[dns-operations] OpenDNS adopts DNSCurve

Matthew Dempsky matthew at dempsky.org
Thu Feb 25 22:34:32 UTC 2010

On Thu, Feb 25, 2010 at 12:27 PM, Paul Vixie <vixie at isc.org> wrote:
>> Also, since this is being done to secure the last hop instead of DNSSEC,
>> do I understand correctly that it won't guarantee "end-to-end" security?
> no, that's not correct.  i recommend a thorough re-reading of RFC 2931.

Reading RFC 2931 a second time, I still don't see any mention of how
it interacts with DNSSEC other than defining a new use for SIG records
for authenticating transactions.

To make sure there's no confusion regarding the issue at hand: are you
claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
resolver can send a query for www.isc.org to an untrusted but
DNSSEC-enabled DNS recursive resolver and be able to detect if that
recursive resolver has tampered with the response data?

More information about the dns-operations mailing list