[dns-operations] OpenDNS adopts DNSCurve
Joe Abley
jabley at hopcount.ca
Wed Feb 24 19:18:39 UTC 2010
On 2010-02-24, at 13:50, Matthew Dempsky wrote:
> On Wed, Feb 24, 2010 at 10:40 AM, Joe Abley <jabley at hopcount.ca> wrote:
>> It does seem from a quick review of draft-dempsky-dnscurve-00 that the link-layer security provided by DNSCurve depends on a previous, unsecured DNS lookup by the DNSCurve client to obtain the public key of the DNSCurve server.
>
> It's the same situation as DNSSEC. Either it can make a secured
> lookup to a parent server, it can be configured out-of-band with trust
> anchors, or it can optimistically trust the first response and use it
> to secure all future requests (i.e., still vulnerable to a spoofing
> attack, but limiting the exposure to just the very first query).
Thanks, that's useful clarification.
Joe
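
The three bootstrapping options named in the quoted reply (out-of-band trust anchor, secured lookup via the parent, optimistic trust in the first response), sketched as a key pin store. This is an added example, not part of the original thread or of draft-dempsky-dnscurve-00; the class, method names, server names and key strings are constructed for illustration.

```python
from enum import IntEnum


class Trust(IntEnum):
    """How a server's public key was learned, weakest to strongest."""
    FIRST_USE = 1       # optimistic: taken from the first, unauthenticated response
    SECURED_PARENT = 2  # learned through an already-secured lookup to the parent
    ANCHOR = 3          # configured out-of-band by the operator


class KeyStore:
    def __init__(self, anchors=None):
        # Out-of-band anchors are loaded from configuration, never from the network.
        self.pins = {srv: (key, Trust.ANCHOR) for srv, key in (anchors or {}).items()}

    def trust_of(self, server):
        """Trust level of the current pin, or None if nothing is pinned yet."""
        return self.pins[server][1] if server in self.pins else None

    def observe(self, server, key, source=Trust.FIRST_USE):
        """Process a key seen on the wire.

        Returns 'pinned' (first sighting), 'match', 'upgraded' (a better
        authenticated source replaced a weaker pin) or 'rejected'.
        """
        if source is Trust.ANCHOR:
            raise ValueError("anchors come from configuration, not from responses")
        if server not in self.pins:
            # The only window in which a spoofed FIRST_USE key is accepted.
            self.pins[server] = (key, source)
            return "pinned"
        pinned_key, pinned_trust = self.pins[server]
        if key == pinned_key:
            # Same key confirmed by a stronger source: remember the stronger source.
            self.pins[server] = (key, max(pinned_trust, source))
            return "match"
        if source > pinned_trust:
            # A secured lookup overrides a key that was only trusted on first use.
            self.pins[server] = (key, source)
            return "upgraded"
        # Different key from an equal or weaker source: treat as possible spoofing.
        return "rejected"


if __name__ == "__main__":
    store = KeyStore(anchors={"ns.anchored.example": "KEY-ANCHOR"})  # constructed values
    print(store.observe("ns.example", "KEY-A"))     # pinned
    print(store.observe("ns.example", "KEY-EVIL"))  # rejected
```

A `rejected` result for a server pinned at `FIRST_USE` is ambiguous: either the later response is spoofed or the first one was, which is why such pins are worth re-checking through one of the two stronger sources.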