DNSCurve

DNSCurve is a technique for securely resolving domain names to IP addresses.

The author of the protocol proposal, published in August 2008, is the DNSSEC critic Daniel J. Bernstein, who in 2010 also presented the TCP counterpart CurveCP at the 27th Chaos Communication Congress.

Objectives and functioning

The objective of the protocol is to secure name resolution without the weaknesses of DNSSEC.

DNSCurve uses an asymmetric elliptic-curve cryptosystem to protect the confidentiality and integrity of name resolution. The public key is transmitted by means of self-certifying names, that is, the public key is encoded as part of the domain name. Cross-zone security is achieved by also including the child zone's public key in the NS delegation and glue records. The key exchange between zones is carried out manually by the zone operator.
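As an added example (not from the article and not Bernstein's own implementation), the following shows how a self-certifying name carries the key: the key becomes the first label of the NS name, so a resolver recovers it from the delegation itself with no extra lookup. The label layout ("uz5" plus 51 base-32 digits, the alphabet, and little-endian 5-bit digit order) is my reading of the dnscurve.org implementation notes and should be treated as an assumption when matching a real deployment.

```python
# Added example, not part of the article. Assumed DNSCurve name conventions:
# label = "uz5" + 51 base-32 digits; alphabet below omits the vowels a, e, i, o;
# digits are taken little-endian, 5 bits at a time, from the 32-byte key.
# 51 digits carry 255 bits, which suffices because a Curve25519 public key
# never uses bit 255.
import re
from typing import Optional

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
_DECODE = {c: i for i, c in enumerate(ALPHABET)}
_LABEL_RE = re.compile(r"^uz5([0-9b-df-hj-np-z]{51})$")


def encode_key_label(key: bytes) -> str:
    """Return the DNSCurve label ("uz5" + 51 digits) for a 32-byte public key."""
    if len(key) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    if key[31] & 0x80:
        raise ValueError("bit 255 of a Curve25519 public key must be clear")
    n = int.from_bytes(key, "little")
    digits = []
    for _ in range(51):          # lowest 5 bits first
        digits.append(ALPHABET[n & 31])
        n >>= 5
    return "uz5" + "".join(digits)


def decode_key_label(label: str) -> bytes:
    """Inverse of encode_key_label; rejects anything that is not a valid label."""
    m = _LABEL_RE.match(label)
    if not m:
        raise ValueError("not a DNSCurve key label")
    n = 0
    for i, c in enumerate(m.group(1)):
        n |= _DECODE[c] << (5 * i)
    return n.to_bytes(32, "little")


def key_from_ns_name(ns_name: str) -> Optional[bytes]:
    """Extract the zone's public key from an NS target name, or None if the
    delegation does not advertise DNSCurve (plain names pass through)."""
    first = ns_name.rstrip(".").split(".")[0].lower()   # DNS names are case-insensitive
    try:
        return decode_key_label(first)
    except ValueError:
        return None


if __name__ == "__main__":
    sample_key = bytes(range(32))                      # constructed, not a real key
    label = encode_key_label(sample_key)
    print(label + ".ns.example.")                      # delegation target carrying the key
    assert key_from_ns_name(label + ".ns.example.") == sample_key
```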

No central trusted authority is envisaged so far, despite the hierarchical domain name space. To distribute the public keys of the higher levels, such as the root domain or the top-level domains, Bernstein proposes decentralized lists of trust anchors or a peer-to-peer based approach.

Criticism

Dan Kaminsky criticized, among other things, the key distribution proposed for DNSCurve. In the absence of a central trusted authority, Kaminsky sees a problem that cannot be solved because of Zooko's triangle. The proposed solutions for decentralized distribution of trust anchors are not secure. Other problems with DNSCurve mentioned by Kaminsky are its limited support for DNS caching and the need for online signing, which requires the private key to be provisioned on all authoritative name servers.
