2008/8/31 Joe Baptista <[EMAIL PROTECTED]>:
> http://dnscurve.org/
>
> comments?

I already made comments on namedroppers, so I will summarize it here:

1. No trust anchors in design, signatures seem to be loosely connected.
   Djb added a page for TLD operators today, where he proposes signing .com
   and ISPs to keep local copies of root zone.  But still DNSCurve doesn't
   protect you when your parent is not using DNSCurve (or DNSSEC), but you
   can get a false sense of security (just read those pages).  Unfortunately
   DNSCurve key is received by PODS - thus it's not protected.

2. In its ideal state it would change DNS to DNS over DNS-TXT.  It would
   be nearly impossible to debug anything at all.  And personally I don't
   like this type of encapsulation (it reminds me of IP over DNS ;)).

3. Requirements on aDNS server computation power are raised.  Now not only
   the recursor, but also the authoritative nameserver does crypto.  Elliptic
   curve crypto may have lower requirements on CPU cycles, but still it
   adds more burden on authoritative nameservers.  Djb also proposes
   to change .com nameservers so they are grouped together.

4. I am not sure if labels like
   uz51gmc1jjicekrm676rorncvjpale915vhd94bj2fddj1be1ntbg5.root-servers.net
   make things simpler.

Ondrej.
-- 
 Ondřej Surý
 technický ředitel/Chief Technical Officer
 -----------------------------------------
 CZ.NIC, z.s.p.o. -- .cz domain registry
 Americká 23,120 00 Praha 2,Czech Republic
 mailto:[EMAIL PROTECTED] http://nic.cz/
 sip:[EMAIL PROTECTED] tel:+420.222745110
 mob:+420.739013699 fax:+420.222745112
 -----------------------------------------
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
