Hacker News
Paul Vixie: Whither DNSCurve? [2010] (isc.org)
3 points by sadpluto on July 19, 2012 | 2 comments



Could security experts give their take on this? There are some strong statements, such as the last sentence: "Because DNSCurve does not do this, and because the problems DNSCurve actually does solve are pretty well solved by UDP source port randomization and will be entirely eradicated by DNSSEC, ISC is not investing in DNSCurve at all."

I have a few questions, in case anybody is interested in any of them:

1) Would full deployment of IPsec render DNSCurve unnecessary?

2) Isn't "full security" impossible until DNS queries are encrypted? I'm reading the ongoing comments about HSTS [+] and can't help but think that, if you assume the network is a malicious medium, then any unencrypted DNS query, including DNSSEC, can receive a compromised response. But then again, Paul Vixie's quoted sentence seems to counter my reasoning/understanding.

[+] http://news.ycombinator.com/item?id=4266626


I can go on and on about this particular subject, but will refrain from doing so unless there's some demand for yet another DNS & security debate on HN.

I voted the submission up, by the way; thanks for posting it. I hadn't read it.