[dns-operations] OpenDNS adopts DNSCurve

George Barwood george.barwood at blueyonder.co.uk
Wed Feb 24 22:35:15 UTC 2010


----- Original Message ----- 
From: "Paul Vixie" <vixie at isc.org>
To: <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, February 24, 2010 9:50 PM
Subject: Re: [dns-operations] OpenDNS adopts DNSCurve


> so, the root nameserver names would have to change?

Encoding public keys in nameserver names is unpleasant. It can be used for opportunistic
protection as described by Matthew, but is unsatisfying.

The clean solution (adopted in QRP) is to have a resource record that stores public keys.

Obviously you have to start from somewhere, so you need an out-of-band mechanism for
obtaining public keys for a set of root servers.

On a referral, the public key for a server is sent together with the A or AAAA records.

DNSCurve has a slight issue with key rollover - if you want to change the public key,
but want to support the old key for some period, the server has to try each public key in turn.

In QRP, there is a public key tag that solves this problem.

Another advantage of a resource record for public keys is that it allows large numbers
of domains that share the same name server to be protected without any administrative overhead.

All of this functionality is orthogonal to DNSSEC.
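
The rollover cost described in the message, as an added example that is not part of the original post and is neither DNSCurve nor QRP code. It contrasts trying each supported key in turn with selecting the key by a tag carried in the packet. Assumptions: HMAC-SHA256 stands in for the public-key box, the tag is a one-byte operator-assigned identifier (QRP's real key tag format is not given in the message), and the keys and query are constructed sample data.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 output size

def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def seal(key, payload, tag=None):
    """Client side: authenticate payload under the server key it has cached."""
    prefix = bytes([tag]) if tag is not None else b""
    return prefix + _mac(key, payload) + payload

def open_by_trial(keyring, packet):
    """No tag on the wire: try every key still supported, in turn."""
    mac, payload = packet[:MAC_LEN], packet[MAC_LEN:]
    attempts = 0
    for key in keyring.values():
        attempts += 1
        if hmac.compare_digest(mac, _mac(key, payload)):
            return payload, attempts
    return None, attempts

def open_by_tag(keyring, packet):
    """Tag on the wire: pick the key first, then verify exactly once."""
    if not packet:
        return None, 0
    tag, mac, payload = packet[0], packet[1:1 + MAC_LEN], packet[1 + MAC_LEN:]
    key = keyring.get(tag)
    if key is None:                      # retired or unknown key: no crypto work done
        return None, 0
    ok = hmac.compare_digest(mac, _mac(key, payload))
    return (payload if ok else None), 1

# Constructed sample data: a server mid-rollover, newest key first.
KEYRING = {2: hashlib.sha256(b"constructed new key").digest(),
           1: hashlib.sha256(b"constructed old key").digest()}
QUERY = b"example.org. IN A"

def demo():
    old = KEYRING[1]                     # client that still has the old key cached
    return (open_by_trial(KEYRING, seal(old, QUERY)),
            open_by_tag(KEYRING, seal(old, QUERY, tag=1)),
            open_by_tag(KEYRING, seal(old, QUERY, tag=9)))

if __name__ == "__main__":
    print(demo())
```

Each result is a (payload, verification attempts) pair: the untagged packet costs two attempts for a client on the old key, the tagged one costs one, and a packet naming an unknown tag is rejected with none.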

