[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Wed Feb 24 19:52:28 UTC 2010

On Wed, Feb 24, 2010 at 11:38 AM, Paul Vixie <vixie at isc.org> wrote:
> the trust anchor plan for DNSSEC is, sign the root, everybody configures
> a trusted key for the root, and RFC 5011 keeps it rolling thereafter.  we
> are only using DLV during initial startup while there are still islands.
> what's the corresponding plan for DNSCurve?

The same general plan works for DNSCurve.

An authoritative server can today setup DNSCurve, and benefit from the
"optimistically trust the first response" mechanism, and already have
better security than DNS currently provides.  If the parent server
later adds DNSCurve support, resolvers will automatically use the
"secured lookup to a parent server" mechanism.  (Of course, the parent
then has to similarly worry.)

Orthogonal to that, there's no concrete plan yet for automating trust
anchors yet, and ideas are welcome.

The root zone file is available with PGP signatures, so if a TLD were
to support DNSCurve, recursive servers could extract the appropriate
NS records from the root zone file to setup as a trust anchor.

Also, some TLD zone files (in particular, .com and .net) are also
available for download with PGP signatures, and a trusted party with
access to them could republish just the zones with NS records
indicating DNSCurve support.

More information about the dns-operations mailing list