DNSCurve
DNSCurve is a proposed new secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. The basic idea is to define a secure new transport layer protocol to replace TCP, called CurveCP, using elliptic curve cryptography on top of UDP, and then to carry DNS queries inside CurveCP. Because DNSCurve uses DNS CNAME records to prepend the CurveCP elliptic curve public keys to the DNS names of the DNS servers, Bernstein argues that elliptic curve cryptography is fast enough and that DNSCurve could be deployed on the Internet much more easily than DNSSEC.
DNSCurve appears to be more similar in concept to TSIG (securing communication with name servers) rather than DNSSEC (securing DNS records themselves). There are some significant differences between DNSCurve and TSIG, however. TSIG frequently needs to switch to the more expensive TCP transport, while DNSCurve is designed to keep the packets smaller. TSIG is also not typically used for all queries, but primarily for updating DNS records. TSIG does just authentication, while DNSCurve does both authentication and encryption. Finally, DNSCurve includes a scalable key distribution scheme, while TSIG is much more limited.
External links
- Official website
- High-speed cryptography and DNSCurve, a June 2009 presentation by the author
- DNSCurve: Usable security for DNS, an August 2008 presentation by the author
- draft-dempsky-dnscurve-01, proposed standard "DNSCurve: Link-Level Security for the Domain Name System", sent by M. Dempsky (from OpenDNS) to the IETF (updated in February 2010)
- OpenDNS adopts DNSCurve, official OpenDNS blog entry
- dnscurv.es, a public test domain running DNSCurve-enabled authoritative servers
- CurveDNS, DNSCurve forwarding name server