[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Thu Feb 25 20:27:09 UTC 2010


> Date: Thu, 25 Feb 2010 10:27:03 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> 
> > i think it's going to have to be SIG(0), because the only way to distribute
> > a TSIG key would be DHCP, which is itself unsecure.
> 
> I'm not familiar with SIG(0), but it looks like this would require the
> resolver to perform a public key signature operation in response to
> each stub resolver request, right?

actually it's at response time not request time, but sure.

> Also, since this is being done to secure the last hop instead of DNSSEC,
> do I understand correctly that it won't guarantee "end-to-end" security?

no, that's not correct.  i recommend a thorough re-reading of RFC 2931.


