On Mon, 13 Oct 2014, Paul Hoffman wrote:
> Ummm, aren't we forgetting what is for many the much larger cons:
> * The nameserver has to do a Diffie-Hellman key agreement with every relying
>   party, hugely increasing the CPU load.
> * The private key must be online all the time.
> * The private key must be shared by all the nameservers.
> Remember: DNSSEC is sign-once-and-serve; DNSCurve is
> server-does-crypto-for-every-query.
Any DNS privacy protocol that wants PFS + encrypted communication would need to
do that too?
Like if you picked TLS DHE.
Paul
ps. not an endorsement for DNSCurve :)
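To make the cost difference in the exchange above concrete, here is an added example (not code from either poster) that counts and times server-side crypto operations for the two models: a zone signed once and served from the precomputed signature, versus one key agreement per query with the server's long-term key online. It assumes Ed25519 and X25519 as stand-ins for the signature and key-agreement primitives, and uses a constructed RRset.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Constructed sample RRset to be served; not real zone data.
var rrset = []byte("example.test. 3600 IN A 192.0.2.1")

// SignOnce models DNSSEC: the RRset is signed once ahead of time and the
// same signature is served to every query, so serving costs no crypto.
func SignOnce(n int) (ops int, elapsed time.Duration) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // can live offline
	start := time.Now()
	sig := ed25519.Sign(priv, rrset) // the single signing operation
	ops = 1
	for i := 0; i < n; i++ {
		_ = sig // serve the precomputed signature; nothing to compute
	}
	return ops, time.Since(start)
}

// PerQueryDH models a DNSCurve/DHE-style server: one X25519 agreement per
// query against each client's share, with the server key online throughout.
func PerQueryDH(n int) (ops int, elapsed time.Duration) {
	curve := ecdh.X25519()
	serverKey, _ := curve.GenerateKey(rand.Reader) // long-term, must be online
	clients := make([]*ecdh.PublicKey, n)          // constructed client shares
	for i := range clients {
		k, _ := curve.GenerateKey(rand.Reader)
		clients[i] = k.PublicKey()
	}
	start := time.Now()
	for _, c := range clients {
		if _, err := serverKey.ECDH(c); err == nil {
			ops++ // one agreement per query; PFS would add a fresh server key too
		}
	}
	return ops, time.Since(start)
}

func main() {
	const n = 10000
	o1, t1 := SignOnce(n)
	o2, t2 := PerQueryDH(n)
	fmt.Printf("sign-once-and-serve: %d crypto op(s) for %d queries in %v\n", o1, n, t1)
	fmt.Printf("per-query DH: %d crypto op(s) for %d queries in %v\n", o2, n, t2)
}
```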
_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy