[Unbound-users] unbound 1.4.6 released
Paul Wouters
paul at xelerance.com
Tue Aug 3 22:32:25 UTC 2010
On Tue, 3 Aug 2010, Leen Besselink wrote:
> How about TSIG? I think it can be used (if a stub-resolver like ldns
> implements it) to secure 'the last mile'.
I'd rather see validating resolvers using a forwarder mechanism so we don't
have to trust ISP/random wifi nameservers at all.
> Did you also see this idea by Dan Kaminsky? I thought it was pretty smart.
>
> It takes part of the idea from dnscurve and combines it with DNSSEC to get
> faster/more DNSSEC deployment:
>
> http://recursion.com/chain.pdf
It's cute, but I don't think it's really needed anymore. The cool thing about
re-using the NS record was not so much to just provide a pubkey in dnscurve,
but to provide privacy. Dan's NSDS record does not do that. The competitive
nature of the registry/registrar model will ensure most of them will support DS
records before any NSDS code has been written and well tested (IMHO).
Paul