Tony Finch wrote:
On Thu, 25 Feb 2010, Martin Rex wrote:
What does DNSCurve additionally provide
compared to a combination of traditional DNS with IPsec?
That appears to be an illusion.
My impression is that DNSCurve can only distribute public keys
of authoritative nameservers, not of the _much_ more common
caching nameservers, such as you find on firewalls/gateways,
e.g. every DSL-router.
I'm not sure that all of the nameservers operated by ISPs for
use with their customers are authoritative nameservers throughout.
And it appears to me that you either have to entirely abandon
recursive queries with DNSCurve, or consider whatever DNSCurve
authoritative nameserver you ask for a recursive query to
be authoritative for the entire DNS universe.
If there is one thing that I like about the idea of signed
RRs in DNSsec, then it is the limitation of the authority
of those keys to DNS zones. Creating fake keys and fake signed RRs
is still possible for an officially authoritative nameserver
for his delegated zones ("subdomains"), but not upwards
the DNS hierarchy and into other DNS zones.
(I beg your pardon if I may have misunderstood the technology,
and where I may be using inappropriate terminology.)