DNSCurve

from Wikipedia, the free encyclopedia
DNSCurve in the TCP/IP protocol stack: application layer: DNSCurve; transport: UDP, TCP; Internet: IP (IPv4, IPv6); network access: Ethernet, Token Bus, Token Ring, FDDI, ...

DNSCurve is a technology for the secure resolution of domain names to IP addresses.

The author of the protocol proposal, published in August 2008, is the cryptologist Professor Daniel J. Bernstein, who also presented the TCP counterpart CurveCP at the 27th Chaos Communication Congress in 2010.

Goals and functioning

The objectives of the procedure include improving the confidentiality, integrity and availability of the domain name system. DNSCurve is an alternative to DNSSEC.

DNSCurve uses an asymmetric elliptic curve cryptosystem to authenticate name servers. The public key is transmitted using self-certifying names, i.e. the public key is encoded as part of the name server's domain name. Cross-zone security is established in that the NS delegations and glue records also contain the public keys of the subordinate zone. The key exchange between the zones is carried out manually by the zone operator.
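The self-certifying name encoding described above, as an added example that is not part of the article: the 32-byte Curve25519 public key is written in DNSCurve's base-32 alphabet as 51 characters after the prefix uz5, giving a 54-octet label. The little-endian bit order and the alphabet follow the DNSCurve specification; the server_key helper and the sample keys are assumptions made for this example.

```python
from typing import Optional

# DNSCurve's base-32 alphabet: digits plus consonants (no a, e, i, o).
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
PREFIX = "uz5"
KEY_LEN = 32                    # Curve25519 public key
LABEL_LEN = len(PREFIX) + 51    # 54 octets, within the 63-octet label limit

def key_to_label(key: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as a 'uz5...' label.
    Bits are consumed little-endian: the first character carries the low
    five bits of key[0]. 51 characters hold 255 bits, so bit 256 must be 0."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    if key[-1] & 0x80:
        raise ValueError("top bit set: not encodable as a DNSCurve name")
    out, acc, bits = [], 0, 0
    for b in key:
        acc |= b << bits
        bits += 8
        while bits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            bits -= 5
    return PREFIX + "".join(out)   # one leftover bit, known to be zero

def label_to_key(label: str) -> Optional[bytes]:
    """Return the key embedded in a DNSCurve label, or None when the label is
    not well-formed (a resolver then treats the server as plain DNS)."""
    label = label.lower()          # DNS labels compare case-insensitively
    if len(label) != LABEL_LEN or not label.startswith(PREFIX):
        return None
    key, acc, bits = bytearray(), 0, 0
    for c in label[len(PREFIX):]:
        v = DECODE.get(c)
        if v is None:              # character outside the alphabet
            return None
        acc |= v << bits
        bits += 5
        while bits >= 8:
            key.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    key.append(acc & 0xFF)         # 255 bits: 31 full bytes plus 7 bits
    return bytes(key) if len(key) == KEY_LEN else None

def server_key(ns_name: str) -> Optional[bytes]:
    """Key from an NS target's first label, e.g. 'uz5...example.net.' (assumed helper)."""
    return label_to_key(ns_name.rstrip(".").split(".")[0])
```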

So far, DNSCurve does not provide a central trusted authority in the hierarchical domain namespace. In order to distribute the public keys at the higher levels, such as the root domain or the top-level domains, Bernstein suggests decentralized lists of trust anchors or a peer-to-peer-based approach.

In addition to authentication, the asymmetric cryptosystem is used to negotiate a symmetric key for point-to-point communication between the resolver and the name server. DNSCurve messages are protected with a message authentication code and encrypted with a symmetric cryptosystem.

Criticism

Dan Kaminsky criticizes DNSCurve for its planned key distribution. Kaminsky regards the abandonment of a central trusted authority as an unsolvable problem according to Zooko's triangle; the proposed solutions for the decentralized distribution of trust anchors are not secure. Other problems with DNSCurve mentioned by Kaminsky are reduced DNS cacheability and the need for online signing, which requires keeping the private key on every authoritative name server. However, this is also the case with, among others, the TLS encryption commonly used for web servers, and the risk of key theft can be limited by using an HSM.
