On 08/04/2010 12:32 AM, Paul Wouters wrote:
On Tue, 3 Aug 2010, Leen Besselink wrote:

How about TSIG? I think it can be used (if a stub-resolver like ldns implements it) to secure 'the last mile'.

I'd rather see validating resolvers using a forwarder mechanism so we don't
have to trust ISP/random wifi nameservers at all.

Did you also see this idea by Dan Kaminsky? I thought it was pretty smart.

It takes part of the idea from dnscurve and combines it with DNSSEC to get faster/more DNSSEC deployment:

http://recursion.com/chain.pdf

It's cute, but I don't think it's really needed anymore. The cool thing about re-using the NS record was not so much to just provide a pubkey in dnscurve, but to provide privacy. Dan's NSDS record does not do that. The competitive nature of the registry/registrar model will ensure most of them will support DS records before any NSDS code has been written and well tested (IMHO).

Paul

I know they are both just a stopgap, but at least now we know you don't expect to implement it.

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
