[dns-operations] OpenDNS adopts DNSCurve
fweimer at bfk.de
Thu Feb 25 12:47:53 UTC 2010
* Tony Finch:
> On Thu, 25 Feb 2010, Stephane Bortzmeyer wrote:
>> > High traffic DNS servers can't handle signing every response packet,
>> > so they need to pre-compute signatures. This limits how companies like
>> > Akamai and Google or projects like the NTP Pool can use DNS for global
>> > load balancing and routing users to their nearest servers.
> I don't see why these kinds of special DNS servers can't sign all the
> possible RRsets they might return offline.
Yes, the number of distinct responses is fairly small.

Some DNSBLs with macro expansion in TXT records are problematic,
though. One "fix" would move this sort of macro expansion into the
DNS client (the MTA).
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99