[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Wed Feb 24 22:25:57 UTC 2010

> Date: Wed, 24 Feb 2010 14:04:55 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> In my experience, resource strapped DNS recursive resolvers are merely
> forwarders, and therefore have no use for maintaining DNSCurve trust
> anchors anyway.  For other setups, I think the cost of occasionally
> downloading a file via HTTP and doing a quick signature verification is
> perfectly reasonable.

my experience differs.  "resource strapped" is not what i said.  for the
vast number of autonomous in-house non-outsourced caching resolvers out
there, adding validation per DNSSEC is no big deal.  these are rackmount
servers with virtual memory.  however, FTP'ing the root zone and checking
the PGP signatures on stuff is a lot of aggregate (system wide) complexity
when you multiply the fetching by the population size.  not so RFC 5011.

so, there still seems to me to be a good impedance match between the
minimum complexity per node in system-wide dnscurve deployment, and the
capabilities of outsourced recursive dns providers.

