Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.6 released

Leen Besselink
Wed Aug 4 09:26:01 CEST 2010


On 08/04/2010 12:32 AM, Paul Wouters wrote:
> On Tue, 3 Aug 2010, Leen Besselink wrote:
>
>> How about TSIG? I think it can be used (if a stub-resolver like
>> ldns implements it) to secure 'the last mile'.
>
> I'd rather see validating resolvers using a forwarder mechanism so we
> don't have to trust ISP/random wifi nameservers at all.
>
>> Did you also see this idea by Dan Kaminsky? I thought it was pretty
>> smart.
>>
>> It takes part of the idea from dnscurve and combines it with DNSSEC 
>> to get faster/more DNSSEC deployment:
>>
>> http://recursion.com/chain.pdf
>
> It's cute, but I don't think it's really needed anymore. The cool thing
> about re-using the NS record was not so much to just provide a pubkey in
> dnscurve, but to provide privacy. Dan's NSDS record does not do that. The
> competitive nature of the registry/registrar model will ensure most of
> them will support DS records before any NSDS code has been written and
> well tested (IMHO).
>
> Paul
>
I know they are both just a stopgap, but at least now we know you don't
expect to implement it.