For the sake of completeness, as I have a personal interest in getting a DNSSEC-aware resolver to work on SME Server, I will update this older thread with a few links from January 2011 about djb and DNSSEC:
http://vimeo.com/18417770 - video of djb's talk at the 27th CCC ripping into DNSSEC and talking about his own proposed DNSCurve
http://dankaminsky.com/2011/01/05/djb-ccc/ - where Dan Kaminsky goes into great detail refuting many of the points that djb brings up (the comments are useful to read, too)
http://marc.info/?l=djbdns&m=129434351607605&w=2 - where djb refutes one of Dan K's points and dismisses much of that blog post as riddled with errors
http://dankaminsky.com/2011/01/07/cachewars/ - where Dan K responds
The net result of all of that is simply this -> I do not expect that we will ever see a DNSSEC implementation in djb's dnscache.
This is unfortunate as there is now (Jan 2012, a year after all those talks) much greater momentum behind DNSSEC - most of the major TLDs have signed their zones and each week brings news of more ccTLDs signing their zones. Comcast just made a huge announcement here in the US making DNSSEC-aware DNS resolvers available to their ~18 million customers. Many companies are looking into signing their domains.... and the movement continues...
However, djb's opinion of DNSSEC is EXTREMELY clear and for that reason I would not expect changes to dnscache.
For those of us who want DNSSEC, other options for DNS servers that support DNSSEC exist, of course, such as the Unbound name server (http://unbound.net/) but that would involve more modification to SME Server than I personally am interested in undertaking. So... no DNSSEC for now...