[dns-operations] OpenDNS adopts DNSCurve
vixie at isc.org
Fri Feb 26 00:37:56 UTC 2010
> Date: Thu, 25 Feb 2010 14:34:32 -0800
> From: Matthew Dempsky <matthew at dempsky.org>
> Reading RFC 2931 a second time, I still don't see any mention of how
> it interacts with DNSSEC other than defining a new use for SIG records
> for authenticating transactions.
> To make sure there's no confusion regarding the issue at hand: are you
> claiming that a SIG(0)-capable (but otherwise DNSSEC-ignorant) stub
> resolver can send a query for www.isc.org to an untrusted but
> DNSSEC-enabled DNS recursive resolver and be able to detect if that
> recursive resolver has tampered with the response data?
no. the recursive nameserver could still do opendns-style monetization,
even while speaking DNSSEC to the authorities and SIG(0) to the stubs.
More information about the dns-operations