Basic summary: DNSSEC adds new DNS records in order to provide end-to-end security; DNSCurve adds protocol level security instead, but does so in a far more cryptographically sound way.
Personally I'm not happy with either solution. Getting the cryptography right is important, but end-to-end security is also important -- the ideal outcome here would be if a new DNSSEC2 was created which used djb's curve25519 instead of RSA1024, but I don't think this is very likely to happen any time soon.
1 comment
[ 2.9 ms ] story [ 14.9 ms ] threadPersonally I'm not happy with either solution. Getting the cryptography right is important, but end-to-end security is also important -- the ideal outcome here would be if a new DNSSEC2 was created which used djb's curve25519 instead of RSA1024, but I don't think this is very likely to happen any time soon.