On 11/25/2014 6:28 AM, Edward Ned Harvey (blu) wrote:
Based on my understanding of DNSSEC, it doesn't add security except in esoteric edge cases.
DNSSEC exists to solve one problem: cache poisoning. It does so by digitally signing entire zones. That's not security; it's authenticity. If you're expecting security from DNSSEC then your expectations have already been shattered. As an aside, I don't consider cache poisoning to be an edge case.
DNSCurve authenticates and encrypts DNS traffic using strong, fast crypto. So far, OpenDNS is the only major adopter.
-- Rich P. _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
