From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <edwin+ml-cerowrt@etorok.net>
Received: from mx.etorok.net (mx.etorok.net [62.113.205.31])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mx.etorok.net",
	Issuer "StartCom Class 1 Primary Intermediate Server CA" (not
	verified))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id ADE9421F3DB
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sun, 11 May 2014 06:43:30 -0700 (PDT)
Received: by mx.etorok.net (OpenSMTPD) with ESMTP id a6a9510b;
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sun, 11 May 2014 16:43:26 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=etorok.net; h=
	message-id:date:from:mime-version:to:references:in-reply-to
	:content-type:content-transfer-encoding; s=ml; l=551; bh=pJmim61
	RnCGKeBwUTFzRfT7bJMM=; b=r4qirDdUEXIGo9sXZi9DraFWzoW42Gs0vStzowQ
	aPZ59NUlUI7bLG46z9JUDGWo/G52WjVf7MPqbRKmfcNU6uzTzFfUtbVsnje/bhcn
	nosav7QLSI7YNf+w1wSg1r+nI0DVAaj8br68BoyBi3Ua9sOdv2aO0cEDcBmJcJTT
	5qyA=
Received: by mx.etorok.net (OpenSMTPD) with ESMTPSA id 7fd4ad69;
	TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-SHA bits=128 verify=NO; 
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sun, 11 May 2014 16:43:26 +0300 (EEST)
Message-ID: <536F7E7D.2010008@etorok.net>
Date: Sun, 11 May 2014 16:43:25 +0300
From: =?ISO-8859-1?Q?T=F6r=F6k_Edwin?= <edwin+ml-cerowrt@etorok.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:24.0) Gecko/20100101 Icedove/24.5.0
MIME-Version: 1.0
To: cerowrt-devel@lists.bufferbloat.net
References: <CAMZR1YDRXoEwO4su_ZhrzS1Y-zczzmXE8xp4pSSkqrQT2cYy2Q@mail.gmail.com>
	<fabd397c-0e85-45df-a410-49826d73af9b@katmail.1gravity.com>
In-Reply-To: <fabd397c-0e85-45df-a410-49826d73af9b@katmail.1gravity.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Cerowrt-devel] "DNSSEC considered harmful"
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sun, 11 May 2014 13:43:31 -0000

On 05/10/2014 04:30 AM, David P. Reed wrote:
> Reading a lot of this stuff suggests at most that DNSSEC is being overhyped and poorly implemented.
> 
> As a reason to abandon work on deploying DNSSEC so that it's easier to instantiate man in the middle attacks I find it unconvincing.
> 
> Is there an alternative?

For protecting just the DNS client <-> DNS server communication there is http://dnscurve.org/index.html
It doesn't seem to provide a way for a domain owner to cryptographically sign the records though.

Best regards,
--Edwin