[dns-operations] DNSCrypt.

Joe Abley jabley at hopcount.ca
Fri May 31 15:16:08 UTC 2013


On 2013-05-31, at 11:02, Ken A <ka at pacific.net> wrote:

> What is keeping nameserver vendors from building this into servers?

DNSCrypt provides channel security. The rhetoric surrounding it for a long time promoted its use as a replacement for DNSSEC, and that promotion faltered because it's not an obvious replacement (DNSCrypt and DNSSEC do different things).

As a replacement for TSIG or SIG(0) between stub resolvers and upstream validators it might have a use. But "replacement" is the wrong word, because nobody secures those channels today; this leaves DNSCrypt looking like a solution to a problem that nobody is really acknowledging out loud that they have.

DNSCrypt is quite clever, I think. I don't think it's a lack of cleverness that is stopping it from making progress. OpenDNS arguably have a better shot at encouraging its deployment than the original authors, since OpenDNS have paying customers to talk to (and are no longer talking about it in terms of replacing DNSSEC).


Joe




More information about the dns-operations mailing list