DNSCurve for DNS administrators
The DNSCurve project adds link-level public-key protection to DNS packets.
This page discusses DNSCurve from the perspective of a DNS administrator.
DNSCurve for incoming DNS data
You have to upgrade your DNS cache
(a "recursive server" such as dnscache
or PowerDNS Recursor or BIND or MaraDNS or Nominum CNS or Unbound)
to a DNS cache that supports DNSCurve.
No extra cache configuration is required;
the DNS cache will figure out for itself when a server supports DNSCurve.
No extra firewall configuration is required
(if you have your cache behind a firewall);
DNSCurve requests and responses are, from a firewall's perspective, normal DNS packets.
Network bandwidth remains essentially unchanged;
DNSCurve puts some extra information into packets to DNSCurve servers
but does not use extra packets.
DNSCurve for outgoing DNS data
You could upgrade your DNS server
(an "authoritative server" such as tinydns
or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS)
to a DNS server that supports DNSCurve.
However, you can instead install a DNSCurve forwarder
without changing your DNS server.
This installation has five steps:
- Install the DNSCurve forwarder on a new IP address.
If you install the forwarder on the same computer as your existing DNS server
then you need to put it on a different IP address from the existing DNS server.
- Configure the DNSCurve forwarder to forward to your existing DNS server's IP address.
- Add, in your DNS data, a special DNSCurve server name for the DNSCurve forwarder.
The name is specific to this DNSCurve forwarder
and is automatically generated during installation of the forwarder.
- Add the same DNSCurve server name in your parent DNS data.
- After a week, remove the old non-DNSCurve server names.
DNSCurve caches will now start encrypting and authenticating packets to your forwarder.
You don't need to change any other DNS data.
You don't need to change your procedures for updating DNS data.
For example,
let's say you're the nytimes.com DNS administrator,
with a DNS server on IP address 199.239.137.15.
Here is how you would add support for DNSCurve:
- Install the DNSCurve forwarder on a new IP address, for example 199.239.137.201.
- Configure the DNSCurve forwarder to forward to IP address 199.239.137.15.
- Add
.nytimes.com:199.239.137.201:uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com
(in tinydns format)
or
nytimes.com. IN NS uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com.
uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com. IN A 199.239.137.201
(in BIND format).
Here uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw
is a special name generated by this DNSCurve forwarder.
- Log in to the .com registrar
and provide the same
uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com
information.
- After a week, remove the old non-DNSCurve server name.
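To verify the last three steps from the outside, here is an added checker (example code written for this page, not part of DNSCurve or of any forwarder): it reads a BIND-format zone fragment, finds the NS records, recognises DNSCurve server names (uz5 followed by 51 characters from DNSCurve's base-32 alphabet, a little-endian encoding of the 32-byte public key, as the DNSCurve specification describes), decodes the key, and flags any remaining non-DNSCurve server names that still need removing. The sample zone is constructed from the records above; legacy-ns.example.net is a placeholder for an old server name.

```python
from typing import Dict, Optional
import re

# Added example, not DNSCurve project code. DNSCurve's base-32 alphabet;
# the encoding is little-endian, 5 bits per character, first character = low bits.
B32 = "0123456789bcdfghjklmnpqrstuvwxyz"
PREFIX = "uz5"
KEY_CHARS = 51  # 51 * 5 = 255 bits, enough for a 32-byte (256-bit) public key

def dnscurve_key(label: str) -> Optional[bytes]:
    """Return the 32-byte public key carried in a DNSCurve NS label, or None."""
    label = label.lower()  # DNS names are case-insensitive; compare in lowercase
    if len(label) != len(PREFIX) + KEY_CHARS or not label.startswith(PREFIX):
        return None
    n = 0
    for i, c in enumerate(label[len(PREFIX):]):
        v = B32.find(c)
        if v < 0:  # character outside the DNSCurve alphabet: not a key name
            return None
        n |= v << (5 * i)
    return n.to_bytes(32, "little")

def dnscurve_name(key: bytes) -> str:
    """Inverse of dnscurve_key: encode a 32-byte public key as a uz5... label."""
    assert len(key) == 32, "DNSCurve public keys are 32 bytes"
    n = int.from_bytes(key, "little")
    return PREFIX + "".join(B32[(n >> (5 * i)) & 31] for i in range(KEY_CHARS))

# owner [ttl] IN NS target   (BIND format, one record per line)
NS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+NS\s+(\S+)$", re.I)

def audit_ns(zone_text: str) -> Dict[str, Optional[bytes]]:
    """Map each NS target in a BIND-format zone fragment to its DNSCurve key (None = legacy)."""
    result: Dict[str, Optional[bytes]] = {}
    for line in zone_text.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            target = m.group(2).rstrip(".").lower()
            result[target] = dnscurve_key(target.split(".")[0])
    return result

# Constructed sample zone: the page's DNSCurve records plus one placeholder legacy NS.
SAMPLE_ZONE = """\
nytimes.com. IN NS uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com.
nytimes.com. IN NS legacy-ns.example.net.
uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com. IN A 199.239.137.201
"""
if __name__ == "__main__":
    for ns, key in audit_ns(SAMPLE_ZONE).items():
        print(ns, "DNSCurve key " + key.hex() if key else "legacy, no DNSCurve key")
```

Run it against your own zone file and the parent's delegation (the NS set the registrar publishes) to confirm both carry the forwarder's uz5 name before the old names are dropped.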