OpenDNS today announced it has adopted DNSCurve to secure DNS

Paul Wouters paul at xelerance.com
Thu Feb 25 16:25:26 UTC 2010


On Thu, 25 Feb 2010, Eugene Crosser wrote:

> Right now, as far as I am concerned, the main obstacle to more widespread
> adoption of DNSSEC is the lack of procedure to establish trust between your zone
> and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
> have no (googlable) way to get my DS included into the TLD zone.

Registrars are working on this. It requires them to update EPP etc. I am not sure
if .org already accepts DS records via EPP, but I know others (e.g. opensrs) have
started taking steps to implement this in their interface to the users.

There are some corner cases that need to be solved, such as what to do when a
domain moves from one DNS zone operator to another. Usually private keys cannot
be handed over, so this might require multiple DS record support, etc.

See further http://dnsseccoalition.org/website/

> Of course dlv.isc.org exists, but I think it's publicly perceived as a testbed
> rather than a production anchor.

It is production, not a testbed. And useful for anyone who wants to put their DS
into it. The only thing missing there is easy access to a bulk submission interface.

Paul
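
Added example, not part of the original message: a sketch of the DS matching step for the operator-move corner case mentioned above, showing why the parent needs to carry more than one DS record while a zone changes hands. The zone name and both keys are constructed placeholders, and only the DS-to-DNSKEY match is modelled (signature validation over the DNSKEY RRset is omitted).

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest), RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_ok(owner: str, ds_set, dnskey_rdatas) -> bool:
    """True if any DNSKEY served by the child matches any DS held by the parent."""
    return any(make_ds(owner, k) in ds_set for k in dnskey_rdatas)

# Constructed sample data: placeholder bytes, not real key material.
ZONE = "example.org."
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))       # old operator's key
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))  # new operator's key

def transfer_states() -> dict:
    ds_old, ds_new = make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)
    return {
        # Parent lists only the old DS, child already served by the new operator.
        "single_ds_after_move": chain_ok(ZONE, {ds_old}, [NEW_KSK]),
        # Parent lists both DS records during the move: either operator validates.
        "double_ds_old_operator": chain_ok(ZONE, {ds_old, ds_new}, [OLD_KSK]),
        "double_ds_new_operator": chain_ok(ZONE, {ds_old, ds_new}, [NEW_KSK]),
        # Move finished, old DS withdrawn.
        "new_ds_only": chain_ok(ZONE, {ds_new}, [NEW_KSK]),
    }

if __name__ == "__main__":
    for state, ok in transfer_states().items():
        print(f"{state}: {'secure' if ok else 'bogus'}")
```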


