DNSCurve: an alternative to DNSSEC
Posted Jul 15, 2009 1:05 UTC (Wed) by dlang (subscriber, #313)
also, just because neither one is a complete superset of the other doesn't mean that it isn't a case of either/or
I don't think that I've heard anyone advocating using both.
Posted Jul 16, 2009 8:47 UTC (Thu) by forthy (guest, #1525)
I don't know what the original poster does want to explain, but here's
DNSCurve protects the communication with the authoritive DNS server.
I.e. if you do a fully recursive query, you get an authoritive and
protected answer. However, that is not how DNS is supposed to work. DNS is
usually implemented as distributed cache - you ask your lokal DNS cache,
which forwards unknown queries to the provider's cache, which in turn does
recursive queries when necessary. This model takes a lot of load from the
root servers, though breaking the provider's cache with censorship and
other net-nanny-like government regulation will cause more people to
implement their own recursive querying DNS server. If everybody does,
because DNSCurve requires that, .com would not have 5 million clients per
day, but 500 million clients. And an awful lot more queries.
This distributed cache is the model DNSSEC supports - by presigning the
records. DNS records have a TTL, so "replay attacks" aren't attacks,
anyway (they are part of the design of the whole DNS system!). You have to
wait for the TTL to expire before you can be sure that record changes have
Completely unrelated is that ECC is a better asymmetric encryption
system than RSA; but as usual, "just good enough" plus network effects is
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds