
>So if everything needs TLS anyways, why forklift in a new DNS when we could instead work on making TLS better?

For one thing, not everything uses TLS (even if it should). TLS normally requires support by the application, whereas securing DNS could be done in the OS. You could fix DNS and have at least that fixed even for all the legacy applications that nobody is ever going to update to use TLS. It would also make IPSec easier to deploy to the same effect, because it would allow the DNS to be used for key distribution. And likewise for distributing SSH host keys.

I'll give you that DNSSEC is poorly designed, but I don't necessarily want "DNSSEC" in particular; I'm just looking for something that allows client devices to securely verify DNS query responses. Does DNSCurve do that? The Wikipedia entry doesn't clearly distinguish whether it's securing the connection to the server or the query response. In other words, does DNSCurve allow you to detect if your ISP's DNS resolver is compromised?
That is exactly what DNSCurve does, and is something DNSSEC does not do.
See, this is why I like this place. People who can teach me things. OK then, so why haven't we deployed DNSCurve?