[dns-operations] OpenDNS adopts DNSCurve

Paul Vixie vixie at isc.org
Fri Feb 26 00:37:56 UTC 2010

> Date: Thu, 25 Feb 2010 14:34:32 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> Reading RFC 2931 a second time, I still don't see any mention of how
> it interacts with DNSSEC other than defining a new use for SIG records
> for authenticating transactions.


> To make sure there's no confusion regarding the issue at hand: are you
> claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
> resolver can send a query for www.isc.org to an untrusted but
> DNSSEC-enabled DNS recursive resolver and be able to detect if that
> recursive resolver has tampered with the response data?

no.  the recursive nameserver could still do opendns-style monetization,
even while speaking DNSSEC to the authorities and SIG(0) to the stubs.

More information about the dns-operations mailing list