[dns-operations] OpenDNS adopts DNSCurve
Matthew Dempsky
matthew at dempsky.org
Thu Feb 25 22:34:32 UTC 2010

On Thu, Feb 25, 2010 at 12:27 PM, Paul Vixie <vixie at isc.org> wrote:
>> Also, since this is being done to secure the last hop instead of DNSSEC,
>> do I understand correctly that it won't guarantee "end-to-end" security?
>
> no, that's not correct. i recommend a thorough re-reading of RFC 2931.

Reading RFC 2931 a second time, I still don't see any mention of how
it interacts with DNSSEC other than defining a new use for SIG records
for authenticating transactions.

To make sure there's no confusion regarding the issue at hand: are you
claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
resolver can send a query for www.isc.org to an untrusted but
DNSSEC-enabled DNS recursive resolver and be able to detect if that
recursive resolver has tampered with the response data?