[dns-operations] OpenDNS adopts DNSCurve
Paul Vixie
vixie at isc.org
Thu Feb 25 22:43:59 UTC 2010
> Date: Thu, 25 Feb 2010 14:34:32 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
>
> To make sure there's no confusion regarding the issue at hand: are you
> claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
> resolver can send a query for www.isc.org to an untrusted but
> DNSSEC-enabled DNS recursive resolver and be able to detect if that
> recursive resolver has tampered with the response data?
no. the stub resolver would have to have a TA that allowed it to trust
its initial SIG(0) negotiation with the validating recursive resolver.
this is a burden very similar to needing a TA for the root zone, as is
true on the validating recursive resolver.