DNSCurve and DNSSEC DO NOT address the same issues. Only someone that doesn't understand the strengths and weaknesses of both would see one as a replacement for the other.
Posted Jul 15, 2009 1:05 UTC (Wed) by dlang (✭ supporter ✭, #313)
So educate us rather than just making a statement like this.

Also, just because neither one is a complete superset of the other doesn't mean that it isn't a case of either/or.

I don't think that I've heard anyone advocating using both.
DNSCurve: an alternative to DNSSEC
Posted Jul 16, 2009 8:47 UTC (Thu) by forthy (guest, #1525)
I don't know what the original poster wants to explain, but here's my take:

DNSCurve protects the communication with the authoritative DNS server. I.e. if you do a fully recursive query, you get an authoritative and protected answer. However, that is not how DNS is supposed to work. DNS is usually implemented as a distributed cache: you ask your local DNS cache, which forwards unknown queries to the provider's cache, which in turn does recursive queries when necessary. This model takes a lot of load off the root servers, though breaking the provider's cache with censorship and other net-nanny-like government regulation will cause more people to implement their own recursive-querying DNS server. If everybody does, because DNSCurve requires that, .com would not have 5 million clients per day, but 500 million clients. And an awful lot more queries.

This distributed cache is the model DNSSEC supports, by presigning the records. DNS records have a TTL, so "replay attacks" aren't attacks, anyway (they are part of the design of the whole DNS system!). You have to wait for the TTL to expire before you can be sure that record changes have propagated.

Completely unrelated is that ECC is a better asymmetric encryption system than RSA; but as usual, "just good enough" plus network effects is what wins.
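The two points made in the comment above, that caches take load off authoritative servers and that a record change is only guaranteed visible once the old TTL has expired, can be made concrete with a toy model. This is an added example, not code from any commenter or from DNSCurve/DNSSEC; it models only caching and TTLs (no signatures or transport protection), and the zone name, address and TTL values are constructed.

```python
"""Toy two-tier DNS cache (local cache -> provider cache -> authority)."""


class Authority:
    """Authoritative server: hands out (value, ttl) and counts queries."""

    def __init__(self, zone):
        self.zone = dict(zone)  # name -> (value, ttl)
        self.queries = 0

    def lookup(self, name, now):
        self.queries += 1
        return self.zone[name]

    def change(self, name, value, ttl):
        self.zone[name] = (value, ttl)


class Cache:
    """Caching resolver: serves an entry until its TTL expires, then re-asks upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.entries = {}  # name -> (value, expires_at)

    def lookup(self, name, now):
        entry = self.entries.get(name)
        if entry is None or entry[1] <= now:
            value, ttl = self.upstream.lookup(name, now)
            entry = (value, now + ttl)
            self.entries[name] = entry
        # Downstream caches only get the remaining TTL, as real DNS does.
        return entry[0], entry[1] - now


def authority_queries(clients, use_caches):
    """Clients each query the same name once a minute for an hour; return authority load."""
    auth = Authority({"www.example": ("192.0.2.1", 3600)})  # constructed zone
    if use_caches:
        provider = Cache(auth)
        resolvers = [Cache(provider) for _ in range(clients)]  # one local cache per client
    else:
        resolvers = [auth] * clients  # everyone does full recursion against the authority
    for now in range(0, 3600, 60):
        for resolver in resolvers:
            resolver.lookup("www.example", now)
    return auth.queries


def first_seen_after_change(ttl):
    """Populate a cache at t=0, change the record at t=1, return when the cache shows it."""
    auth = Authority({"www.example": ("192.0.2.1", ttl)})
    cache = Cache(auth)
    cache.lookup("www.example", 0)
    auth.change("www.example", "192.0.2.2", ttl)
    for now in range(1, ttl + 1):
        if cache.lookup("www.example", now)[0] == "192.0.2.2":
            return now
    return None
```

Ten caching clients generate a single authoritative query per TTL window, versus one per client per minute without caches, and the changed address only appears once the original TTL has run out.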