OpenDNS today announced it has adopted DNSCurve to secure DNS

Alan Clegg aclegg at isc.org
Fri Feb 26 13:24:10 UTC 2010


Jonathan de Boyne Pollard wrote:

> That's also nothing to do with DNSCurve.  You weren't making a DNSCurve
> query there.  You were simply querying, with an ordinary DNS query, a
> proxy DNS server that is under someone else's control and getting the
> view of the DNS namespace that that someone else chose to give to you.
> OpenDNS have "subverted" you (inasmuch as one can call accepting control
> of the DNS namespace from people who deliberately hand it over to them
> "subversion") entirely without DNSCurve.  This is simply the well-known
> risk of using other people's proxy servers.  There's nothing new here,
> and nothing related to DNSCurve here.

I fully understand that this was not a DNSCurve query.  My point was
that this "ability" of OpenDNS will go away if and when they choose a
technology that actually provides end-to-end validation of the DNS
query/response in question.

Why would OpenDNS adopt a technology that destroys their own business
model?  They argue against DNSSEC, yet they implement DNSCurve.

Interesting...

Anyway, this has gone far enough off-topic ("bind-users") that I'm going
to curtail my responses here.  Feel free to follow up with me directly
if you'd like.

AlanC
