
Do they really claim that the last-mile is the most insecure part of DNS? They specifically mention the Kaminsky attack, which was best used against DNS servers, not individual PCs.

This is really only an improvement for open wifi, but then you can MITM the IP without having to hijack DNS.




DNSCurve is a proposal for a solution to cache poisoning (which is a problem that dates back to the mid-'90s) that admits to incremental deployment.

On day one, it protects the desktops that opt into deployments provided by servers that opt into it.

But unlike with DNSSEC, which retains the DNS' architectural distinction between the stub resolver in your browser or OS and the cache server at your ISP, the same security protocol that secures the "last mile" with DNSCurve is also workable between servers. Most notably, deploying that secure option does not require the server to change its database.

The day 1 benefit of having a secure channel between browsers and resolver servers probably addresses 60% of the DNS security problem in reality --- that's not a small win, it's an immense win. But even in the long run, DNSCurve is a more workable path to secure name resolution than DNSSEC.
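To make the "secure channel on the last mile" point concrete, here is an added toy model (not code from the thread, and not DNSCurve's actual implementation) of the acceptance rule a stub resolver applies. A plain stub trusts the first reply whose 16-bit transaction id matches an outstanding query, which is why an observer on the same open wifi who sees the query can win the race; a stub that shares a key with the resolver it opted into checks a tag over the whole reply first. The HMAC with a pre-shared key is an assumption standing in for DNSCurve's Curve25519 public-key boxes, and the name, addresses and key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Reply:
    """Simplified DNS answer: transaction id, owner name, address, optional auth tag."""
    txid: int
    name: str
    addr: str
    tag: bytes = b""


class PlainStub:
    """Classic unauthenticated stub: trusts the first reply whose txid matches a pending query."""

    def __init__(self):
        self.pending = {}   # txid -> name we asked about
        self.cache = {}     # name -> addr we now believe

    def send_query(self, name):
        txid = secrets.randbelow(1 << 16)   # 16-bit id, like real DNS
        self.pending[txid] = name
        return txid

    def receive(self, reply):
        if self.pending.get(reply.txid) != reply.name:
            return False                     # unknown txid or wrong name: drop
        self.cache[reply.name] = reply.addr
        del self.pending[reply.txid]         # first matching answer wins; later ones are ignored
        return True


def auth_tag(key, txid, name, addr):
    """Hypothetical channel MAC over the whole reply (stand-in for a DNSCurve box)."""
    msg = f"{txid}|{name}|{addr}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticatedStub(PlainStub):
    """Stub sharing a key with its chosen resolver; verifies the tag before the txid check."""

    def __init__(self, key):
        super().__init__()
        self.key = key

    def receive(self, reply):
        expected = auth_tag(self.key, reply.txid, reply.name, reply.addr)
        if not hmac.compare_digest(expected, reply.tag):
            return False                     # forged or tampered: drop before touching the cache
        return super().receive(reply)


def run_scenario():
    """An on-path observer sees the query's txid and races a forged answer ahead of the
    genuine one. Returns what each stub accepted and what it ended up caching."""
    name = "www.example.test"                # constructed sample name
    genuine_addr = "192.0.2.10"              # constructed (RFC 5737 documentation range)
    forged_addr = "192.0.2.99"
    key = secrets.token_bytes(32)            # shared only by the authenticated stub and its resolver

    results = {}
    for label, stub in (("plain", PlainStub()), ("authenticated", AuthenticatedStub(key))):
        txid = stub.send_query(name)
        # Forged reply arrives first: the observer knows txid but cannot compute a valid tag.
        forged = Reply(txid, name, forged_addr, tag=b"\x00" * 32)
        forged_accepted = stub.receive(forged)
        # Genuine reply from the resolver follows.
        genuine = Reply(txid, name, genuine_addr, tag=auth_tag(key, txid, name, genuine_addr))
        genuine_accepted = stub.receive(genuine)
        results[label] = {
            "forged_accepted": forged_accepted,
            "genuine_accepted": genuine_accepted,
            "cached": stub.cache.get(name),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(label, outcome)
```

The plain stub caches the forged address and then discards the genuine answer because its txid is no longer pending; the authenticated stub drops the forgery and caches the genuine answer. Nothing about the resolver's own zone data or its upstream lookups had to change for that, which is the incremental-deployment property the post describes.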


"The day 1 benefit of having a secure channel between browsers and resolver servers probably addresses 60% of the DNS security problem in reality"

Don't most users use their ISP's DNS servers, making hijacking between the browser and resolvers nearly impossible?


No, because the existing standard DNS protocol is terribly insecure.

Also, because it's insecure, you can't productively opt in to a more secure provider.



