[dns-operations] OpenDNS adopts DNSCurve

Lutz Donnerhacke lutz at iks-jena.de
Thu Feb 25 20:10:59 UTC 2010


* Matthew Dempsky wrote:
> On Thu, Feb 25, 2010 at 9:22 AM, Paul Vixie <vixie at isc.org> wrote:
>> i think it's going to have to be SIG(0), because the only way to distribute
>> a TSIG key would be DHCP, which is itself unsecure.
>
> I'm not familiar with SIG(0), but it looks like this would require the
> resolver to perform a public key signature operation in response to
> each stub resolver request, right?  Also, since this is being done to
> secure the last hop instead of DNSSEC, do I understand correctly that
> it won't guarantee "end-to-end" security?

Yes. The only difference from DNSCurve is that SIG(0) is missing encryption.
