[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Wed Feb 24 19:38:47 UTC 2010


> Date: Wed, 24 Feb 2010 10:50:35 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> 
> It's the same situation as DNSSEC.  Either it can make a secured
> lookup to a parent server, it can be configured out-of-band with trust
> anchors, or it can optimistically trust the first response and use it
> to secure all future requests (i.e., still vulnerable to a spoofing
> attack, but limiting the exposure to just the very first query).

the trust anchor plan for DNSSEC is, sign the root, everybody configures
a trusted key for the root, and RFC 5011 keeps it rolling thereafter.  we
are only using DLV during initial startup while there are still islands.

what's the corresponding plan for DNSCurve?


