[dns-operations] OpenDNS adopts DNSCurve

George Barwood george.barwood at blueyonder.co.uk
Wed Feb 24 18:29:23 UTC 2010

----- Original Message ----- 
From: "Joe Abley" <jabley at hopcount.ca>
To: "Rodney Joffe" <rjoffe at centergate.com>
Cc: <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, February 24, 2010 5:48 PM
Subject: Re: [dns-operations] OpenDNS adopts DNSCurve

> On 2010-02-24, at 12:14, Rodney Joffe wrote:
>> On Feb 24, 2010, at 8:19 AM, Andrew Sullivan wrote:
>>> On Tue, Feb 23, 2010 at 03:47:38PM -0800, Matthew Dempsky wrote:
>>>> Sure, dnscurve.org already documents the whole protocol, and I went
>>>> ahead and reformatted it in Internet-Draft format[1] at the request of
>>>> DNSEXT folk, but it garnered minimal feedback.  The draft is set to
>>> Is that a request to consider it a candidate WG submission?
>> I'd support this...
> Me too. The information at dnscurve.org is fragmented, informal and difficult to digest, and a well-written and well-reviewed single document that just concerns itself with DNSCurve and not DNSSEC would be a big improvement.

DNSCurve addresses some of the DNS transport issues, but not all.

Specifically, it is vulnerable to blind spoofing attacks on large responses, and it allows amplification attacks.

There are some other technical objections.

I have worked on a new protocol (QRP) which incorporates DNSCurve cryptology as an option,
and which aims to solve all the various DNS transport problems, especially denial of service attacks,
and proper handling of large responses. It is UDP based, but uses a different port.

The draft is at


and there is an introduction at


I judge that the DNSEXT WG is not quite ready to work on this yet, but if there is evidence of support,
I would ask for it to be adopted as a DNSEXT WG document.

George Barwood
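The amplification concern raised in the message above (a small UDP query eliciting a much larger UDP response) is something a resolver or authoritative operator can watch for in their own query logs. The following is an added example, not code from the thread, from DNSCurve or from the QRP draft: it reads constructed query-log lines in a hypothetical key=value format (the field names qlen and rlen are assumptions of this example) and reports, per source address, how many response bytes were sent per request byte, flagging sources whose ratio exceeds a threshold.

```python
"""Per-source amplification ratio check over DNS query-log lines.

Added example. The log format below is constructed for illustration and is
not the format of any particular DNS server; the qlen/rlen fields (request
and response size in bytes) are assumptions of this example.
"""
from collections import defaultdict

# Constructed sample log: one hypothetical source repeatedly issues a small
# query that draws a large response; the other issues ordinary lookups.
SAMPLE_LOG = """\
2010-02-24T18:29:23Z proto=udp src=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3200
2010-02-24T18:29:24Z proto=udp src=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3200
2010-02-24T18:29:25Z proto=udp src=203.0.113.9 qname=www.example.org qtype=A qlen=45 rlen=61
2010-02-24T18:29:26Z proto=udp src=198.51.100.7 qname=example.net qtype=ANY qlen=40 rlen=3200
2010-02-24T18:29:27Z proto=udp src=203.0.113.9 qname=mail.example.org qtype=MX qlen=47 rlen=120
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    parts = line.split()
    record = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    record["qlen"] = int(record["qlen"])
    record["rlen"] = int(record["rlen"])
    return record


def amplification_by_source(log_text):
    """Return {src: {'qbytes', 'rbytes', 'ratio'}} over UDP traffic only.

    Only UDP is counted: a TCP exchange requires a completed handshake, so it
    cannot be used to reflect traffic at a spoofed source address.
    """
    totals = defaultdict(lambda: {"qbytes": 0, "rbytes": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("proto") != "udp":
            continue
        totals[rec["src"]]["qbytes"] += rec["qlen"]
        totals[rec["src"]]["rbytes"] += rec["rlen"]
    for stats in totals.values():
        stats["ratio"] = stats["rbytes"] / stats["qbytes"] if stats["qbytes"] else 0.0
    return dict(totals)


def flag_amplifiers(log_text, threshold=10.0):
    """Sources whose response-bytes / request-bytes ratio exceeds the threshold."""
    stats = amplification_by_source(log_text)
    return sorted(src for src, s in stats.items() if s["ratio"] > threshold)


if __name__ == "__main__":
    for src, s in amplification_by_source(SAMPLE_LOG).items():
        print(f"{src}: {s['qbytes']} B in, {s['rbytes']} B out, ratio {s['ratio']:.1f}")
    print("flagged:", flag_amplifiers(SAMPLE_LOG))
```

The threshold of 10 is an arbitrary starting point; the useful number depends on the zones served and on typical response sizes. Flagged sources are candidates for response rate limiting or for forcing the exchange onto TCP, which is where the message's point about proper handling of large responses comes in.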
