Date:      Thu, 08 Apr 1999 12:32:22 +0200
From:      sthaug@nethelp.no
To:        netadmin@fastnet.co.uk
Cc:        freebsd-security@freebsd.org
Subject:   Re: ssh and scp
Message-ID:  <85141.923567542@verdi.nethelp.no>
In-Reply-To: Your message of "Thu, 8 Apr 1999 10:59:56 +0100"
References:  <19990408105956.M2213@bofh.fastnet.co.uk>

> > Note that:
> > 
> > 1. BIND 8.2 already supports (part of) DNSSEC.
> > 2. But there are known bugs in the 8.2 implementation which can give
> > you crashes if it's used. An unofficial patch is available.
> 
> Am I right in thinking that it doesn't encrypt the transfer,
> just signs it so that it can be authenticated?

Yup. From RFC 2065:

2.  Overview of the DNS Extensions

   The Domain Name System (DNS) protocol security extensions provide
   three distinct services: key distribution as described in Section 2.2
   below, data origin authentication as described in Section 2.3 below,
   and transaction and request authentication, described in Section 2.4
   below.

   Special considerations related to "time to live", CNAMEs, and
   delegation points are also discussed in Section 2.3.

2.1 Services Not Provided

   It is part of the design philosophy of the DNS that the data in it is
   public and that the DNS gives the same answers to all inquirers.

   Following this philosophy, no attempt has been made to include any
   sort of access control lists or other means to differentiate
   inquirers.

   In addition, no effort has been made to provide for any
   confidentiality for queries or responses.  (This service may be
   available via IPSEC [RFC 1825].)

So it explicitly does not provide confidentiality.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

