DNSCurve

DNSCurve is a proposed new secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. The basic idea is to define a new secure transport-layer protocol to replace TCP, called CurveCP, that uses elliptic curve cryptography on top of UDP, and then to carry DNS queries inside CurveCP. Because DNSCurve uses DNS CNAME records to prepend the CurveCP elliptic curve public keys to the DNS names of the DNS servers, Bernstein argues that elliptic curve cryptography is fast enough for this purpose and that DNSCurve could be deployed on the Internet much more easily than DNSSEC.[1][2]

DNSCurve appears to be closer in concept to TSIG (securing communication with name servers) than to DNSSEC (securing the DNS records themselves). There are some significant differences between DNSCurve and TSIG, however. TSIG frequently needs to fall back to the more expensive TCP transport, while DNSCurve is designed to keep packets small enough for UDP. TSIG is also not typically used for all queries, but primarily for updating DNS records. TSIG provides only authentication, while DNSCurve provides both authentication and encryption. Finally, DNSCurve includes a scalable key distribution scheme, whereas TSIG's key distribution is much more limited.

Notes

  1. Daniel J. Bernstein. "High-speed cryptography". http://marc.info/?l=djbdns&m=122011940521548&w=2.
  2. Daniel J. Bernstein. "27C3 Talk by Dan Bernstein: High-speed high-security cryptography: encrypting and authenticating the whole Internet". http://vimeo.com/18279777.