OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 18:31, Joe Baptista wrote: Now that OpenDNS the largest provider of public DNS supports DNSCurve http://twitter.com/joebaptista/status/9555178362 Would it be possible to include DNScurve support in bind? thanks joe baptista I'd love to see BIND adopt DNScurve...when it becomes an

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will ever be bothered to dance the IETF RFC jig.

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Evan Hunt
> I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is > full of wackos. So it is unlikely he will ever be bothered to dance the > IETF RFC jig. Is there a requirement that Dr. Bernstein must personally do the dancing? Let someone else write the RFC, if it needs writing. Whil

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Michael Sinatra
On 02/23/10 19:54, Joe Baptista wrote: It would be nice to see it as an RFC. I agree with that. But from what I know it will be a pretty cold day in hell before it becomes an RFC. I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of wackos. So it is unlikely he will ev

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 06:06:16AM +, Evan Hunt wrote a message of 22 lines which said: > Is there a requirement that Dr. Bernstein must personally do the dancing? > Let someone else write the RFC, if it needs writing. Also, there are not only RFCs. Standards can be described by other mea

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Stephane Bortzmeyer
On Tue, Feb 23, 2010 at 07:28:48PM -0800, Michael Sinatra wrote a message of 34 lines which said: > While I think the OpenDNS people (especially David U., their > founder) have a huge amount of clue, I think they're barking up the > wrong tree here. On the other hand, they are crystal-clear:

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
reply below On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt wrote: > > > I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is > > full of wackos. So it is unlikely he will ever be bothered to dance the > > IETF RFC jig. > > Is there a requirement that Dr. Bernstein must personally

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra < mich...@rancid.berkeley.edu> wrote: > As someone who both signs his production zones and does DNSSEC validation, > I can assure you that DNSSEC works. But you've done as good a job as I can > imagine in making the case for DNScurve. > Done. regar

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Michael Sinatra
On 02/24/10 01:25, Jonathan de Boyne Pollard wrote: DNScurve advocates, on the other hand, point out that DNS isn't encrypted. Well, neither is the phone book. So what? So the protocol is vulnerable to both local and remote forgery attacks, just like other unencrypted protocols

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > That's not the case with DNScurve. Again I stress - over 20 billion > requests per day at OpenDNS are DNScurve compatible. The traffic in > DNSSEC is chicken feed compared to DNScurve. Joe, The fact that queries hit servers that are DNScurve capable does not mean that they ar

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Tony Finch
On Tue, 23 Feb 2010, Joe Baptista wrote: > > Let's not forget the IETF has had 15 years to secure the DNS. The result is > the DNSSEC abortion. It has failed. It looks pretty lively to me. DNSSEC has multiple interoperable implementations, and it will be deployed in the most important zones this ye

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> That's not the case with DNScurve. Again I stress - over 20 billion > requests per day at OpenDNS are DNScurve compatible. The traffic in > DNSSEC is chicken feed compared to DNScurve. ORG and GOV and quite a lot of the ccTLD's are "DNSSEC compatible", so I don't actually think it'd be much of a

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters
On Wed, 24 Feb 2010, Tony Finch wrote: On Tue, 23 Feb 2010, Joe Baptista wrote: Let's not forget the IETF has had 15 years to secure the DNS. The result is the DNSSEC abortion. It has failed. It looks pretty lively to me. DNSSEC has multiple interoperable implementations, and it will be deplo

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Chris Thompson
On Feb 24 2010, Evan Hunt wrote: That's not the case with DNScurve. Again I stress - over 20 billion requests per day at OpenDNS are DNScurve compatible. The traffic in DNSSEC is chicken feed compared to DNScurve. ORG and GOV and quite a lot of the ccTLD's are "DNSSEC compatible", so I don't ac

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Sam Wilson
In article , Chris Thompson wrote: > On Feb 24 2010, Evan Hunt wrote: > > >> That's not the case with DNScurve. Again I stress - over 20 billion > >> requests per day at OpenDNS are DNScurve compatible. The traffic in > >> DNSSEC is chicken feed compared to DNScurve. > > > >ORG and GOV and quite

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread bsfinkel
Joe Baptista wrote: >Someone else has written the RFC draft - which see http://bit.ly/b5mFkV That draft has this text, "Expires: February 27, 2010" [3 days from today]. I am not sure what an expiration date means officially on a draft RFC.

RE: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Lightner, Jeff
om: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of bsfin...@anl.gov Sent: Wednesday, February 24, 2010 3:49 PM To: bind-users@lists.isc.org Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt wrote: > > That's not the case with DNScurve. Again I stress - over 20 billion > > requests per day at OpenDNS are DNScurve compatible. The traffic in > > DNSSEC is chicken feed compared to DNScurve. > > ORG and GOV and quite a lot of the ccTLD's are "DN

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > [] I guess that depends on if DNSSEC > is turned on by default in BIND. Incidentally - is it? dnssec-enable yes; and dnssec-validation yes; are the defaults since BIND 9.5 Serving signed zones requires signed zone data to serve. Validation requir

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg wrote: > > dnssec-enable yes; > and > dnssec-validation yes; > > are the defaults since BIND 9.5 > > How do I turn it off. Thanks joe

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Alan Clegg
Joe Baptista wrote: > dnssec-enable yes; > and > dnssec-validation yes; > > are the defaults since BIND 9.5 > > > How do I turn it off. Since you edited out the most important part of my post, I'll repeat it here before I answer your question: Serving signed zones requ

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Evan Hunt
> It's going to be interesting to watch. I guess that depends on if DNSSEC is > turned on by default in BIND. Incidentally - is it? That depends on what you mean by "turned on". The DNSSEC protocol is enabled, and the DO bit is set in queries, so authoritative servers with signed data will send i

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Paul Wouters
On Thu, 25 Feb 2010, Evan Hunt wrote: It's going to be interesting to watch. I guess that depends on if DNSSEC is turned on by default in BIND. Incidentally - is it? That depends on what you mean by "turned on". The DNSSEC protocol is enabled, and the DO bit is set in queries, so authoritativ

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Eugene Crosser
Joe Baptista wrote: > ORG and GOV and quite a lot of the ccTLD's are "DNSSEC compatible", so I > don't actually think it'd be much of a horserace if compatibility is all > you're looking for. > > > I agree they are both DNSSEC compatible but .GOV has only deployed > DNSSEC in 20% of

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Stephane Bortzmeyer
On Wed, Feb 24, 2010 at 05:42:06PM +, Sam Wilson wrote a message of 28 lines which said: > Has anyone found any uz5* servers out there yet? Zero (0) among the 40301 name servers listed in .FR, for instance (1.6 million domains). Zero for opendns.com, dnscurve.org, etc.

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Hauke Lampe
Stephane Bortzmeyer wrote: > Sam Wilson wrote > >> Has anyone found any uz5* servers out there yet? > > Zero for opendns.com, dnscurve.org, etc. One: > dempsky.org. 259200 IN NS > uz5p4utwsxu5p3r9xrw0ygddw2hxh7bkhd0vdwtbt92lf058ny1p79.dempsky.org. > dempsky.org.

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Eugene Crosser: > Right now, as far as I am concerned, the main obstacle to more > widespread adoption on DNSSEC is the lack of procedure to establish > trust between your zone and the TLD. There's no standard procedure for NS and glue management, either, and it still seems to work quite well.

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Florian Weimer
* Sam Wilson: > Has anyone found any uz5* servers out there yet? node.pk, dempsky.org has such name servers. I thought there were more. Has the magic prefix changed? -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-9

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Sam Wilson
In article , Florian Weimer wrote: > * Sam Wilson: > > > Has anyone found any uz5* servers out there yet? > > node.pk, dempsky.org has such name servers. I thought there were > more. Has the magic prefix changed? OK. I found none in 130 MB of cache from 3 servers. Clearly the wave hasn't

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg wrote: > Joe Baptista wrote: > > > dnssec-enable yes; > > and > > dnssec-validation yes; > > > > are the defaults since BIND 9.5 > > > > > > How do I turn it off. > > Since you edited out the most important part of my post, I'll rep

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Paul Wouters
On Thu, 25 Feb 2010, Eugene Crosser wrote: Right now, as far as I am concerned, the main obstacle to more widespread adoption on DNSSEC is the lack of procedure to establish trust between your zone and the TLD. Even if my zone is signed, and it's in .org which is signed too, I have no (googlable

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Evan Hunt
> > Or, if you think you might accidentally sign your zones or configure > > trust anchors, you can: > > > > dnssec-enable no; > > dnssec-validation no; > > > > OK - so if I do the above - will that prevent my recursive server from doing > DNSSEC if it gets information from a DNSSEC signed

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-26 Thread Alan Clegg
Jonathan de Boyne Pollard wrote: > That's also nothing to do with DNSCurve. You weren't making a DNSCurve > query there. You were simply querying, with an ordinary DNS query, a > proxy DNS server that is under someone else's control and getting the > view of the DNS namespace that that someone e

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-07 Thread Danny Mayer
Michael Sinatra wrote: > On 02/24/10 01:25, Jonathan de Boyne Pollard wrote: >>> >>> >>> DNScurve advocates, on the other hand, point out that DNS isn't >>> encrypted. Well, neither is the phone book. So what? >>> >> So the protocol is vulnerable to both local and remote forgery attacks, >> just li

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Michael Sinatra
On 3/7/10 10:46 AM, Danny Mayer wrote: Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC and nothing i

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-03-08 Thread Kevin Oberman
> Date: Mon, 08 Mar 2010 10:03:26 -0800 > From: Michael Sinatra > Sender: bind-users-bounces+oberman=es@lists.isc.org > > On 3/7/10 10:46 AM, Danny Mayer wrote: > > > Autokey is not a cryptographic signature protocol. It *is* an > > authentication protocol for the server only and there are a

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-04-11 Thread Danny Mayer
Kevin Oberman wrote: >> Date: Mon, 08 Mar 2010 10:03:26 -0800 >> From: Michael Sinatra >> Sender: bind-users-bounces+oberman=es@lists.isc.org >> >> On 3/7/10 10:46 AM, Danny Mayer wrote: >> >>> Autokey is not a cryptographic signature protocol. It *is* an >>> authentication protocol for the ser