[dns-operations] OpenDNS adopts DNSCurve

Shumon Huque shuque at isc.upenn.edu
Thu Feb 25 20:43:03 UTC 2010


On Thu, Feb 25, 2010 at 05:22:44PM +0000, Paul Vixie wrote:
> > Date: Thu, 25 Feb 2010 12:52:10 +0000
> > From: Tony Finch <dot at dotat.at>
> > As far as I can tell it's still unclear how the stub to recursive hop is
> > going to be secured in practice (TSIG or SIG(0)? How will key
> > distribution work?) even though the spread of wireless connectivity makes
> > this crucially important.
> 
> i think it's going to have to be SIG(0), because the only way to distribute
> a TSIG key would be DHCP, which is itself unsecure.  SIG(0) can be managed
> securely (see RFC 5011.)

There are actually more important concerns with TSIG. Even if DHCP
could be secured (in theory there is an RFC but that's a topic of
another prolonged discussion), TSIG is a symmetric key. To be secure
you'd need to distribute 1 TSIG key per stub resolver. Otherwise you've
given each stub the ability to forge responses from the recursive resolver
to every other stub configured with that same key. Do we really want
to manage gazillions of TSIG keys on the recursive resolver?

--Shumon.
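An added illustration of the symmetric-key point made in the message above; this is not code from the thread or from any DNS implementation. It models TSIG-style HMAC checking on the stub-to-recursive hop with the Python standard library: the resolver, the stub names, the key table and the "response" bytes are all constructed for the example, and the MAC is taken over the bare message rather than the full TSIG RR fields RFC 2845 specifies. The function reports whether the first stub accepts the resolver's own response, whether it also accepts a response MACed with the second stub's key, and how many distinct keys the resolver must hold.

```python
"""Model of TSIG-style MAC checking on the stub-to-recursive hop.

Constructed illustration: the 'wire message' is a plain byte string
standing in for a DNS response; stub names and keys are invented.
"""
import hashlib
import hmac
import secrets


def tsig_mac(key: bytes, message: bytes) -> bytes:
    """HMAC over the message, in the spirit of TSIG (RFC 2845 covers the
    DNS message plus TSIG RR fields; only the message bytes are covered here)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Stub:
    """A stub resolver that validates responses with the TSIG key it holds."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key

    def accepts(self, message: bytes, mac: bytes) -> bool:
        # Constant-time comparison of the expected and presented MAC.
        return hmac.compare_digest(tsig_mac(self.key, message), mac)


class Recursive:
    """A recursive resolver with one key-table entry per configured stub."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self.keys = keys  # stub name -> key shared with that stub

    def respond(self, stub_name: str, message: bytes) -> tuple[bytes, bytes]:
        return message, tsig_mac(self.keys[stub_name], message)


def run_deployment(stub_names: list[str], per_stub_keys: bool) -> dict:
    """Build a deployment and report what the first stub accepts.

    Returns a dict with:
      genuine_accepted    -- first stub accepts the resolver's own response
      other_stub_accepted -- first stub accepts a response MACed with the
                             second stub's key
      distinct_keys       -- number of distinct keys the resolver must manage
    """
    if per_stub_keys:
        keys = {n: secrets.token_bytes(32) for n in stub_names}
    else:
        shared = secrets.token_bytes(32)
        keys = {n: shared for n in stub_names}
    resolver = Recursive(keys)
    stubs = {n: Stub(n, keys[n]) for n in stub_names}
    first, second = stub_names[0], stub_names[1]

    # Constructed response bytes standing in for a DNS answer to the first stub.
    message = b"example.net. IN A 192.0.2.1"
    msg, mac = resolver.respond(first, message)
    genuine_accepted = stubs[first].accepts(msg, mac)

    # The same message MACed with the second stub's key. A symmetric MAC
    # cannot tell the resolver apart from any other holder of the key the
    # first stub trusts, so with a shared key this is accepted too.
    mac_from_second = tsig_mac(stubs[second].key, message)
    other_stub_accepted = stubs[first].accepts(message, mac_from_second)

    return {
        "genuine_accepted": genuine_accepted,
        "other_stub_accepted": other_stub_accepted,
        "distinct_keys": len(set(resolver.keys.values())),
    }


if __name__ == "__main__":
    names = [f"stub-{i}" for i in range(1000)]
    print("shared key :", run_deployment(names, per_stub_keys=False))
    print("per-stub   :", run_deployment(names, per_stub_keys=True))
```

With a shared key the second stub's MAC verifies at the first stub and `distinct_keys` stays at 1; with per-stub keys the foreign MAC is rejected but `distinct_keys` equals the number of stubs, which is the key-management cost the message objects to. An asymmetric scheme such as SIG(0) separates the two properties because verification needs only the resolver's public key.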
