OpenDNS today announced it has adopted DNSCurve to secure DNS

Joe Baptista baptista at publicroot.org
Wed Feb 24 03:54:59 UTC 2010


It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I humbly
suggest Dr. Bernstein, who is behind DNSCurve, thinks the IETF is full of
wackos. So it is unlikely he will ever be bothered to dance the IETF RFC
jig.

I do disagree with you that bind should only implement what is in the RFC.
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed. This announcement today is a stiff well
deserved kick in the balls to the DNSSEC crowd.

We cannot rely on the IETF for security. Commerce and simple common sense
communications are screaming for security solutions today. DNSCurve is
perfect and it works out of the box.

Folks. OpenDNS has set the DNS standard. We can start securing the DNS with
every new dnscurve upgrade to bind. Imagine how much money is being spent on
the DNSSEC make work project - time and energy wasted.

DNScurve installs - configures and runs. No need for a make work project.

agreed?

regards
joe baptista

On Tue, Feb 23, 2010 at 10:28 PM, Michael Sinatra <
michael at rancid.berkeley.edu> wrote:

> On 02/23/10 18:31, Joe Baptista wrote:
>
>> Now that OpenDNS, the largest provider of public DNS, supports DNSCurve
>>
>> http://twitter.com/joebaptista/status/9555178362
>>
>> Would it be possible to include DNScurve support in bind?
>>
>> thanks
>> joe baptista
>>
>
> I'd love to see BIND adopt DNScurve...when it becomes an RFC.  Until then,
> I'd prefer that BIND stick to the existing body of RFCs.  If DNScurve is
> important enough for the whole Internet to use, then it's important enough
> to drag it through the whole IETF process, political as it may or may not
> be.
>
> Personally, I think DNScurve misses the mark.  My concern, as someone who
> operates both authoritative and recursive servers, is that the data on the
> authority side be authentic end-to-end.  With DNSSEC, I can validate that
> that's true.
>
> DNScurve advocates, on the other hand, point out that DNS isn't encrypted.
> Well, neither is the phone book.  So what?  I regard DNS as a public
> database, and it's more important to me that it be authentic--from the
> source--than obscurified.
>
> While I think the OpenDNS people (especially David U., their founder) have
> a huge amount of clue, I think they're barking up the wrong tree here.
>
> michael