Phillip, On Wed, 2010-02-24 at 10:00 -0500, Phillip Hallam-Baker wrote: > I took a look at DNSCurve. Some points: > > * It could certainly win. > * It is designed as a hack rather than an extension. > * It considers real world requirements that DNSSEC does not. > > On the 'winning' front. Have people noticed that the IETF has only > ever succeeded in developing security standards by appropriating > systems that had already defeated the IETF generated solution? PGP was > not developed in house, it was a reaction to PEM. SSL was developed by > Netscape. X.509 came from OSI. DNSCurve and DNSSEC are orthogonal, and solve different - if related - problems. DNSSEC declares out of scope: * the channel where DS records get added to the parent * encryption (which I think DNSCurve provides) DNSCurve declares out of scope: * the channel where the magic NS records get added to the parent * the channel where records get sent from the parent to the name servers in the RRSET * master or slave name server compromises * off-line secret key handling Depending on what you consider important, either technology may or may not be what you want. You could, in principle, use both, and it actually would provide different types of security. -- Shane _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf