[dns-operations] OpenDNS adopts DNSCurve
Lutz Donnerhacke
lutz at iks-jena.de
Thu Feb 25 20:10:59 UTC 2010
* Matthew Dempsky wrote:
> On Thu, Feb 25, 2010 at 9:22 AM, Paul Vixie <vixie at isc.org> wrote:
>> i think it's going to have to be SIG(0), because the only way to distribute
>> a TSIG key would be DHCP, which is itself unsecure.
>
> I'm not familiar with SIG(0), but it looks like this would require the
> resolver to perform a public key signature operation in response to
> each stub resolver request, right? Also, since this is being done to
> secure the last hop instead of DNSSEC, do I understand correctly that
> it won't guarantee "end-to-end" security?
Yes. The only difference from DNSCurve is that SIG(0) is missing encryption.