--eh.

PS: Sorry if you receive this mail twice. It is worth it!

-- 
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de