[dns-operations] OpenDNS adopts DNSCurve
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Feb 25 08:31:06 UTC 2010
On Wed, Feb 24, 2010 at 12:20:44PM -0600,
Adam Stasiniewicz <adam at adamstas.com> wrote
a message of 46 lines which said:
> The reason I ask is because I am wondering how man-in-the-middle
> attacks are mitigated/prevented (or if they're not).
MITM attacks are not prevented by DNScurve. Its proponents regard this
as a feature, not a bug:
http://blog.opendns.com/2010/02/23/opendns-dnscurve/
> Hamstrings modern uses: High traffic DNS servers can't handle
> signing every response packet, so they need to pre-compute
> signatures. This limits how companies like Akamai and Google or
> projects like the NTP Pool can use DNS for global load balancing and
> routing users to their nearest servers. It also fundamentally
> hampers services like OpenDNS, which use DNS to provide content
> filtering and search services.
As Crist Clark explained very well: DNScurve just provides channel
protection (like SIG(0) or IPsec) and therefore does not protect
against a lying middleman.
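A small model of the distinction drawn above, added here as an illustration; it is not code from this thread, from OpenDNS or from the DNSCurve project. Each hop (authoritative server to resolver, resolver to stub) is protected by an HMAC under a secret shared by the two hop endpoints, standing in for the per-hop Curve25519-based authenticated box DNSCurve uses; an Ed25519 signature by a zone key over the record stands in for a DNSSEC-style origin signature. The zone name www.example, the addresses 192.0.2.10 and 198.51.100.99, and all keys are constructed for the example. Three runs show the difference: an on-path attacker who holds no hop key is caught by the channel check at the resolver, while a resolver that rewrites the answer itself (it terminates one hop and originates the next, as a filtering resolver legitimately does) passes the channel check at the stub and is exposed only by the origin signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Scenario selects who, if anyone, misbehaves on the path auth -> resolver -> stub.
type Scenario int
const (
	Honest        Scenario = iota // nobody tampers
	OnPathTamper                  // attacker with no hop key rewrites bytes between auth and resolver
	LyingResolver                 // the resolver, a legitimate endpoint of both hops, rewrites the answer
)

// Result records which checks passed at the stub and the address it would use.
type Result struct {
	HopAuthOK bool   // every hop's channel MAC verified (channel protection)
	OriginOK  bool   // the zone key's signature over the record verified (origin protection)
	Addr      string
}

// Constructed keys: an Ed25519 zone key standing in for a DNSSEC-style zone key, and a fixed
// secret per hop standing in for the per-hop key a DNSCurve-style authenticated box is built on.
var zonePub, zonePriv, _ = ed25519.GenerateKey(nil)
var keyAuthResolver, keyResolverStub = []byte("constructed hop key auth<->resolver"), []byte("constructed hop key resolver<->stub")

// signedAnswer is the authoritative server's answer: "name|addr|hex(zone signature over name|addr)".
func signedAnswer(name, addr string) string {
	return name + "|" + addr + "|" + hex.EncodeToString(ed25519.Sign(zonePriv, []byte(name+"|"+addr)))
}

// sealHop adds channel protection for one hop: HMAC under the hop key, followed by the payload.
func sealHop(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return append(m.Sum(nil), payload...)
}

// openHop checks and strips the hop MAC; ok is false if the bytes changed in transit.
func openHop(key, msg []byte) (payload string, ok bool) {
	if len(msg) < sha256.Size {
		return "", false
	}
	m := hmac.New(sha256.New, key)
	m.Write(msg[sha256.Size:])
	return string(msg[sha256.Size:]), hmac.Equal(msg[:sha256.Size], m.Sum(nil))
}

// verifyOrigin parses "name|addr|sighex" and checks the signature against the zone key.
func verifyOrigin(payload string) (addr string, ok bool) {
	p := strings.SplitN(payload, "|", 3)
	if len(p) != 3 {
		return "", false
	}
	sig, err := hex.DecodeString(p[2])
	return p[1], err == nil && ed25519.Verify(zonePub, []byte(p[0]+"|"+p[1]), sig)
}

// rewriteAddr swaps the address field and leaves the now-stale signature in place.
func rewriteAddr(payload, addr string) string {
	p := strings.SplitN(payload, "|", 3)
	return p[0] + "|" + addr + "|" + p[2]
}

// Resolve runs the chain for www.example under the given scenario and reports what the stub sees.
func Resolve(s Scenario) Result {
	const realAddr, fakeAddr = "192.0.2.10", "198.51.100.99"
	// Hop 1: auth -> resolver. An on-path attacker can alter bytes but has no hop key (modelled by re-sealing under a wrong key).
	wire := sealHop(keyAuthResolver, signedAnswer("www.example", realAddr))
	if s == OnPathTamper {
		wire = sealHop([]byte("attacker key"), rewriteAddr(string(wire[sha256.Size:]), fakeAddr))
	}
	payload, ok := openHop(keyAuthResolver, wire)
	if !ok {
		return Result{} // channel protection did its job: the resolver discards the answer
	}
	// Hop 2: resolver -> stub. The resolver ends hop 1 and starts hop 2, so its rewritten answer carries a valid hop MAC.
	if s == LyingResolver {
		payload = rewriteAddr(payload, fakeAddr)
	}
	if payload, ok = openHop(keyResolverStub, sealHop(keyResolverStub, payload)); !ok {
		return Result{}
	}
	addr, originOK := verifyOrigin(payload)
	return Result{HopAuthOK: true, OriginOK: originOK, Addr: addr}
}

func main() {
	for i, name := range []string{"honest", "on-path tamper", "lying resolver"} {
		r := Resolve(Scenario(i))
		fmt.Printf("%-15s channel=%-5v origin=%-5v addr=%q\n", name, r.HopAuthOK, r.OriginOK, r.Addr)
	}
}
```

Running it prints one line per scenario. The "lying resolver" line is the case the thread is about: the channel check reports success, because the channel really does come from the resolver the stub chose to talk to, and only the origin check notices that the record no longer matches what the zone signed. The same holds for any scheme that authenticates the channel endpoint rather than the data (the SIG(0) and IPsec comparison above), which is why a resolver that rewrites answers on purpose, as a filtering service does, is invisible to channel protection alone.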