DNSCurve status


Nicolai

Jun 27, 2013, 2:28:16 PM
to boring...@googlegroups.com
Hello,

I'm wondering what the roadmap/plan is for DNSCurve. Since deploying it
on auth nameservers, I've noticed an increase over time in DNSCurve
queries. I've also been counting once per week the number of
DNSCurve-protected domains in the com/net/org/biz zone files, and note a
long-term increase far beyond the overall general increase in domains.

People are steadily and increasingly using DNSCurve despite almost no
advocacy or public discussion. I also note that DJB hasn't enabled it
on his recursive servers for cr.yp.to, which is surprising and strange.

So what's the plan?

Nicolai

D. J. Bernstein

Jun 30, 2013, 7:40:02 AM
to boring...@googlegroups.com
Nicolai writes:
> I'm wondering what the roadmap/plan is for DNSCurve.

Step 1: Convince people that metadata is private information and needs
to be encrypted by default. Oh, maybe this step is handled now. :-)

The three main deployment targets for DNSCurve are

* caches, preferably on user laptops/smartphones rather than ISPs;
* leaf servers; and
* higher-level servers---roots are best run on user machines, but
protecting .com is a more interesting challenge.

Obviously all of these can benefit from broader software support, and my
own emphasis at the moment is on simplifying this by improving the ease
of use of the underlying crypto tools.

The DNSCurve protocol per se is stable, but there's a lot to be said
about improving DNS: for example, I don't see why someone looking up
"rites.uic.edu" should send anything more than "edu" to the root name
servers. On the operational side, I'd like to see more administrative
tools with a clear separation between

* local configuration on a single administrator machine (whether
through command-line tools or a web interface) and

* replicating the configuration to all of the administrator's servers
(for example, with unison)

using the filesystem as the underlying database. For DNSCurve this would
normally mean generating a single key and replicating that key to all of
the administrator's DNS servers---preferably with a single name using
multiple IP addresses, although multiple names would also be useful for
compatibility with parents that require a single IP address per name.

> I also note that DJB hasn't enabled it
> on his recursive servers for cr.yp.to, which is surprising and strange.

Some of my caches use it, some don't; I manage something like 100
machines in my spare time (and a similar number of caches, with many
different services), so upgrades often take me a while, and I have a
strong preference for tools that are _really_ easy to use instead of
just close.

---Dan
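As an added example (not code from the thread, from djbdns, or from dnscurve.org), here is a small Python scanner of the kind Nicolai's weekly zone-file count implies, which also shows the "one key, many names/addresses" relationship Dan describes: DNSCurve publishes a server's Curve25519 public key inside its nameserver hostname as a label made of "uz5" plus 51 characters of DNSCurve's base32 alphabet (that format comes from the DNSCurve specification, not from this thread), and the bit packing below follows the reference implementation's little-endian 5-bit grouping. The zone lines and the key bytes are constructed for the example.

```python
import re
from typing import Dict, Optional, Set

# DNSCurve's base32 alphabet: the ten digits and 22 consonants, no vowels.
B32 = "0123456789bcdfghjklmnpqrstuvwxyz"
B32_INDEX = {c: i for i, c in enumerate(B32)}
# A DNSCurve nameserver label is "uz5" followed by 51 base32 characters (255 bits).
UZ5_LABEL = re.compile(r"^uz5([" + B32 + r"]{51})$")

def encode_key(key: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as a 54-character 'uz5...' label.
    Bits are packed little-endian, five per character; bit 255 must be zero."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    n = int.from_bytes(key, "little")
    if n >> 255:
        raise ValueError("top bit set: not a valid Curve25519 x-coordinate")
    return "uz5" + "".join(B32[(n >> (5 * i)) & 31] for i in range(51))

def decode_label(label: str) -> Optional[bytes]:
    """Return the 32-byte key if label is a well-formed uz5 label, else None."""
    m = UZ5_LABEL.match(label.lower())
    if not m:
        return None
    n = sum(B32_INDEX[c] << (5 * i) for i, c in enumerate(m.group(1)))
    return n.to_bytes(32, "little")

def dnscurve_domains(zone_text: str) -> Dict[str, Set[bytes]]:
    """Map each delegated name to the set of DNSCurve keys in its NS targets.
    Only NS records whose target's first label is a valid uz5 label count,
    so a server reachable under several names still yields one key."""
    found: Dict[str, Set[bytes]] = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()          # drop comments
        # owner [TTL] [IN] NS target: accept the common zone-file layouts
        if len(fields) < 3 or "NS" not in (f.upper() for f in fields[1:-1]):
            continue
        owner, target = fields[0].rstrip(".").lower(), fields[-1].rstrip(".")
        key = decode_label(target.split(".")[0])
        if key is not None:
            found.setdefault(owner, set()).add(key)
    return found

# Constructed sample data (not real keys or delegations).
KEY_A = bytes(range(32))                     # top bit of the last byte is clear
SAMPLE_ZONE = f"""
example.   86400 IN NS {encode_key(KEY_A)}.ns.example.   ; DNSCurve-enabled
example.   86400 IN NS uz5abcdef.ns.example.            ; too short, ignored
plain.     86400 IN NS ns1.plain.
plain.     86400 IN NS ns2.plain.
"""
```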

vina...@gmail.com

Mar 15, 2014, 4:09:08 AM
to boring...@googlegroups.com, d...@cr.yp.to
On Sunday, June 30, 2013 5:10:02 PM UTC+5:30, D. J. Bernstein wrote:
> The three main deployment targets for DNSCurve are
>
> * caches, preferably on user laptops/smartphones rather than ISPs;

Is there a dnscurve and/or dnssec aware secure resolver/cache available that I can run on my macbook?

>
> The DNSCurve protocol per se is stable, but there's a lot to be said

The http://dnscurve.org/in-install.html page seems to be woefully out of date. Has the real status changed and is it simply not updated there?

> Some of my caches use it, some don't; I manage something like 100
> machines in my spare time (and a similar number of caches, with many
> different services), so upgrades often take me a while, and I have a
> strong preference for tools that are _really_ easy to use instead of
> just close.

I too prefer tools that are really easy to use. If installing a secure local resolver/cache were as simple as installing a browser like Chrome or Firefox, surely more people would use it?

Thanks,
Vinay

Nicolai

Mar 15, 2014, 2:42:45 PM
to boring...@googlegroups.com
On Sat, Mar 15, 2014 at 01:09:08AM -0700, vina...@gmail.com wrote:
> On Sunday, June 30, 2013 5:10:02 PM UTC+5:30, D. J. Bernstein wrote:
> > The three main deployment targets for DNSCurve are
> >
> > * caches, preferably on user laptops/smartphones rather than ISPs;
>
> Is there a dnscurve and/or dnssec aware secure resolver/cache available
> that I can run on my macbook?

Yes, I'm running dnscache with Matthew Dempsky's DNSCurve patch, on both
OpenBSD and Linux:

http://shinobi.dempsky.org/~matthew/patches/djbdns-dnscurve-20090602.patch

Works like a charm!

Nicolai