[dns-operations] Introducing DNSCrypt

Paul Wouters paul at cypherpunks.ca
Tue Dec 6 18:47:08 UTC 2011


On Tue, 6 Dec 2011, Stephane Bortzmeyer wrote:

>> IPSEC
>
> IPsec is clearly not deployed. There are many reasons for that but one
> of the most important seems to be the difficulty to distribute
> keys. Relying on IPsec to secure DNS is not realistic.

You only need 1 tunnel to your trusted resolver.....

The trick of any "tunnel to your secure resolver" is that often you
need split-tunnel to deal with local-only DNS entries. This is also
not addressed with curves.

Paul


