[dns-operations] OpenDNS adopts DNSCurve
Paul Vixie
vixie at isc.org
Thu Feb 25 20:27:09 UTC 2010
> Date: Thu, 25 Feb 2010 10:27:03 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
>
> > i think it's going to have to be SIG(0), because the only way to distribute
> > a TSIG key would be DHCP, which is itself unsecure.
>
> I'm not familiar with SIG(0), but it looks like this would require the
> resolver to perform a public key signature operation in response to
> each stub resolver request, right?

actually it's at response time not request time, but sure.

> Also, since this is being done to secure the last hop instead of DNSSEC,
> do I understand correctly that it won't guarantee "end-to-end" security?

no, that's not correct. i recommend a thorough re-reading of RFC 2931.