[dns-operations] OpenDNS adopts DNSCurve

Tony Finch dot at dotat.at
Thu Feb 25 12:52:10 UTC 2010


On Thu, 25 Feb 2010, Lutz Donnerhacke wrote:
>
> http://blog.opendns.com/2010/02/23/opendns-dnscurve/#comment-338794
> :
> : DNSSEC prevents OpenDNS from redirecting NXDOMAIN DNS responses to their own
> : search engine (and ads). DNSSEC prevents OpenDNS from implementing the
> : “kid-safe” environment.

Not really. OpenDNS's clients are stub resolvers, which (currently) do
not do DNSSEC validation. So even if OpenDNS run validating recursive
servers they can still return modified data to their clients.

As far as I can tell it's still unclear how the stub to recursive hop is
going to be secured in practice (TSIG or SIG(0)? How will key distribution
work?) even though the spread of wireless connectivity makes this
crucially important.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
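
The point made in the reply above, as an added example that is not part of the original message: a non-validating stub can only match the ID and question of a reply, so a validated NXDOMAIN and a rewritten answer from the recursive server are accepted alike, and the AD bit is just an unauthenticated header flag. The query name, the address 192.0.2.10 and all message bytes are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035; AD bit from RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
NXDOMAIN = 3

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qid, name):
    """Plain stub query: RD set, one A/IN question, no EDNS, no DO bit."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, rcode, ad, answer_ip=None):
    """Constructed recursive-server reply that echoes the question."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer_ip else 0, 0, 0) + query[12:]
    if answer_ip:
        # Pointer to the question name at offset 12, type A, class IN, TTL 60, 4 bytes
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        msg += bytes(map(int, answer_ip.split(".")))
    return msg

def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0xF, "ancount": an}

def stub_accepts(query, response):
    """All a non-validating stub checks: reply bit, ID match, question match."""
    h = parse_header(response)
    same_question = response[12:len(query)] == query[12:]
    return h["qr"] and h["id"] == parse_header(query)["id"] and same_question

query = build_query(0x1A2B, "no-such-name.example")
# What a validating recursive server learned upstream: authenticated denial
honest = build_response(query, NXDOMAIN, ad=True)
# What it may still hand to the stub: NXDOMAIN replaced by an A record
rewritten = build_response(query, 0, ad=False, answer_ip="192.0.2.10")

if __name__ == "__main__":
    for label, resp in (("honest", honest), ("rewritten", rewritten)):
        print(label, parse_header(resp), "accepted:", stub_accepts(query, resp))
```

Nothing in either reply is signed on the stub-to-recursive hop, which is why the message asks about TSIG or SIG(0) for that hop.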

