Date: Thu, 08 Apr 1999 12:32:22 +0200
From: sthaug@nethelp.no
To: netadmin@fastnet.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <85141.923567542@verdi.nethelp.no>
In-Reply-To: Your message of "Thu, 8 Apr 1999 10:59:56 +0100"
References: <19990408105956.M2213@bofh.fastnet.co.uk>

> > Note that:
> >
> > 1. BIND 8.2 already supports (part of) DNSSEC.
> > 2. But there are known bugs in the 8.2 implementation which can give
> > you crashes if it's used. An unofficial patch is available.
>
> Am I right in thinking that it doesn't encrypt the transfer,
> just signs it so that it can be authenticated?

Yup. From RFC 2065:

   2. Overview of the DNS Extensions

   The Domain Name System (DNS) protocol security extensions provide
   three distinct services: key distribution as described in Section 2.2
   below, data origin authentication as described in Section 2.3 below,
   and transaction and request authentication, described in Section 2.4
   below.  Special considerations related to "time to live", CNAMEs, and
   delegation points are also discussed in Section 2.3.

   2.1 Services Not Provided

   It is part of the design philosophy of the DNS that the data in it is
   public and that the DNS gives the same answers to all inquirers.
   Following this philosophy, no attempt has been made to include any
   sort of access control lists or other means to differentiate
   inquirers.

   In addition, no effort has been made to provide for any
   confidentiality for queries or responses.  (This service may be
   available via IPSEC [RFC 1825].)

So it explicitly does not provide confidentiality.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?85141.923567542>
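
Added example, not part of the original message or of BIND: a small Python sketch of "signed but not encrypted" as the RFC 2065 excerpt describes it. It assumes an HMAC-SHA256 tag as a stand-in for the public-key SIG record, and the key, names and addresses are constructed. An observer without the key can still read the record, while a change made in transit fails verification.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; real DNSSEC uses public-key SIG records

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_record(name, ip, ttl=3600):
    """Wire-format A record: NAME, TYPE=1, CLASS=1, TTL, RDLENGTH, RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def sign(record, key=KEY):
    """Append an authenticator; the record bytes themselves stay in cleartext."""
    return record + hmac.new(key, record, hashlib.sha256).digest()

def verify(signed, key=KEY):
    """Recompute the tag over the record and compare in constant time."""
    record, tag = signed[:-32], signed[-32:]
    return hmac.compare_digest(tag, hmac.new(key, record, hashlib.sha256).digest())

def eavesdrop(signed):
    """What anyone on the path can read without the key: name and address."""
    pos, labels = 0, []
    while signed[pos]:
        length = signed[pos]
        labels.append(signed[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the root label
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
    rdata = signed[pos + 10:pos + 10 + rdlen]
    return ".".join(labels), ".".join(str(b) for b in rdata)

def tamper(signed, new_ip):
    """Replace the 4-byte address in transit, keeping the old tag."""
    rdata = bytes(int(octet) for octet in new_ip.split("."))
    return signed[:-36] + rdata + signed[-32:]

if __name__ == "__main__":
    msg = sign(build_a_record("www.example.com", "192.0.2.10"))
    forged = tamper(msg, "203.0.113.66")
    print("readable without key:", eavesdrop(msg), "authentic:", verify(msg))
    print("after modification:  ", eavesdrop(forged), "authentic:", verify(forged))
```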