OpenDNS today announced it has adopted DNSCurve to secure DNS

Alan Clegg aclegg at isc.org
Wed Feb 24 15:23:36 UTC 2010


Joe Baptista wrote:

> That's not the case with DNScurve. Again I stress - over 20 billion
> requests per day at OpenDNS are DNScurve compatible. The traffic in
> DNSSEC is chicken feed compared to DNScurve.

Joe,

The fact that queries hit servers that are DNScurve capable does not
mean that they are taking any advantage of the DNScurve protocol.

I'm sure that there are more "DO bit" queries in the world than DNScurve
label queries on any given day -- and not only DO bit queries, but
queries that hit servers that are DNSSEC capable.

The fact that DNScurve allows OpenDNS to continue modifying responses
while "proving" that their answers are authentic tells me that there is
a gaping hole in the DNScurve protocol...

Follow the money.  OpenDNS has fought against DNSSEC because it
prohibits their "Intelligent Navigation" (Typo correction) and
redirection of google...  They "approve" of DNScurve because it can be
subverted.

 ; <<>> DiG 9.7.0 <<>> @208.67.222.222 www.google.com
 [...]
 ;; ANSWER SECTION:
 www.google.com.  30 IN	CNAME	 google.navigation.opendns.com.
 google.navigation.opendns.com. 30 IN	A	208.69.32.230
 google.navigation.opendns.com. 30 IN	A	208.69.32.231

That's not the google I was looking for...

I'm in no way saying that BIND won't at some point in the future support
DNScurve, I'm just saying that to try to prove the need by pointing to
OpenDNS is not the justification that is needed.

AlanC
