[dns-operations] Introducing DNSCrypt

Paul Hoffman phoffman at proper.com
Tue Dec 6 17:40:01 UTC 2011


On Dec 6, 2011, at 9:01 AM, Stephane Bortzmeyer wrote:

> On Tue, Dec 06, 2011 at 02:26:55PM -0200,
> Rubens Kuhl <rubensk at nic.br> wrote 
> a message of 107 lines which said:
> 
>> IPSEC
> 
> IPsec is clearly not deployed. There are many reasons for that but one
> of the most important seems to be the difficulty of distributing
> keys. Relying on IPsec to secure DNS is not realistic.
> 
>> SSL
> 
> You mean DTLS (the old SSL protocol requires TCP)? It is not widely
> deployed yet but seems an interesting approach.

Err, the protocol that OpenDNS is proposing is much less deployed than either IPsec or DTLS. IPsec and DTLS are "deployed" in every modern version of Linux and FreeBSD. That doesn't mean that they are operationally useful for DNS, but it also doesn't mean that inventing a new protocol will cause more deployment.

--Paul Hoffman
