

Securing DNS's 'Last Mile' - smountcastle
http://www.cricketondns.com/post.cfm/securing-dnssec-s-last-mile

======
smountcastle
In the year since that blog post, does anyone know of any OS vendors whose
stub resolvers support TSIG? The key distribution issue is a barrier, but I
would think that recursive DNS providers (like OpenDNS, Google, and others)
would be interested in differentiating their services by providing this
additional layer of protection.

One solution is to run a forwarding server on the customer's computer and use
TSIG to secure its communication with the recursive service, but this won't
work for every device in the household. I can't run a forwarding DNS server on
my iPad and I wouldn't want all of the devices in my house to have to funnel
their DNS through a single computer which could be off and break DNS.

Any ideas on how to solve this problem?
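
To make concrete what TSIG between a local forwarder and a recursive service checks, here is an added example (not part of the original post, and not any resolver's own code) that computes and verifies a TSIG MAC with HMAC-SHA256 over the digest inputs defined in RFC 8945. The key name, shared secret, timestamp and query are constructed sample values, and the TSIG record itself is not serialized onto the wire.

```python
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """Encode a domain name in canonical (lowercase, uncompressed) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid: int, qname: str) -> bytes:
    """Minimal DNS query: header (RD set, one question) plus an A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", 1, 1)

def tsig_mac(message: bytes, key_name: str, secret: bytes, time_signed: int,
             fudge: int = 300, prior_mac: bytes = b"") -> bytes:
    """HMAC-SHA256 over [request MAC] + DNS message + TSIG variables.

    For a response, prior_mac is the MAC of the request it answers, which
    binds the reply to that specific query.
    """
    prefix = struct.pack("!H", len(prior_mac)) + prior_mac if prior_mac else b""
    tsig_vars = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)        # CLASS = ANY, TTL = 0
        + wire_name("hmac-sha256")          # algorithm name
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
        + struct.pack("!HHH", fudge, 0, 0)  # fudge, error, other-data length
    )
    return hmac.new(secret, prefix + message + tsig_vars, hashlib.sha256).digest()

def tsig_verify(message: bytes, mac: bytes, key_name: str, secret: bytes,
                time_signed: int, now: int, fudge: int = 300,
                prior_mac: bytes = b"") -> bool:
    """Receiver-side check: reject stale timestamps, then compare in constant time."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge, prior_mac)
    return hmac.compare_digest(expected, mac)

# Constructed sample values (assumptions for this example, not from the post).
KEY_NAME = "home-forwarder.example."
SECRET = b"constructed-shared-secret-32byte"
T0 = 1_700_000_000
QUERY = build_query(0x1A2B, "www.example.com")
MAC = tsig_mac(QUERY, KEY_NAME, SECRET, T0)
```

Because both ends need the same secret, this also shows why key distribution is the barrier for stub resolvers: every device would have to be provisioned with its own `SECRET`.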

