[dns-operations] OpenDNS adopts DNSCurve

Joe Abley jabley at hopcount.ca
Wed Feb 24 19:18:39 UTC 2010

On 2010-02-24, at 13:50, Matthew Dempsky wrote:

> On Wed, Feb 24, 2010 at 10:40 AM, Joe Abley <jabley at hopcount.ca> wrote:
>> It does seem from a quick review of draft-dempsky-dnscurve-00 that the link-layer security provided by DNSCurve depends on a previous, unsecured DNS lookup by the DNSCurve client to obtain the public key of the DNSCurve server.
> It's the same situation as DNSSEC.  Either it can make a secured
> lookup to a parent server, it can be configured out-of-band with trust
> anchors, or it can optimistically trust the first response and use it
> to secure all future requests (i.e., still vulnerable to a spoofing
> attack, but limiting the exposure to just the very first query).

Thanks, that's useful clarification.


More information about the dns-operations mailing list