From: sthaug@nethelp.no
To: netadmin@fastnet.co.uk
Cc: freebsd-security@freebsd.org
Subject: Re: ssh and scp
In-Reply-To: Your message of "Thu, 8 Apr 1999 10:59:56 +0100"
Date: Thu, 08 Apr 1999 12:32:22 +0200

> > Note that:
> >
> > 1. BIND 8.2 already supports (part of) DNSSEC.
> > 2. But there are known bugs in the 8.2 implementation which can give
> > you crashes if it's used. An unofficial patch is available.
>
> Am I right in thinking that it doesn't encrypt the transfer,
> just signs it so that it can be authenticated?

Yup. From RFC 2065:

2. Overview of the DNS Extensions

   The Domain Name System (DNS) protocol security extensions provide
   three distinct services: key distribution as described in Section 2.2
   below, data origin authentication as described in Section 2.3 below,
   and transaction and request authentication, described in Section 2.4
   below.

   Special considerations related to "time to live", CNAMEs, and
   delegation points are also discussed in Section 2.3.

2.1 Services Not Provided

   It is part of the design philosophy of the DNS that the data in it is
   public and that the DNS gives the same answers to all inquirers.
   Following this philosophy, no attempt has been made to include any
   sort of access control lists or other means to differentiate
   inquirers.

   In addition, no effort has been made to provide for any
   confidentiality for queries or responses. (This service may be
   available via IPSEC [RFC 1825].)

So it explicitly does not provide confidentiality.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no