Comment Re:Misreported (Score 2, Interesting) 134
Yes, but not more than DNSSEC, which is a published, widely implemented, and tested system.
I disagree. DNSSEC isn't widely implemented, and the widest test had numerous problems.
DNSCurve is 100% compatible with DNS. There's nothing a firewall could do that would be compatible with DNS that is incompatible with DNSCurve.
DNSSEC is not.
DNSCurve trades off more compute resources and the need to have the signing key on the public DNS server to get encrypted DNS, while DNSSEC has a lower server compute load and can store the signing keys off the server, but communicates in the clear.
DNSCurve protects against denial of service attacks. It requires far less compute-power than DNSSEC.
It's hard to make a case for the need to protect the DNS traffic from sniffing; the threat is modification, not sniffing.
Rubbish. Even an amateur cryptographer would tell you that the more you know about the message, the easier it is to break it. Confidentiality protections reduce the amount of knowledge, and thus protect against attacks that are yet unknown.
I would like to see elliptic curve crypto standardized and used in DNSSEC as it will significantly save on the traffic needed, but that is something that can be easily changed later. DNSSEC is very extensible and designed with the future in mind.
I don't think you know what you're talking about.