[Pdns-users] PowerDNS & DNSSEC!

Leen Besselink leen at consolejunkie.net
Wed Jul 15 17:27:07 UTC 2009

On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
> Stephane Bortzmeyer wrote:

Hi Duane and Stephane,

> > On Wed, Jul 15, 2009 at 02:59:58AM +1000,
> >  Duane at e164 dot org <duane at e164.org> wrote 
> >  a message of 62 lines which said:
> > 
> >> On the other hand do you know of any "exciting" development with DNScurve?
> > 
> > What's the relationship? DNSSEC secures the data, DNScurve the channel
> > (like TLS, IPsec, TSIG, etc). So, DNScurve is not a replacement for
> > DNSSEC, for instance, it does not protect against a rogue resolver (or
> > secondary name server).
> DNSSEC doesn't provide privacy, DNScurve is supposed to provide both
> verification and privacy, but since there is no implementation there has
> been little discussion on it which is unfortunate.
> Just like there are a lot of reasons for privacy of web sessions the
> powers that be don't want to offer users the same privacy for their DNS
> requests.
> Reasons for not wanting to offer privacy included acknowledging that
> various governments would oppose it and DNSSEC specifically has no
> potential for privacy in the specs.
> That said since DNSSEC does involve crypto for signing, the same tech
> could in theory be used for privacy, and that annoys/scares whatever
> govt agencies and one potential reason why any sort of DNS crypto has
> taken this long to get to this point.

My guess is, that would be the US government? I know the other governments
also had something else to complain about, the signing of the root and the
agency that is allowed to do so.

Because alternative roots are not (easily) possible with DNSSEC I presume.

I guess you could only make a signed copy or unsigned alt. root.

> -- 
> Best regards,
>  Duane
> http://www.freeauth.org - Enterprise Two Factor Authentication
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://e164.org - Global Communication for the 21st Century
> "In the long run the pessimist may be proved right,
>     but the optimist has a better time on the trip."
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

New things are always on the horizon.
