On Oct 13, 2014, at 8:20 AM, Paul Wouters <[email protected]> wrote:

> On Mon, 13 Oct 2014, Paul Hoffman wrote:
>
>> Ummm, aren't we forgetting what is for many the much larger cons:
>>
>> * The nameserver has to do a Diffie-Hellman key agreement with every relying
>> party, hugely increasing the CPU load.
>> * The private key must be online all the time.
>> * The private key must be shared by all the nameservers.
>
>> Remember: DNSSEC is sign-once-and-serve; DNScurve is
>> server-does-crypto-for-every-query.
>
> Any dns privacy protocol that wants PFS + encrypted communication would need
> to do that too?
Yes, which is why this WG charter is focused only on the stub-to-recursive link. The private key for a recursive resolver that talks to the .com authoritative server has very different value than the private key for the .com zone.

> ps. not an endorsement for dnscurve :)

Good to hear. :-)

--Paul Hoffman

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
