Paul Vixie: Whither DNSCurve? [2010] - sadpluto
http://www.isc.org/community/blog/201002/whither-dnscurve

======
sadpluto
Could security experts give their take on this? There are some strong
statements, such as the last sentence: "Because DNSCurve does not do this, and
because the problems DNSCurve actually does solve are pretty well solved by
UDP source port randomization and will be entirely eradicated by DNSSEC, ISC
is not investing in DNSCurve at all."

I have a few questions, in case anybody is interested in any of them:

1) Would full deployment of IPsec render DNSCurve unnecessary?

2) Isn't "full security" impossible until DNS queries are encrypted? I'm
reading the ongoing comments about HSTS [+] and can't help thinking that, if
you assume the network is a malicious medium, then any unencrypted DNS query,
_including DNSSEC_ , can receive a compromised response. But then again, Paul
Vixie's quoted sentence seems to counter my reasoning/understanding.

[+] <http://news.ycombinator.com/item?id=4266626>
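
The question above turns on what DNSSEC does and does not provide. The
following is an added example (written for this thread, not code from the
original post, from ISC, or from any DNSSEC implementation) that models the
exchange: a signed answer, an on-path attacker who can read and rewrite it but
cannot sign, and a validating resolver. It assumes a toy record format, an
Ed25519 key in place of the real DNSSEC algorithms, and a resolver that holds
the zone's public key directly as its trust anchor instead of walking the DS
chain from the root; the function names (Sign, Validate, Tamper, Strip,
Observe, Demo) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Answer is a toy model of one DNSSEC-signed RRset. Real DNSSEC carries the
// signature in an RRSIG record and chains trust from the root via DS records;
// here the resolver is simply handed the zone's public key as its trust anchor.
type Answer struct {
	Name  string // owner name, e.g. "www.example.com."
	Type  string // RR type, e.g. "A"
	RData string // record data, e.g. "192.0.2.10"
	Sig   []byte // signature over the canonical RRset; nil means unsigned
}

// canonical builds the bytes that are signed: owner name lowercased, then type
// and rdata, each length-prefixed so fields cannot bleed into one another.
func canonical(a Answer) []byte {
	var buf bytes.Buffer
	for _, f := range []string{strings.ToLower(a.Name), a.Type, a.RData} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(f)))
		buf.Write(l[:])
		buf.WriteString(f)
	}
	return buf.Bytes()
}

// Sign is the authoritative side: the zone owner signs the RRset offline, long
// before any query arrives, so the network never needs to be trusted.
func Sign(priv ed25519.PrivateKey, a Answer) Answer {
	a.Sig = ed25519.Sign(priv, canonical(a))
	return a
}

// Validate is the resolver side. For a zone it knows to be signed it refuses
// unsigned answers (so stripping the signature is not a downgrade) and rejects
// any answer whose signature does not verify against the trust anchor.
func Validate(anchor ed25519.PublicKey, a Answer) error {
	if a.Sig == nil {
		return errors.New("bogus: answer for signed zone carries no signature")
	}
	if !ed25519.Verify(anchor, canonical(a), a.Sig) {
		return errors.New("bogus: signature does not verify")
	}
	return nil
}

// Tamper models an on-path attacker rewriting the rdata in transit. The
// attacker sees and changes every byte but holds no signing key.
func Tamper(a Answer, rdata string) Answer {
	a.RData = rdata
	return a
}

// Strip models the same attacker trying a downgrade by dropping the signature.
func Strip(a Answer) Answer {
	a.Sig = nil
	return a
}

// Observe models a passive eavesdropper. DNSSEC authenticates but does not
// encrypt, so the name and answer are readable in the clear on the wire.
func Observe(a Answer) string {
	return fmt.Sprintf("%s %s %s", a.Name, a.Type, a.RData)
}

// Demo runs the whole exchange once and reports whether the resolver accepted
// each answer, plus what an eavesdropper could read from the genuine one.
func Demo() (genuineOK, tamperedOK, strippedOK bool, seen string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
	genuine := Sign(priv, Answer{Name: "www.example.com.", Type: "A", RData: "192.0.2.10"})
	genuineOK = Validate(pub, genuine) == nil
	tamperedOK = Validate(pub, Tamper(genuine, "198.51.100.66")) == nil
	strippedOK = Validate(pub, Strip(genuine)) == nil
	seen = Observe(genuine)
	return
}

func main() {
	g, t, s, seen := Demo()
	fmt.Printf("genuine accepted=%v tampered accepted=%v stripped accepted=%v\n", g, t, s)
	fmt.Println("eavesdropper sees:", seen)
}
```

The point the model makes concrete: a forged or rewritten response is rejected
by a validating resolver even though the query travelled unencrypted, because
the signature was made by the zone, not by the channel. What DNSSEC leaves on
the table is exactly what Observe returns: the content stays readable to anyone
on the path, which is the confidentiality gap DNSCurve or IPsec would address.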

~~~
tptacek
I can go on and on about this particular subject, but will refrain from doing
so unless there's some demand for yet another DNS & security debate on HN.

I voted the submission up, by the way; thanks for posting it. I hadn't read
it.

