[dns-operations] OpenDNS adopts DNSCurve

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Feb 25 08:31:06 UTC 2010

On Wed, Feb 24, 2010 at 12:20:44PM -0600,
 Adam Stasiniewicz <adam at adamstas.com> wrote 
 a message of 46 lines which said:

> The reason I ask is because I am wondering how man-in-the-middle
> attacks are mitigated/prevented (or if they're not).

MITM attacks are not prevented by DNSCurve. Its proponents regard this
as a feature, not a bug:

> Hamstrings modern uses: High traffic DNS servers can't handle
> signing every response packet, so they need to pre-compute
> signatures. This limits how companies like Akamai and Google or
> projects like the NTP Pool can use DNS for global load balancing and
> routing users to their nearest servers. It also fundamentally
> hampers services like OpenDNS, which use DNS to provide content
> filtering and search services.

As Crist Clark explained very well: DNSCurve just provides channel
protection (like SIG(0) or IPsec) and therefore does not protect
against a lying middleman.

