Hi Paul,

On 09/25/2013 08:34 PM, Paul Wouters wrote:
>
> What we don't need though is another dns-like protocol to do so. (and
> definitely not dnscurve, as it does not support dns data authenticity,
> only transport security)

You might be right about dnscurve, or maybe not. I dunno enough about it yet to be honest.

But, as you know, DNSSEC is where the IETF has placed its bet for DNS data origin auth. Changing that would maybe require a seismic shift, so for this discussion I was assuming DNSSEC is the answer for data origin auth and just asking if it'd be useful to add confidentiality.

So, the fact that dnscurve doesn't do what DNSSEC does isn't really a compelling argument here I think.

Cheers,
S.

PS: Yes, we should all be doing stuff to encourage more deployment of DNSSEC, but I think that's a separate discussion, for other lists probably, even though DNSSEC deployment might make it harder to mount some attacks that are used in monitoring.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
