Frank DENIS random thoughts.

An actual solution to the current weakness of the DNS protocol

Finally!

Dan J. Bernstein just published DNSCurve, a new link-level DNS security protocol that takes advantage of state-of-the-art cryptography.

In reply to Tobian Reckhard, who had raised the performance problems of using RSA- and Diffie-Hellman-secured connections to secure DNS, DJB answered:

“On the other hand, those precomputed signatures have to be separately verified by each recipient. State-of-the-art protocols to encrypt and authenticate packets take more work for the first packet but allow very low-cost handling of subsequent packets between the same parties.

More importantly, the work for the first packet has been dramatically reduced in recent years. High-security 255-bit elliptic curves, billions of times more difficult to break than 1024-bit RSA by current attacks, can handle 1000 new communication partners in just 40 milliseconds on a Core 2 Quad with state-of-the-art software.

http://dnscurve.org describes a new link-level DNS security protocol that takes advantage of these advances in cryptographic speed. The protocol provides integrity (recognizing and discarding forged packets) and some confidentiality, while drastically simplifying implementation and administration compared to DNSSEC.”

Does it still sound obscure? Then have a look at the PDF presentation about DNSCurve (check the part about BIND and DNSSEC, very funny).

Actual solutions instead of marketing crap, that’s why I love you, Dan!