[dns-operations] DNSCrypt.

Paul Wouters paul at cypherpunks.ca
Fri May 31 16:26:36 UTC 2013

On Fri, 31 May 2013, Vernon Schryver wrote:

> I don't understand why DNSCrypt is better than stub resolvers that
> do DNSSEC validation.

OpenDNS is filtering out malicious DNS for you. So you cannot run that
on the stub. You need a (secure) path to their servers to ensure you
only get their "certified DNS lies". Since it is changed from the
original, you cannot use DNSSEC yourself, although OpenDNS can (and
maybe does?) do DNSSEC validation for you.

DNSCrypt tries to give them both a secure path and privacy. I just think
the privacy is a myth. The unbound TLS solution is something they could
use, except the current implementation can only do 1 DNS query per TCP/TLS
connection. It's too slow. If we could keep the connection open and
pipeline that (or in the case for validating stubs, send an entire query
chain over that TCP session) speeds would improve dramatically.
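The "keep the connection open and pipeline" idea above is easiest to see on the wire. What follows is an added illustration, not code from this thread, from DNSCrypt, OpenDNS or unbound: a client that sends several DNS queries back-to-back on one TCP stream using the RFC 1035 / RFC 7766 two-byte length framing, and a constructed toy responder that answers them out of order so the client has to match answers to questions by transaction ID. The zone data, the responder and the absence of name compression are all assumptions made for the example; the same framing and matching logic runs unchanged inside a TLS session (DNS over TLS on port 853 is exactly this over an ssl-wrapped socket).

```python
import socket
import struct
import threading

# Constructed sample data for this example (not real records).
SAMPLE_ZONE = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.25",
    "ftp.example.com.": "192.0.2.21",
}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Read an uncompressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(txid, qname, qtype=1):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def frame(msg):
    """16-bit length prefix (RFC 1035 4.2.2 / RFC 7766): this is what lets
    many queries and answers share one TCP or TLS stream."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed mid-message
        buf += chunk
    return buf

def read_frame(sock):
    hdr = recv_exact(sock, 2)
    if hdr is None:
        return None
    return recv_exact(sock, struct.unpack("!H", hdr)[0])

def toy_server(conn, expected):
    """Constructed responder: reads `expected` queries from ONE connection and
    answers them in reverse order, so the client must match by transaction ID."""
    with conn:
        queries = [read_frame(conn) for _ in range(expected)]
        for q in reversed(queries):
            if q is None:
                continue
            txid = struct.unpack("!H", q[:2])[0]
            qname, off = decode_name(q, 12)
            question = q[12:off + 4]           # name + qtype + qclass, echoed back
            ip = SAMPLE_ZONE.get(qname)
            if ip is None:                     # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN)
                msg = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
            else:                              # one A record, TTL 300, 4-byte rdata
                rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4)
                rr += socket.inet_aton(ip)
                msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr
            conn.sendall(frame(msg))

def resolve_pipelined(sock, names):
    """Send every query back-to-back on an already-connected stream, then
    collect answers as they arrive; nothing waits for a reply before the next
    query goes out. Returns {name: dotted IPv4 or None}."""
    pending = {}
    for txid, name in enumerate(names, start=1):
        pending[txid] = name
        sock.sendall(frame(build_query(txid, name)))
    results = {}
    while pending:
        msg = read_frame(sock)
        if msg is None:
            break                              # stream closed early; leftovers stay unresolved
        txid, flags, _qd, ancount = struct.unpack("!HHHH", msg[:8])
        name = pending.pop(txid, None)
        if name is None:
            continue                           # unsolicited or duplicate ID: ignore it
        if (flags & 0x000F) != 0 or ancount == 0:
            results[name] = None               # error rcode or empty answer section
            continue
        _, off = decode_name(msg, 12)          # skip the echoed question
        off += 4
        _, off = decode_name(msg, off)         # answer owner name (uncompressed here)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        results[name] = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else None
    return results

def demo():
    """Run client and toy responder over a socketpair, so no network is needed."""
    client, server = socket.socketpair()
    names = list(SAMPLE_ZONE) + ["nonexistent.example.com."]
    t = threading.Thread(target=toy_server, args=(server, len(names)))
    t.start()
    with client:
        results = resolve_pipelined(client, names)
    t.join()
    return results

if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:28s} {addr}")
```

Four questions, one connection, four answers, with the transaction ID doing the bookkeeping because the responder deliberately replies in the wrong order. A resolver that opens a fresh connection per query pays the TCP (and, for DNS over TLS, the TLS) handshake every time; this client pays it once, which is the cost difference the message above is pointing at. Real resolvers also need a per-connection timeout and a cap on outstanding queries, which are left out here.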


