DNSCurve
DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. Rather than signing DNS records, it encrypts and authenticates every DNS packet exchanged between a resolver and an authoritative name server, using Curve25519 elliptic-curve Diffie-Hellman together with the Salsa20 stream cipher and the Poly1305 authenticator (the NaCl "crypto box"), carried over the same UDP or TCP transport as ordinary DNS. Key distribution reuses the existing delegation: a DNSCurve-capable server publishes its 255-bit public key inside its own host name (a label beginning with "uz5" followed by the key in a base-32 encoding), and that host name appears in the parent zone's NS records, so a resolver learns the server's key as a side effect of following the delegation and needs no extra lookup. Bernstein argues that elliptic-curve cryptography is fast enough for per-query encryption and that DNSCurve can be deployed far more easily than DNSSEC, since the parent zone changes nothing beyond the name of the server it delegates to.[1][2]
In scope, DNSCurve is closer to TSIG (which secures the communication with a name server) than to DNSSEC (which signs the DNS records themselves): it protects one query/response exchange against on-path eavesdropping and forgery, but, unlike DNSSEC, gives a client no way to verify data that has been cached or relayed by an untrusted intermediary, so the two are complementary rather than alternatives. There are significant differences from TSIG as well. TSIG keys are symmetric secrets that must be configured by hand on each pair of hosts, so TSIG is used mainly for zone transfers and dynamic updates rather than for ordinary queries; DNSCurve distributes public keys through the DNS itself and is intended for every query. TSIG only authenticates, while DNSCurve both authenticates and encrypts, so query contents are hidden from observers. Finally, TSIG's signature enlarges responses, which more often pushes them past the UDP size limit and forces a retry over the more expensive TCP transport, whereas DNSCurve is designed to keep packets small.
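The key-in-hostname scheme is the part of DNSCurve a practitioner most often has to get right by hand, for example when checking whether a delegation actually advertises a key. The following is an added Python example, not code from DNSCurve, CurveDNS or any other project named on this page. It encodes a Curve25519 public key as a DNSCurve name server name and parses such names back, following the base-32 alphabet and little-endian digit order given in draft-dempsky-dnscurve; the sample key bytes and the example.net suffix are constructed for illustration.

```python
"""DNSCurve name server names: 'uz5' + 51 base-32 digits of the Curve25519 public key.

Added example, not code from DNSCurve or CurveDNS.  Alphabet and digit order
follow draft-dempsky-dnscurve; the sample key and the example.net suffix are
constructed for illustration.
"""
from typing import Optional

# draft-dempsky-dnscurve base-32 alphabet: the digits plus b-z without the
# vowels a, e, i, o, which keeps every digit legal in a host name and makes
# it unlikely that a key spells a word.
B32_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
_B32_VALUE = {c: i for i, c in enumerate(B32_ALPHABET)}

KEY_PREFIX = "uz5"      # marks a label as carrying a DNSCurve public key
KEY_BYTES = 32          # Curve25519 public key
KEY_DIGITS = 51         # 255 bits / 5 bits per digit
LABEL_LEN = len(KEY_PREFIX) + KEY_DIGITS   # 54 characters


def encode_key(pk: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as 51 base-32 digits.

    The key is read as a little-endian integer and emitted 5 bits at a time,
    least significant bits first.  Only 255 bits are transmitted: a canonical
    Curve25519 public key is an x-coordinate reduced mod 2^255-19, so its top
    bit is zero.  A key with that bit set is rejected rather than silently
    truncated, so a corrupted key cannot round-trip into a different one.
    """
    if len(pk) != KEY_BYTES:
        raise ValueError("public key must be %d bytes" % KEY_BYTES)
    v = int.from_bytes(pk, "little")
    if v >> 255:
        raise ValueError("non-canonical Curve25519 key: top bit set")
    return "".join(B32_ALPHABET[(v >> (5 * i)) & 31] for i in range(KEY_DIGITS))


def decode_key(digits: str) -> bytes:
    """Inverse of encode_key; raises ValueError on a malformed digit string."""
    if len(digits) != KEY_DIGITS:
        raise ValueError("expected %d base-32 digits" % KEY_DIGITS)
    v = 0
    for i, c in enumerate(digits):
        if c not in _B32_VALUE:
            raise ValueError("invalid base-32 digit %r" % c)
        v |= _B32_VALUE[c] << (5 * i)
    return v.to_bytes(KEY_BYTES, "little")


def dnscurve_ns_name(pk: bytes, suffix: str) -> str:
    """Build the host name a DNSCurve server publishes in the parent's NS record."""
    return "%s%s.%s" % (KEY_PREFIX, encode_key(pk), suffix.rstrip("."))


def parse_ns_name(name: str) -> Optional[bytes]:
    """Return the server public key if `name` is a DNSCurve name, else None.

    None means "plain DNS server": a resolver then sends an ordinary query
    instead of failing, which is what lets DNSCurve deploy incrementally.
    DNS names are case-insensitive, so the label is lower-cased first.
    """
    label = name.rstrip(".").split(".")[0].lower()
    if len(label) != LABEL_LEN or not label.startswith(KEY_PREFIX):
        return None
    try:
        return decode_key(label[len(KEY_PREFIX):])
    except ValueError:
        return None   # looks like a key label but is malformed: treat as plain DNS


if __name__ == "__main__":
    sample_pk = bytes(range(32))          # constructed sample, not a real key
    ns = dnscurve_ns_name(sample_pk, "ns.example.net")
    print(ns)
    assert parse_ns_name(ns) == sample_pk
    assert parse_ns_name("ns1.example.net") is None
```

Note what the parser does not check: the NS record that carries the name is itself unauthenticated, so an attacker who can forge the parent's delegation can substitute their own key or strip the "uz5" label and downgrade the resolver to plain DNS. DNSCurve protects the exchange with the server named in the delegation, not the delegation itself; securing the delegation is what DNSSEC on the parent zone adds.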
Notes
- ^ Daniel J. Bernstein, "High-speed cryptography", post to the djbdns mailing list, http://marc.info/?l=djbdns&m=122011940521548&w=2
- ^ Daniel J. Bernstein, "High-speed high-security cryptography: encrypting and authenticating the whole Internet", talk at 27C3, http://vimeo.com/18279777
External links
- Official website
- High-speed cryptography and DNSCurve, a June 2009 presentation by the author
- DNSCurve: Usable security for DNS, an August 2008 presentation by the author
- draft-dempsky-dnscurve-01, Internet-Draft "DNSCurve: Link-Level Security for the Domain Name System", submitted by M. Dempsky (OpenDNS) to the IETF (updated in February 2010)
- OpenDNS adopts DNSCurve, official OpenDNS blog entry
- dnscurv.es, a public test domain running DNSCurve-enabled authoritative servers
- CurveDNS, DNSCurve forwarding name server