[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Wed Feb 24 22:04:55 UTC 2010


On Wed, Feb 24, 2010 at 1:50 PM, Paul Vixie <vixie at isc.org> wrote:
> so, the root nameserver names would have to change?

If that's the means by which clients receive the root nameserver's public keys, yes.

That's not to say that's the only way clients could receive the root
server keys.  E.g., they could be published as a TXT record in the
root zone file.

(Resolvers will of course still need some way to securely bootstrap
this process, whether by sending an initial DNSCurve priming query, or
DNSSEC verifying the TXT record, or extracting it from the PGP signed
root zone file.)

> this kind of heavy weight metadata model may fit the needs of opendns
> and other large scale outsourced recursive dns providers, but it won't
> fit into the small scale widely-distributed in-house / embedded model
> that DNS (and DNSSEC) uses today.  is that intentional?  (i ask, since
> you are both an opendns employee and a dnscurve developer.)

In my experience, resource strapped DNS recursive resolvers are merely
forwarders, and therefore have no use for maintaining DNSCurve trust
anchors anyway.  For other setups, I think the cost of occasionally
downloading a file via HTTP and doing a quick signature verification
is perfectly reasonable.
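The first mechanism mentioned above, carrying a server's public key inside its nameserver name, is what a resolver would have to parse before it could use it as a trust anchor. The following is an added example, not code from this thread, OpenDNS or the DNSCurve project. It assumes the DNSCurve label convention: a label of the form `uz5` followed by 51 base-32 characters (alphabet `0123456789bcdfghjklmnpqrstuvwxyz`) that encode the 32-byte Curve25519 public key least-significant bits first, with the key's unused top bit not encoded. The sample key and the NS names are constructed for the example; `keys_from_ns_names` is a hypothetical helper name.

```python
# Added example: encoding/decoding DNSCurve public-key labels and pulling
# the keys out of a set of NS hostnames, as a resolver would when it
# learns the root server names.  Assumes the DNSCurve label convention
# described in the lead-in; sample data below is constructed.

# DNSCurve base-32 alphabet: digits, then consonants only (no vowels).
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
_VALUE = {c: i for i, c in enumerate(ALPHABET)}

KEY_LABEL_LEN = 3 + 51  # "uz5" + 51 base-32 characters


def encode_key_label(key: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as a DNSCurve name label."""
    if len(key) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    if key[31] & 0x80:
        # Curve25519 ignores the top bit; DNSCurve encodes only 255 bits.
        raise ValueError("top bit of the key must be clear")
    out, acc, bits = [], 0, 0
    for b in key:
        acc |= b << bits          # least-significant bits first
        bits += 8
        while bits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            bits -= 5
    # 256 bits consumed, 255 emitted; the leftover bit is the cleared top bit.
    assert bits == 1 and acc == 0 and len(out) == 51
    return "uz5" + "".join(out)


def decode_key_label(label: str):
    """Return the 32-byte key if `label` is a well-formed DNSCurve key label, else None."""
    label = label.lower()  # DNS names are case-insensitive
    if len(label) != KEY_LABEL_LEN or not label.startswith("uz5"):
        return None
    key, acc, bits = bytearray(), 0, 0
    for c in label[3:]:
        v = _VALUE.get(c)
        if v is None:
            return None       # character outside the DNSCurve alphabet
        acc |= v << bits
        bits += 5
        if bits >= 8:
            key.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    # 255 bits = 31 full bytes plus 7 bits; those 7 bits form the last byte.
    key.append(acc)
    return bytes(key)


def keys_from_ns_names(ns_names):
    """Map each NS hostname whose first label carries a DNSCurve key to that key.

    Hostnames without a valid key label are skipped: a resolver treats those
    servers as ordinary (unauthenticated) DNS servers.
    """
    found = {}
    for name in ns_names:
        first_label = name.rstrip(".").split(".")[0]
        key = decode_key_label(first_label)
        if key is not None:
            found[name] = key
    return found


if __name__ == "__main__":
    # Constructed sample key (top bit of the last byte is clear).
    sample_key = bytes(range(32))
    label = encode_key_label(sample_key)
    print(label)
    names = [label + ".example.net.", "ns2.example.net."]
    for host, key in keys_from_ns_names(names).items():
        print(host, key.hex())
```

The little-endian bit order is what makes the first byte of the key land in the first base-32 character; a resolver that assumed the opposite order would silently derive a different key and then fail to decrypt every response, so round-tripping a known key through both functions is the check worth keeping in a test suite.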
