OpenDNS today announced it has adopted DNSCurve to secure DNS

Paul Wouters paul at xelerance.com
Thu Feb 25 06:56:15 UTC 2010


On Thu, 25 Feb 2010, Evan Hunt wrote:

>> It's going to be interesting to watch. I guess that depends on whether DNSSEC is
>> turned on by default in BIND. Incidentally - is it?
>
> That depends on what you mean by "turned on".  The DNSSEC protocol is
> enabled, and the DO bit is set in queries, so authoritative servers with
> signed data will send it.

The default in Fedora has been "on" with many keys and DLV since Fedora-12.
That's about 6 months now.

> (There is a built-in trust anchor for dlv.isc.org included with BIND 9.7,
> but you have to turn on a config option for it to be used, and that will
> not change.  We would like people to trust us, and we wanted to make it
> as easy as possible to do so, but we don't think we'd be worthy of trust
> if we made it the default.)

That's correct. But Fedora has tested and used the DLV, and it seems
very solid, though we are looking at one bootstrap issue with VPN we
have observed, where bind could not fetch the DLV's DNSKEY to validate.

But people who are waiting for DNSSEC to "get turned on" are denialists.

Paul
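As an added illustration (not from this message, and not ISC's or Fedora's own shipped configuration), the BIND 9.7 named.conf options the exchange above is about: the protocol side that is on by default, validation, and the config option that has to be set explicitly before the built-in dlv.isc.org anchor is used. The directory path is a placeholder.

```conf
// Added example named.conf fragment (not from the message above).
// Assumes BIND 9.7, where the dlv.isc.org trust anchor ships with the
// binary but is only consulted once dnssec-lookaside is enabled.
options {
    directory "/var/named";     // placeholder path

    // DNSSEC protocol support: the DO bit is set on outgoing queries,
    // so authoritative servers with signed data return the signatures.
    // This is what is "on" by default.
    dnssec-enable yes;

    // Validate the answers. Validation only does something once the
    // resolver has at least one trust anchor to check against.
    dnssec-validation yes;

    // Use the built-in DLV anchor for dlv.isc.org. Off by default, as
    // Evan Hunt says; this is the option that has to be turned on.
    dnssec-lookaside auto;
};
```

To check that validation is actually happening, query the resolver with dig +dnssec and look for the ad flag in the response header; a validating resolver that cannot verify an answer returns SERVFAIL rather than unsigned data. The bootstrap problem Paul mentions fits this picture: if the resolver cannot reach dlv.isc.org to fetch its DNSKEY (for example before a VPN is up), it cannot validate anything that depends on the DLV anchor. Note also that ISC has since retired the dlv.isc.org registry, so on a current resolver the equivalent is a root trust anchor rather than DLV.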


