It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein, who is behind DNSCurve, thinks the IETF is full of wackos. So it is unlikely he will ever be bothered to dance the IETF RFC jig.

I do disagree with you that BIND should only implement what is in the RFC. Let's not forget the IETF has had 15 years to secure the DNS. The result is the DNSSEC abortion. It has failed. This announcement today is a stiff, well-deserved kick in the balls to the DNSSEC crowd. We cannot rely on the IETF for security. Commerce and simple common-sense communications are screaming for security solutions today. DNSCurve is perfect and it works out of the box. Folks, OpenDNS has set the DNS standard. We can start securing the DNS with every new DNSCurve upgrade to BIND. Imagine how much money is being spent on the DNSSEC make-work project: time and energy wasted. DNSCurve installs, configures and runs. No need for a make-work project. Agreed?

regards
joe baptista

On Tue, Feb 23, 2010 at 10:28 PM, Michael Sinatra <mich...@rancid.berkeley.edu> wrote:

> On 02/23/10 18:31, Joe Baptista wrote:
>
>> Now that OpenDNS, the largest provider of public DNS, supports DNSCurve
>>
>> http://twitter.com/joebaptista/status/9555178362
>>
>> Would it be possible to include DNSCurve support in BIND?
>>
>> thanks
>> joe baptista
>
> I'd love to see BIND adopt DNSCurve...when it becomes an RFC. Until then,
> I'd prefer that BIND stick to the existing body of RFCs. If DNSCurve is
> important enough for the whole Internet to use, then it's important enough
> to drag it through the whole IETF process, political as it may or may not
> be.
>
> Personally, I think DNSCurve misses the mark. My concern, as someone who
> operates both authoritative and recursive servers, is that the data on the
> authority side be authentic end-to-end. With DNSSEC, I can validate that
> that's true.
>
> DNSCurve advocates, on the other hand, point out that DNS isn't encrypted.
> Well, neither is the phone book. So what? I regard DNS as a public
> database, and it's more important to me that it be authentic--from the
> source--than obscurified.
>
> While I think the OpenDNS people (especially David U., their founder) have
> a huge amount of clue, I think they're barking up the wrong tree here.
>
> michael
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users