[dns-operations] OpenDNS adopts DNSCurve

Olafur Gudmundsson ogud at ogud.com
Fri Feb 26 14:27:53 UTC 2010


On 25/02/2010 9:57 PM, Mike Damm wrote:
> Tony Finch wrote:
>> On Thu, 25 Feb 2010, Stephane Bortzmeyer wrote:
>>
>>> http://blog.opendns.com/2010/02/23/opendns-dnscurve/
>>>
>>>
>>>> High traffic DNS servers can't handle signing every response packet,
>>>> so they need to pre-compute signatures. This limits how companies like
>>>> Akamai and Google or projects like the NTP Pool can use DNS for global
>>>> load balancing and routing users to their nearest servers.
>>>>
>>
>> I don't see why these kinds of special DNS servers can't sign all the
>> possible RRsets they might return offline.
>>
>
> How would people implement something like whoami.ultradns.net using
> DNSSEC? I ask this seriously because pre-signing seems to be the catch
> all answer for the more dynamic things people want to do with DNS, but I
> don't believe people understand how poorly that scales.
>

This is not an issue; all it needs is one signature for the covering
NSEC, see:

; <<>> DiG 9.6.1-P1 <<>> @pdns3.ultradns.org. whoami.ultradns.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50992
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;whoami.ultradns.net.           IN      ANY

;; AUTHORITY SECTION:
ultradns.net.           60      IN      SOA     udns1.ultradns.net. domadmin.ultradns.net. 2010021601 900 600 604800 60

;; Query time: 27 msec
;; SERVER: 199.7.68.1#53(199.7.68.1)
;; WHEN: Fri Feb 26 09:27:08 2010
;; MSG SIZE  rcvd: 88


	Olafur
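As an added illustration of the point above (example code, not from the thread and not UltraDNS's own software): a single pre-signed NSEC record denies existence for every name that sorts into its gap under the canonical ordering of RFC 4034 section 6.1, so one signature serves every whoami-style query that yields NXDOMAIN. The NSEC chain below for ultradns.net is a constructed assumption, not the real zone contents.

```python
# Added example (not from the thread, not UltraDNS code): one pre-signed NSEC
# record proves non-existence for every name that sorts into its gap under the
# canonical DNS name ordering of RFC 4034 section 6.1.  Assumed: the query
# name lies in the zone, and the NSEC owner is not a delegation point.

def canonical_labels(name: str) -> list[bytes]:
    """Labels most-significant first (TLD first), lowercased, as bytes."""
    name = name.rstrip(".").lower()
    if not name:
        return []
    return [label.encode("ascii") for label in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b in canonical order.

    Labels are compared from the right as unsigned byte strings; a name whose
    labels are a prefix of another's sorts first (parent before child).
    """
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if NSEC(owner -> next_name) proves that qname does not exist.

    The last NSEC of a zone points back to the apex, which sorts before its
    owner; that wrap-around record covers every name after the owner.
    """
    if canonical_cmp(qname, owner) <= 0:
        return False        # qname is the owner itself or sorts before it
    if canonical_cmp(next_name, owner) <= 0:
        return True         # wrap-around: last NSEC in the zone
    return canonical_cmp(qname, next_name) < 0


# Constructed NSEC chain for ultradns.net (illustrative names only).
APEX_NSEC = ("ultradns.net.", "udns1.ultradns.net.")       # apex -> first name
LAST_NSEC = ("udns1.ultradns.net.", "ultradns.net.")       # last name -> apex

if __name__ == "__main__":
    q = "whoami.ultradns.net."
    print(nsec_covers(*APEX_NSEC, q))   # False: whoami sorts after udns1
    print(nsec_covers(*LAST_NSEC, q))   # True: covered by the wrap-around NSEC
    # Any other non-existent name in the same gap reuses the same signature.
    print(nsec_covers(*LAST_NSEC, "zzz.ultradns.net."))   # True
```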


