[dns-operations] DNSCrypt.

Vernon Schryver vjs at rhyolite.com
Fri May 31 16:03:58 UTC 2013

> From: Ken A <ka at pacific.net>

> What is keeping nameserver vendors from building this into servers?

> > <http://www.opendns.com/technology/dnscrypt/>
> > <http://dnscrypt.org/>
> > <https://github.com/Cofyc/dnscrypt-wrapper>

Preventing men in the middle raises key distribution questions,
so I went looking for answers.
    The following information has to be provided to the proxy:
    - The provider name (defaults to 2.dnscrypt-cert.opendns.com.)
    - The provider public key (defaults to the current one for OpenDNS).


    The proxy doesn't cache replies. Neither does it perform any DNSSEC
    validation yet.
    This is better handled by a separate process or by linking libunbound.

That makes the proxy+stub resolver and all of its implicit practical
problems sound a lot like a stub resolver with a copy of the root
DNSSEC key doing its own DNSSEC validation.

I see commercial advantages in this mechanism to OpenDNS in locking
in customers.  (I intend no offense to OpenDNS.  Every business
does and should look for ways to retain customers.)
I don't understand why DNSCrypt is better than stub resolvers that
do DNSSEC validation.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list