On 08/04/2010 12:32 AM, Paul Wouters wrote:
> On Tue, 3 Aug 2010, Leen Besselink wrote:
>
>> How about TSIG ? I think it can be used (if a stub-resolver like
>> ldns implements it) to secure 'the last mile'.
>
> I'd rather see validating resolvers using a forwarder mechanism so we
> don't have to trust ISP/random wifi nameservers at all.
>
>> Did you also see this idea by Dan Kaminsky ? I thought it was pretty
>> smart.
>>
>> It takes part of the idea from dnscurve and combines it with DNSSEC
>> to get faster/more DNSSEC deployment:
>>
>> http://recursion.com/chain.pdf
>
> It's cute, but I don't think it's really needed anymore. The cool thing
> about re-using the NS record was not so much to just provide a pubkey in
> dnscurve, but to provide privacy. Dan's NSDS record does not do that. The
> competitive nature of the registry/registrar model will ensure most of
> them will support DS records before any NSDS code has been written and
> well tested (IMHO)
>
> Paul
>

I know they are both just a stopgap, but at least now we know you don't expect to implement it.