[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#655220: ITP: curvedns -- Forwarding implementation of the DNSCurve protocol

Package: wnpp
Severity: wishlist
Owner: Sergiusz Pawlowicz <debian@pawlowicz.name>

* Package name    : curvedns
  Version         : 0.87
  Upstream Author : CurveDNS developers <curvedns@on2it.net>
* URL             : http://curvedns.on2it.net/
* License         : CurveDNS (retain COPYRIGHT file, public domain)
  Programming Lang: C, C++
  Description     : Forwarding implementation of the DNSCurve protocol

CurveDNS is the first publicly released forwarding implementation that
implements the DNSCurve protocol[0].

DNSCurve uses high-speed high-security elliptic-curve cryptography to
drastically improve every dimension of DNS security:

 *   Confidentiality: DNS requests and responses today are completely
unencrypted and are broadcast to any attacker who cares to look.
DNSCurve encrypts all DNS packets.
 *   Integrity: DNS today uses "UDP source-port randomization" and "TXID
randomization" to create some speed bumps for blind attackers, but
patient attackers and sniffing attackers can easily forge DNS records.
DNSCurve cryptographically authenticates all DNS responses, eliminating
forged DNS packets.
 *   Availability: DNS today has no protection against denial of service.
A sniffing attacker can disable all of your DNS lookups by sending just
a few forged packets per second. DNSCurve very quickly recognizes and
discards forged packets, so attackers have much more trouble preventing
DNS data from getting through. Protection is also needed for SMTP, HTTP,
HTTPS, etc., but protecting DNS is the first step. 

What is so special about this implementation is the fact that any
authoritative DNS name server can act as a DNSCurve capable one, without
changing anything on your current DNS environment. The only thing a DNS
data manager (that is probably you) has to do is to install CurveDNS on
a machine, generate a keypair, and update NS type records that were
pointing towards your authoritative name server and let them point to
this machine running CurveDNS. Indeed, it is that easy to become fully
protected against almost any of the currently known DNS flaws, such as
active and passive cache poisoning.

CurveDNS supports:

 *   Forwarding of regular (non-protected) DNS packets;
 *   Unboxing of DNSCurve queries and forwarding the regular DNS packets
 *   Boxing of regular DNS responses to DNSCurve responses;
 *   Both DNSCurve’s streamlined- and TXT-format;
 *   Caching of shared secrets;
 *   Both UDP and TCP;
 *   Both IPv4 and IPv6.

[0] http://www.dnscurve.org/

Reply to: