[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Wed Feb 24 22:39:44 UTC 2010


On Wed, Feb 24, 2010 at 2:25 PM, Paul Vixie <vixie at isc.org> wrote:
> "resource strapped" is not what i said.

You said embedded.  When I think embedded, I think of something like a
Linksys WRT54G or similar.  One of those might be too resource
strapped to occasionally download a trust anchor file or to use
something DLV-like to distribute DNSCurve names, but then it's
probably not going to be doing DNSCurve anyway, which was my point.

> for the
> vast number of autonomous in-house non-outsourced caching resolvers out
> there, adding validation per DNSSEC is no big deal.

When you say "adding validation" do you mean writing their own DNSSEC
implementation, or do you mean upgrading their software to a
DNSSEC-supporting implementation?  Also, are you counting the effort
to upgrade stub resolvers to all do DNSSEC validation?

> these are rackmount servers with virtual memory.

Um, okay.

> however, FTP'ing the root zone and checking
> the PGP signatures on stuff is a lot of aggregate (system wide) complexity
> when you multiply the fetching by the population size.

You're saying this like DNSSEC validation and its trust anchors and
rollover scheme and DLV systems have no complexity, or that
downloading and verifying a file can't be automated and/or integrated
into resolvers.

Anyway, if distributing a zone file is so unpalatable, something
DLV-like would be feasible too.


