Signed using a pair of static keys? So...it is authenticated then? Or are they more like SSH keys/self-signed certs where you just trust the key belongs to who you think you're talking to the first time?
SSH is an authenticated protocol. The trust anchor scheme SSH uses is "key continuity". The same model has been proposed as a replacement for TLS CA certs.
DNSCurve doesn't specify a key management scheme, but to the extent you want to call a bunch of web pages on Bernstein's site a "spec", it specifies "static keys". Static keys are a perfectly viable trust anchor scheme; like they say about routing, "if you can get away with it, the best protocol is static".
The trust anchor scheme SSH uses is "key continuity"
There is also RFC4255 which allows people to publish fingerprints of their SSH server public key in DNSSEC secured "SSHFP" RRs.
If you have a resolver which supports DNSSEC, you can run this command:
ssh -o "VerifyHostKeyDNS yes" grepular.com
You wont be prompted to verify the fingerprint as usual, because OpenSSH will already have done that verification using the DNS. You also know for sure that grepular.com has resolved to the correct IP address.
There is also "VerifyHostKeyDNS ask", which just displays the result of the lookup, but still allows you to confirm the fingerprint.
DNSSEC allows you to do stuff like this because it secures the integrity of the record all the way from the authoratitive DNS server to the users resolver.
There's also DANE (still going through the standards process) which allows you to publish a fingerprint of your SSL certificate on a domain/port basis, in DNSSEC secured DNS. If you install a Firefox addon named "Extended DNSSEC Validator", visit https://grepular.com/ and click the lock button to the left of the address bar, you will notice it says:
"Domainname is secured by DNSSEC and the certificate is validated by CA and DNSSEC"
This is because I'm following the latest draft of the DANE protocol. Will be nice when the spec is finalised and browser support becomes native. I don't like that any CA can currently generate a cert for my domain.
Another benefit that DNSSEC brings is with PKA records. I publish a record in the DNS which contains a URL to my public PGP key, and its fingerprint. You can automatically download my key and encrypt something using it by typing:
Replacing "example.com" with "grepular.com". Because I also have DNSSEC set up on my domain, if you have a DNSSEC supporting resolver, you know that the fingerprint you've received hasn't been tampered with on the way.
Of course, somebody could compromise my DNS server or the end users resolver. I'm not claiming that DNSSEC is a perfect solution. All I'm saying, is that the integrity that it provides to DNS lookups is massively valuable.
[edit2] Another benefit I forgot to mention. I use third party DNS slaves for redundancy. Because I'm using DNSSEC, those third parties can't serve up different records to the ones I configured, either on purpose or because they've been compromised. Well, they could, but DNSSEC supporting resolvers would just SERVFAIL the modified responses.
