As a disinterested third party...
On Mon Jun 1 16:09:39 2009, Mark Andrews wrote:
> Totally different from DNSSEC which indeed uses chains of trust - i.e. root
> to tld to sld etc.etc.
And DNSCurve uses chains of trust from root servers to tld
servers to sld servers etc. etc.

After skimming DNSCurve to get the general idea, I agree with Mark
here. I don't see any particular way in which the NS records (which
specify the keys) from the parent are themselves validated, other
than by trusting the parent domain's nameservers, which essentially
means they give equivalent protection to DNSSEC from that standpoint.

I did wonder whether there was additional scope for "leap of faith",
but I'm not sure even that exists.

Moreover, since DNSCurve only operates hop-by-hop, rather than
end-to-end (in the sense of the DNS resolution process as a whole) it
relies on a hop-by-hop trust arrangement. In particular, my servers
here would have to use either a trusted resolver, or no resolver at
all.

I do note that DNSCurve looks like a neat hack, just one that, on
closer inspection, turns out to have no obvious benefits in this
particular respect.

Dave.
--
Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade