[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Wed Feb 24 18:50:35 UTC 2010

On Wed, Feb 24, 2010 at 10:40 AM, Joe Abley <jabley at hopcount.ca> wrote:
> It does seem from a quick review of draft-dempsky-dnscurve-00 that the link-layer security provided by DNSCurve depends on a previous, unsecured DNS lookup by the DNSCurve client to obtain the public key of the DNSCurve server.

It's the same situation as DNSSEC.  Either it can make a secured
lookup to a parent server, it can be configured out-of-band with trust
anchors, or it can optimistically trust the first response and use it
to secure all future requests (i.e., still vulnerable to a spoofing
attack, but limiting the exposure to just the very first query).
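
The three bootstrapping options in the reply above, sketched as a key-acceptance policy. This is an added example, not part of the original message and not code from the DNSCurve draft or any resolver; `KeyStore`, `accept_key`, the zone names and the key strings are hypothetical and constructed for illustration.

```python
# Added illustration, not code from the DNSCurve draft or any resolver.
# KeyStore, accept_key and the key strings are hypothetical/constructed.
from dataclasses import dataclass, field


@dataclass
class KeyStore:
    anchors: dict = field(default_factory=dict)  # zone -> key configured out-of-band
    pins: dict = field(default_factory=dict)     # zone -> key learned from a lookup

    def accept_key(self, zone, key, secured_by_parent=False):
        """Decide whether to use `key` for `zone`; returns (accepted, basis)."""
        if zone in self.anchors:                  # out-of-band trust anchor
            ok = self.anchors[zone] == key
            return ok, ("trust-anchor" if ok else "anchor-mismatch")
        if secured_by_parent:                     # secured lookup to a parent server
            self.pins[zone] = key
            return True, "secured-parent"
        if zone not in self.pins:                 # optimistic trust in first response
            self.pins[zone] = key                 # the only unauthenticated acceptance
            return True, "first-use"
        ok = self.pins[zone] == key               # every later lookup is checked
        return ok, ("pinned" if ok else "pin-mismatch")


def demo():
    store = KeyStore(anchors={"anchored.example": "KEY-A"})
    return [
        store.accept_key("anchored.example", "KEY-X"),   # differs from the anchor
        store.accept_key("tofu.example", "KEY-B"),       # first response, unverified
        store.accept_key("tofu.example", "KEY-B"),       # later lookup, same key
        store.accept_key("tofu.example", "KEY-X"),       # later change is rejected
        store.accept_key("tofu.example", "KEY-C", secured_by_parent=True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A "pin-mismatch" result is worth logging: it means either the first response or the current one did not come from the real server.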
