DNSCurve: Usable security for DNS


How to install a DNSCurve forwarder

This page explains how to add DNSCurve protection to outgoing DNS data published by your DNS server: an "authoritative DNS server" such as tinydns or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS. There is a separate page explaining the benefits of this protection.

You could upgrade your DNS server to a DNS server that supports DNSCurve. However, you can instead install a DNSCurve forwarder without changing your DNS server. A full-fledged DNSCurve forwarder named CurveDNS has been released by Harm van Tilborg with the support of Jeroen Scheerder and Lieuwe Jan Koning at ON2IT Security.

There are five main steps in setting up a DNSCurve forwarder:

  • Install the forwarder on a new IP address. If you install the forwarder on the same computer as your existing DNS server then you need to put it on a different IP address from the existing DNS server, since both listen on port 53.
  • Configure the forwarder to forward to your existing DNS server's IP address.
  • Add, in your DNS data, a special DNSCurve server name for the forwarder. The name is specific to this forwarder: it encodes the forwarder's public key and is automatically generated during installation of the forwarder.
  • Add the same DNSCurve server name in your parent DNS data (the delegation held by your registrar or parent zone).
  • After a week, once the old delegation has expired from caches, remove the old non-DNSCurve server names.

DNSCurve caches will now start encrypting and authenticating packets to your forwarder. Caches that don't speak DNSCurve keep sending plain DNS queries, which the forwarder passes through to your existing server. You don't need to change any other DNS data. You don't need to change your procedures for updating DNS data.

For example, let's say you're the nytimes.com DNS administrator, with an existing DNS server on its own IP address. Here is how you would add support for DNSCurve:

  • Install the DNSCurve forwarder on a new IP address.
  • Configure the DNSCurve forwarder to forward to your existing DNS server's IP address.
  • Add
    (in tinydns format) or
         nytimes.com. IN NS uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com.
         uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com. IN A
    (in BIND format). Here uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw is a special name generated by this DNSCurve forwarder.
  • Log in to the .com registrar and provide the same uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com information.
  • After a week, remove the old non-DNSCurve server name.
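Before removing the old server names, it is worth checking that the delegation actually carries a well-formed DNSCurve name and that your zone and the parent agree on it. The script below is an added example, not code from dnscurve.org or from CurveDNS. It parses the forwarder's server name into its 32-byte public key (the "uz5" magic followed by 51 base-32 characters; the alphabet and the little-endian bit order are taken from the DNSCurve implementation notes, not from this page) and compares the NS set in your zone with the NS set published by the parent. The NS lists, and the legacy name oldns.nytimes.com, are constructed sample data standing in for what you would fetch with dig.

```python
"""Sanity-check a DNSCurve forwarder deployment from the zone's NS records.

Added example (not from dnscurve.org or CurveDNS).  A DNSCurve cache keys
on the NS target's first label: "uz5" + 51 base-32 characters encoding the
forwarder's Curve25519 public key.  Base-32 alphabet and bit order follow
the DNSCurve implementation notes; sample NS data below is constructed.
"""

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base 32 (no a/e/i/o)
KEY_LABEL_LEN = 3 + 51  # "uz5" magic + 51 chars = 255 bits of a 32-byte key


def decode_key(text51: str) -> bytes:
    """Decode 51 DNSCurve base-32 characters into a 32-byte public key.

    Character i carries bits 5i..5i+4 of the key read as a little-endian
    integer, so the first character holds the low five bits of byte 0.
    Bit 255 is never encoded; Curve25519 public keys have it clear.
    """
    if len(text51) != 51:
        raise ValueError("DNSCurve key text must be exactly 51 characters")
    value = 0
    for i, ch in enumerate(text51):
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"character {ch!r} is not DNSCurve base 32")
        value |= digit << (5 * i)
    return value.to_bytes(32, "little")


def encode_key(key: bytes) -> str:
    """Inverse of decode_key: 32-byte key (top bit clear) -> 51 characters."""
    if len(key) != 32 or key[31] & 0x80:
        raise ValueError("expected a 32-byte key with the top bit clear")
    value = int.from_bytes(key, "little")
    return "".join(ALPHABET[(value >> (5 * i)) & 31] for i in range(51))


def dnscurve_key_from_ns(ns_target: str):
    """Return the forwarder's public key if ns_target is a DNSCurve server
    name (first label "uz5" + 51 base-32 characters), otherwise None.

    Names may come back from DNS in mixed case, so compare case-insensitively.
    """
    label = ns_target.rstrip(".").split(".")[0].lower()
    if len(label) != KEY_LABEL_LEN or not label.startswith("uz5"):
        return None
    try:
        return decode_key(label[3:])
    except ValueError:
        return None


def audit_delegation(child_ns, parent_ns):
    """Compare the NS set in your own zone with the one the parent publishes.

    Reports which targets are DNSCurve names, which are legacy names still
    to be removed after the migration week, and any mismatch between the
    two sets (the page requires the parent to carry the same DNSCurve name).
    """
    child = {n.rstrip(".").lower() for n in child_ns}
    parent = {n.rstrip(".").lower() for n in parent_ns}
    return {
        "dnscurve": sorted(n for n in child if dnscurve_key_from_ns(n)),
        "legacy": sorted(n for n in child if dnscurve_key_from_ns(n) is None),
        "missing_at_parent": sorted(child - parent),
        "stale_at_parent": sorted(parent - child),
    }


# Constructed sample: the DNSCurve name from the page plus a hypothetical
# legacy server name; the parent has not yet been updated.
FORWARDER_NS = "uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com."
LEGACY_NS = "oldns.nytimes.com."  # hypothetical, stands in for the old NS name


def example():
    """Audit the constructed delegation; parent still lacks the DNSCurve name."""
    return audit_delegation([FORWARDER_NS, LEGACY_NS], [LEGACY_NS])


if __name__ == "__main__":
    key = dnscurve_key_from_ns(FORWARDER_NS)
    print("forwarder public key:", key.hex())
    for k, v in example().items():
        print(f"{k}: {v}")
```

Run it against the real NS sets (the zone's own NS records and the parent's delegation, each pulled with dig) after step 4; the migration is complete when "missing_at_parent" and "stale_at_parent" are empty, and the week's wait before step 5 is over when "legacy" can be emptied without caches still depending on it.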


This is version 2010.12.24 of the out-install.html web page.