DNSCurve: an alternative to DNSSEC
Posted Jul 16, 2009 8:47 UTC (Thu) by forthy (guest, #1525)In reply to: DNSCurve: an alternative to DNSSEC by dlang
Parent article: DNSCurve: an alternative to DNSSEC
I don't know what the original poster does want to explain, but here's my take:
DNSCurve protects the communication with the authoritative DNS server. I.e. if you do a fully recursive query, you get an authoritative and protected answer. However, that is not how DNS is supposed to work. DNS is usually implemented as a distributed cache - you ask your local DNS cache, which forwards unknown queries to the provider's cache, which in turn does recursive queries when necessary. This model takes a lot of load off the root servers, though breaking the provider's cache with censorship and other net-nanny-like government regulation will cause more people to implement their own recursive querying DNS server. If everybody does, because DNSCurve requires that, .com would not have 5 million clients per day, but 500 million clients. And an awful lot more queries.
This distributed cache is the model DNSSEC supports - by presigning the records. DNS records have a TTL, so "replay attacks" aren't attacks, anyway (they are part of the design of the whole DNS system!). You have to wait for the TTL to expire before you can be sure that record changes have propagated.
Completely unrelated is that ECC is a better asymmetric encryption system than RSA; but as usual, "just good enough" plus network effects is what wins.
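The "presigned records through a distributed cache" model described in the comment above, as an added example that is not part of the original post or of either project's code: a zone signs an RRset once, offline, with an Ed25519 key (assumed here; real DNSSEC carries a key tag, signer name and algorithm number in the RRSIG, which this toy omits); a provider cache stores and re-serves the signed answer without holding any key; the client validates it with only the zone's public key. The timestamps and addresses are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is the unit DNSSEC signs: owner name, type, TTL and one or more rdata values.
type RRset struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// SignedRRset is an RRset plus a detached signature and an absolute validity
// window, loosely modelled on an RRSIG (simplified: no key tag, no signer name).
type SignedRRset struct {
	RR         RRset
	Inception  int64 // unix seconds
	Expiration int64 // unix seconds
	Signature  []byte
}

// NewZoneKey generates the zone's Ed25519 key pair (assumed algorithm for this example).
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical serialises the signed fields in a fixed order so signer and verifier
// hash identical bytes; rdata is sorted so wire order does not affect validation.
func canonical(rr RRset, inception, expiration int64) []byte {
	var b bytes.Buffer
	b.WriteString(strings.ToLower(rr.Name))
	b.WriteByte(0)
	b.WriteString(rr.Type)
	b.WriteByte(0)
	binary.Write(&b, binary.BigEndian, rr.TTL)
	binary.Write(&b, binary.BigEndian, inception)
	binary.Write(&b, binary.BigEndian, expiration)
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	for _, r := range rdata {
		binary.Write(&b, binary.BigEndian, uint16(len(r)))
		b.WriteString(r)
	}
	return b.Bytes()
}

// SignRRset is done once by the zone owner; no per-query use of the private key.
func SignRRset(priv ed25519.PrivateKey, rr RRset, inception, expiration int64) SignedRRset {
	msg := canonical(rr, inception, expiration)
	return SignedRRset{RR: rr, Inception: inception, Expiration: expiration, Signature: ed25519.Sign(priv, msg)}
}

// VerifyRRset is what a validating client does, with only the zone's public key.
func VerifyRRset(pub ed25519.PublicKey, s SignedRRset, now int64) error {
	if now < s.Inception || now > s.Expiration {
		return errors.New("signature outside validity window")
	}
	if !ed25519.Verify(pub, canonical(s.RR, s.Inception, s.Expiration), s.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Cache is a resolver cache: it stores what it received and serves it until the
// TTL runs out. It never sees a private key, so it can sit anywhere in the chain.
type Cache struct{ entries map[string]cacheEntry }
type cacheEntry struct {
	rec      SignedRRset
	storedAt int64
}

func NewCache() *Cache { return &Cache{entries: map[string]cacheEntry{}} }

func (c *Cache) Put(s SignedRRset, now int64) { c.entries[key(s.RR)] = cacheEntry{rec: s, storedAt: now} }

// Get returns the cached record while its TTL holds; a stale entry is evicted.
func (c *Cache) Get(name, typ string, now int64) (SignedRRset, bool) {
	k := key(RRset{Name: name, Type: typ})
	e, ok := c.entries[k]
	if !ok {
		return SignedRRset{}, false
	}
	if now-e.storedAt >= int64(e.rec.RR.TTL) {
		delete(c.entries, k)
		return SignedRRset{}, false
	}
	return e.rec, true
}

func key(rr RRset) string { return strings.ToLower(rr.Name) + "/" + rr.Type }

func main() {
	pub, priv := NewZoneKey()
	now := int64(1247734020) // constructed "current time", not the wall clock
	rr := RRset{Name: "www.example.", Type: "A", TTL: 3600, Rdata: []string{"192.0.2.10"}}
	signed := SignRRset(priv, rr, now-86400, now+14*86400) // signed a day ago, valid two weeks

	cache := NewCache()
	cache.Put(signed, now) // provider cache learned it from the authoritative server

	got, _ := cache.Get("www.example.", "A", now+1800) // client asks the cache only
	fmt.Println("cached answer validates:", VerifyRRset(pub, got, now+1800) == nil)

	forged := got // a cache or attacker that edits rdata cannot re-sign it
	forged.RR.Rdata = []string{"203.0.113.66"}
	fmt.Println("tampered answer validates:", VerifyRRset(pub, forged, now+1800) == nil)

	// Replay: the signature says nothing about the TTL, so an old copy validates
	// until the RRSIG window closes; only the cache enforces the TTL.
	_, served := cache.Get("www.example.", "A", now+7200)
	fmt.Println("cache still serves after TTL:", served)
	fmt.Println("old copy validates after TTL:", VerifyRRset(pub, got, now+7200) == nil)
	fmt.Println("old copy validates after expiration:", VerifyRRset(pub, got, now+20*86400) == nil)
}
```

The last three lines are the point about replay: a stale copy of a signed record remains cryptographically valid until the signature's expiration, which is exactly why the comment treats replay within the TTL as part of the design and why the signature lifetime, not the TTL, is the knob that bounds how long an old answer can be pushed.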