[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Thu Feb 25 18:27:03 UTC 2010


On Thu, Feb 25, 2010 at 9:22 AM, Paul Vixie <vixie at isc.org> wrote:
> i think it's going to have to be SIG(0), because the only way to distribute
> a TSIG key would be DHCP, which is itself unsecure.

I'm not familiar with SIG(0), but it looks like this would require the
resolver to perform a public key signature operation in response to
each stub resolver request, right?  Also, since this is being done to
secure the last hop instead of DNSSEC, do I understand correctly that
it won't guarantee "end-to-end" security?


