[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Thu Feb 25 17:22:44 UTC 2010

> Date: Thu, 25 Feb 2010 12:52:10 +0000
> From: Tony Finch <dot at dotat.at>

> > DNSSEC prevents OpenDNS from redirecting NXDOMAIN DNS responses to
> > their own search engine (and ads). DNSSEC prevents OpenDNS from
> > implementing the “kid-safe” environment.
> Not really. OpenDNS's clients are stub resolvers, which (currently) do
> not do DNSSEC validation. So even if OpenDNS run validating recursive
> servers they can still return modified data to their clients.

agreed.  and given comcast's recent announcement about dnssec, i think it's
inevitable that opendns *will* turn on dnssec validation in their recursive
nameservers, even if they decide not to honour the AD or DO bits from their
clients.  failing to request and check dnssec signatures would be marketing
suicide once DNSSEC really gets rolling.

> As far as I can tell it's still unclear how the stub to recursive hop is
> going to be secured in practice (TSIG or SIG(0)? How will key
> distribution work?) even though the spread of wireless connectivity makes
> this crucially important.

i think it's going to have to be SIG(0), because the only way to distribute
a TSIG key would be DHCP, which is itself insecure.  SIG(0) can be managed
securely (see RFC 5011).
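As an added illustration of the AD/DO point made above (this is my own sketch, not code from the thread or from OpenDNS), here is what a stub sets on the wire and what it gets back: the query carries RD, optionally the AD bit, and an OPT RR with DO so the recursive server returns signatures; the reply's AD bit is only the recursive server's own assertion, which is exactly why a non-validating stub cannot detect modified data from that server. Function names and the constructed reply are mine.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035): QR, RD, RA, AD, CD.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
EDNS_DO = 0x80000000  # DO bit lives in the OPT RR "TTL" field, not the header


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, want_ad=True, do=True):
    """Stub-side query: RD set, AD in the header (RFC 6840 s5.7, "please
    tell me if you validated"), and an OPT RR with DO (RFC 4035)."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL = extended flags (DO), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def response_flags(msg):
    """Decode the header flags a stub inspects on the reply."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F}


def stub_accepts_as_authentic(msg):
    """A non-validating stub has nothing better than AD, which only says
    the recursive server claims it validated; the stub cannot check it."""
    f = response_flags(msg)
    return f["qr"] and f["ad"]


def make_reply(txid, set_ad, rcode=0):
    """Constructed reply header (flags only) as a recursive server might send;
    a server that rewrites answers can still set AD here if it wishes."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if set_ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```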

