Ed,

On Sun, Dec 11, 2011 at 05:11:45PM +0000, Ed W wrote:
> On 08/12/2011 15:48, Jason wrote:
> > I saw this announcement [2] crop up, with code here [3] and I was
> > wondering about adding the feature directly into dnsmasq. Obviously,
> > opendns is the first to implement it, but hopefully others will roll it
> > out as well.
> ...
> > [1]
> > http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/003922.html
> > [2]
> > http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool
> > [3] https://github.com/opendns/dnscrypt-proxy
> >
> I'm a touch cynical about anything that says cryptography, but doesn't
> have a mathematician obviously behind it and endorsing it. It's just
> too easy to invent crypto that you can't break, but doesn't withstand
> proper prying eyes/minds.

Very true.

> The counter argument tends to be that something is better than
> nothing, but there is a hidden cost which is that of writing and
> maintaining code

There be dragons...

> So with that in mind, are there any discussions for/against this move by
> opendns? I believe that the original idea comes via DJB?

Yes, based on the commit history (hint, hint) [1], they've incorporated
suggestions from a recent review of his. Some of the code was originally
his as well [2], NaCl.

> I read that opendns have picked an unusual curve to run with as the
> standard crypto choice? Are there any benchmarks on performance?

Not that I've seen.

> Cool idea - just curious to see how it's going to get set in stone for
> final implementation?

Server code needs to be released? Convert to library with a stable api
so many other dns projects can integrate it without rolling their own
code?

thx,

Jason.

[1] https://github.com/opendns/dnscrypt-proxy/commit/628eaa9dfc2fd1b5d55ead505efb1febf6227feb
[2] https://github.com/opendns/dnscrypt-proxy/blob/bc0125e24fde91d8a6c60d7976d5a6bd4b85d9ab/COPYING