[dns-operations] OpenDNS adopts DNSCurve

bmanning at vacation.karoshi.com
Wed Feb 24 20:07:35 UTC 2010


On Wed, Feb 24, 2010 at 07:38:47PM +0000, Paul Vixie wrote:
> > Date: Wed, 24 Feb 2010 10:50:35 -0800
> > From: Matthew Dempsky <matthew at dempsky.org>
> > 
> > It's the same situation as DNSSEC.  Either it can make a secured
> > lookup to a parent server, it can be configured out-of-band with trust
> > anchors, or it can optimistically trust the first response and use it
> > to secure all future requests (i.e., still vulnerable to a spoofing
> > attack, but limiting the exposure to just the very first query).
> 
> the trust anchor plan for DNSSEC is, sign the root, everybody configures
> a trusted key for the root, and RFC 5011 keeps it rolling thereafter.  we
> are only using DLV during initial startup while there are still islands.
> 
> what's the corresponding plan for DNSCurve?

	well.. based on my limited review of DNSCURVE, it provides
	channel protection - much the same as TSIG or SIG(0).  So
	your question could just as easily be construed as ...

	"What's the corresponding plan for TSIG?"

	and there is the small problem of RFC5011 and shelf-life issues.


--bill


