On Wed, 5 Aug 2009 15:07:30 -0400 (EDT) "John R. Levine" <jo...@iecc.com> wrote:
> >> 5 is 'edns ping', but it was effectively blocked because people
> >> thought DNSSEC would be easier to do, or demanded that EDNS PING
> >> (http://edns-ping.org) would offer everything that DNSSEC offered.
> >
> > I'm surprised you failed to mention
> > http://dnscurve.org/crypto.html, which is always brought up, but
> > never seems to solve the problems mentioned.
>
> dnscurve looks like a swell idea, but I wouldn't put it in the
> category of a hack as straightforward as the ones I listed. Also, at
> this point there appears to be neither code nor an implementable spec
> available since Dan is still fiddling with it.
>

As I understand it, dnscurve protects transmissions, not objects. That's
not the way DNS operates today, what with N levels of cache. It may or
may not be better, but it's a much bigger delta to today's systems and
practices than DNSSEC is.

--Steve Bellovin, http://www.cs.columbia.edu/~smb