[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Thu Feb 25 22:43:59 UTC 2010

> Date: Thu, 25 Feb 2010 14:34:32 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> To make sure there's no confusion regarding the issue at hand: are you
> claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
> resolver can send a query for www.isc.org to an untrusted but
> DNSSEC-enabled DNS recursive resolver and be able to detect if that
> recursive resolver has tampered with the response data?

no.  the stub resolver would have to have a TA that allowed it to trust
its initial SIG(0) negotiation with the validating recursive resolver.

this is a burden very similar to needing a TA for the root zone, as is
true on the validating recursive resolver.

More information about the dns-operations mailing list