[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Wed Feb 24 22:02:55 UTC 2010

> Date: Wed, 24 Feb 2010 20:07:35 +0000
> From: bmanning at vacation.karoshi.com
> > what's the corresponding plan for DNSCurve?
> 	well.. based on my limited review of DNSCURVE, it provides
> 	channel protection - much the same as TSIG or SIG(0).  So
> 	your question could just as easily be construed as ...
> 	"What's the corresponding plan for TSIG?"

i disagree.

TSIG has no key publication mechanism and is intended for bilateral use,
so it has no "trust anchor problem."

SIG(0) can use DNSSEC secure keys which would make it available for any
channel between cooperating entities, and has no "trust anchor problem"
beyond the one it inherits from DNSSEC itself, which is solved in the way
i described.

in contrast, dnscurve puts public keys into nameserver names.  validators
can, according to matthew, have trust anchors.  so to channel-secure the
whole DNS would require changing the root nameserver names to have public
keys encoded in them.
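To make concrete what "public keys encoded in nameserver names" means in the point above: DNSCurve names a server's Curve25519 public key as a label of the form "uz5" followed by 51 base-32 digits (alphabet 0123456789bcdfghjklmnpqrstuvwxyz, little-endian bit order, the unused 256th bit dropped). The following encoder/decoder is an added illustration, not code from the list discussion or from any DNSCurve implementation; the NS names it scans are constructed sample data.

```python
# DNSCurve public-key labels: "uz5" + 51 base-32 digits (255 bits of a
# 32-byte Curve25519 public key). Added example with constructed inputs.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_LABEL_LEN = 3 + 51


def encode_pubkey_name(pk: bytes) -> str:
    """Return the DNSCurve name label for a 32-byte Curve25519 public key."""
    if len(pk) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    # Little-endian integer; Curve25519 ignores the top bit, so 255 bits suffice.
    n = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    digits = []
    for _ in range(51):
        digits.append(ALPHABET[n & 31])
        n >>= 5
    return "uz5" + "".join(digits)


def decode_pubkey_label(label: str):
    """Return the 32-byte key if `label` is a well-formed DNSCurve key label, else None."""
    label = label.lower()
    if len(label) != KEY_LABEL_LEN or not label.startswith("uz5"):
        return None
    n = 0
    for i, ch in enumerate(label[3:]):
        d = ALPHABET.find(ch)
        if d < 0:  # character outside the DNSCurve alphabet: not a key label
            return None
        n |= d << (5 * i)
    return n.to_bytes(32, "little")


def dnscurve_keys_in_ns(ns_names):
    """Map each NS hostname whose first label carries a DNSCurve key to that key.

    Names without a key label (ordinary nameservers) are left out, which is
    exactly why a zone's NS names must change to become DNSCurve-protected.
    """
    found = {}
    for name in ns_names:
        key = decode_pubkey_label(name.split(".", 1)[0])
        if key is not None:
            found[name] = key
    return found


if __name__ == "__main__":
    # Constructed sample: one DNSCurve-style NS name next to a conventional one.
    sample_key = bytes(range(32))
    ns_set = [encode_pubkey_name(sample_key) + ".ns1.example.net", "ns2.example.net"]
    print(dnscurve_keys_in_ns(ns_set))
```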

