DNSCurve: an alternative to DNSSEC
The Domain Name System (DNS) has been with us for a long time, turning host and domain names into IP addresses. Along the way, numerous flaws have been found in the protocol, including last year's Kaminsky DNS flaw, which just added to the clamor to see DNS replaced. But, DNS still hasn't gone away, and doesn't look like it will anytime soon, at least partially because its replacement, DNSSEC, doesn't really resolve all of the problems, and it creates some of its own. A proposal by Daniel J. Bernstein (aka djb), called DNSCurve, has some interesting features that might make it a viable alternative to DNS and DNSSEC—perhaps one that can be widely adopted.
Bernstein, author of qmail and djbdns, has a reputation for creating secure software, but he tends to play by his own rules. Both qmail and djbdns use Bernstein's own monitoring and inetd replacement, rather than using the "standard" UNIX tools. But, his results are good, the security guarantee he offers for qmail (and a similar one for djbdns) have yet to be claimed—though some argue that is because Bernstein himself makes the final decisions as to what qualifies. One thing is clear, though, his djbdns did anticipate the Kaminsky flaw, and didn't need to be patched when most of the other DNS servers did.
In some ways, DNSCurve continues the Bernstein "maverick" trend. The fundamental difference between DNSCurve and DNSSEC is that the latter set out to ensure that there would be no cryptography necessary on each query. It does that by pre-computing signatures, which makes it vulnerable to replay attacks. Instead, DNSCurve embraces per-query encryption, but it does so by leveraging an encryption algorithm, called Elliptic Curve Cryptography (ECC), which is much faster than RSA.
Part of what makes ECC more efficient is that it can use much smaller
keys than RSA (256 bits vs. 1024 or more bits) to give the equivalent level
of security. In addition, the best known attacks on ECC haven't gotten any
better in the nearly 25 years since it was introduced. In a recent presentation [PDF],
Bernstein shows a benchmark of server side performance: "Using this
software, a low-cost PC with a 2.4GHz Core 2 Quad CPU can encrypt and
authenticate 50 billion packets/day to 500 million clients. [...] The
total load on .com is 38 billion packets/day from 5 million
clients.
".
Bernstein uses a particular curve, Curve25519, for DNSCurve. It is based on a "convenient" prime, 2^255 - 19, which is where it gets its name. That curve is the subject of a paper [PDF] by Bernstein entitled "Curve25519: new Diffie-Hellman speed records". ECC is thought to be a patent minefield, but Bernstein disputes the idea that Curve25519 is covered by patents. As with so many of the newest technologies, though, patent problems are something to keep on eye on regarding DNSCurve.
DNSCurve also changes the way nameservers for domains are named. Instead of arbitrary hostnames, like ns3.lwn.net (an non-existent example), the ns3 portion would be changed to an encoding of the domain's public key. In that way, no additional packets need to be sent to handle the key exchange, as the normal DNS query sequence would provide that name.
A DNS query would consist of a message that contained the client's public key, along with the actual query, encrypted using the server's public key. The response would also be encrypted, this time using the client's public key. In both cases, the packets would be signed in such a way that each side could verify that the packet came from the right host.
The DNSCurve web site has a wealth of information about DNSCurve, and how it differs from DNSSEC. For the most part, it protects against various DNS-based attacks better than DNSSEC, but there are a few areas where DNSSEC is more secure. In particular, private keys on DNSSEC hosts cannot be compromised by an attacker gaining control of the DNS server—provided the administrator has removed the key from that server. Because DNSSEC pre-computes the encrypted data, the private key is not required to be installed on the server, in contrast to DNSCurve.
DNSCurve is just a part of Bernstein's effort to see the internet encrypt all of its traffic. His vision is that by using ECC and Curve25519 (or some other, efficient, but strong, encryption), there would be no plaintext traffic on the net. That vision is a sensible one, whether Bernstein's particular implementation ideas are adopted or not. Eventually, universal encryption of internet traffic is something we are very likely to see.
| Index entries for this article | |
|---|---|
| Security | Domain Name System (DNS) |
Posted Jul 9, 2009 5:45 UTC (Thu)
by dlang (guest, #313)
[Link] (6 responses)
those who remember the RSA patents expiring will remember that there was a lot of use of the algorithms prior to the expiration, so when the magic day finally hit the software was well tested and ready for widespread use. it will take a while for people to get comfortable with the idea of doing that much encryption, so I expect that patents shouldn't be that bad a problem.
at least this time djb is advocating a protocol specification rather than just a specific implementation. that should avoid a lot of the problems that people (including me) have had with his stuff in the past
as for the idea of DNSSEC being safer due to the encryption keys being on another box, people who are interested in doing that sort of thing right will buy hardware encryption accelerators that isolate the key from the system, and almost everyone else will have their keys on the servers so that they can update things easily. so I don't see it as a very singnificant difference in risk.
Posted Jul 9, 2009 10:57 UTC (Thu)
by nix (subscriber, #2304)
[Link] (3 responses)
Posted Jul 9, 2009 13:22 UTC (Thu)
by droundy (subscriber, #4559)
[Link] (2 responses)
Posted Jul 9, 2009 13:59 UTC (Thu)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Jul 10, 2009 9:27 UTC (Fri)
by incase (guest, #37115)
[Link]
Posted Jul 10, 2009 20:38 UTC (Fri)
by smoogen (subscriber, #97)
[Link]
And the one issue is that while many developers will say "oh we aren't in the US so we do not have to worry..." they forget about reciprocal treaties their nation may have signed with the US which basically covers their works anyway :(.
Posted Jun 12, 2017 11:49 UTC (Mon)
by Jchassy (guest, #116687)
[Link]
Posted Jul 9, 2009 8:15 UTC (Thu)
by Tobu (subscriber, #24111)
[Link] (2 responses)
A few criticisms of DNSCurve from Stéphane Bortzmeyer's blog:
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
Bad enough though...
Patents and the brokeness of them
DOmain API hack
DNSCurve: an alternative to DNSSEC
Posted Jul 13, 2009 12:48 UTC (Mon)
by alankila (guest, #47141)
[Link] (1 responses)
Posted Jul 13, 2009 15:00 UTC (Mon)
by foom (subscriber, #14868)
[Link]
Posted Jul 9, 2009 8:57 UTC (Thu)
by pkern (subscriber, #32883)
[Link] (2 responses)
Posted Jul 9, 2009 14:30 UTC (Thu)
by charlieb (guest, #23340)
[Link] (1 responses)
Posted Jul 19, 2009 7:10 UTC (Sun)
by eupator (guest, #44581)
[Link]
Never mind that qmail didn't set such a resource limit (and still doesn't), requirement to do so by hand was not documented (and still isn't), and no one generally does so, as you can verify by running 'ulimit -v'.
Posted Jul 9, 2009 13:27 UTC (Thu)
by job (guest, #670)
[Link] (4 responses)
DNSCurve is interesting, and there is no doubt it is better designed than many of the alternatives. But I believe it is ten years too late to change DNSSEC. At least two country level TLDs are already fully rolled out, and many more (including .org) is in a testing stage. Here in .se, many of the large ISP's resolvers validate signatures and there is a small but growing customer pressure to support "safe names on the net" toward the rest.
Halting this train when it works in practice would be difficult. The important thing is that we get signatures in DNS, and that we get it soon.
Posted Jul 9, 2009 14:00 UTC (Thu)
by jake (editor, #205)
[Link] (3 responses)
Hmm, if you are only talking about free software DNS servers, then maybe.
jake
Posted Jul 17, 2009 22:50 UTC (Fri)
by job (guest, #670)
[Link] (2 responses)
Posted Jul 28, 2009 7:08 UTC (Tue)
by Duncan (guest, #6647)
[Link] (1 responses)
So yeah, including all the little shareware etc DNS implementations, plus
So a very large share of the Internet using public was affected at some
This is why it was such a big deal. They say it's a big deal when you
Posted Aug 4, 2009 10:38 UTC (Tue)
by job (guest, #670)
[Link]
DNS is a system where flaws, like caching logic, easily can affect different implementations so it's important if the problem is with BIND or the DNS protocol. The BIND monoculture is a bit troublesome too, but that's another issue (I've used both TinyDNS and NSD in production but they all have issues of their own).
Posted Jul 9, 2009 15:00 UTC (Thu)
by elanthis (guest, #6227)
[Link] (1 responses)
Popularity is damn important with cryptography. 100 peers are more valuable than 10 peers reviewing a technique because it increases the chances of getting a peer who gets the rare stroke of luck/genius to find the hole.
Posted Jul 9, 2009 15:42 UTC (Thu)
by djao (guest, #4263)
[Link]
I have no evidence, but my informed opinion is that more people are working on ECC than RSA these days. Even though RSA has been around longer, the unexplored territory for ECC is larger, and researchers tend to concentrate on unexplored areas.
To give one example, the best known attack on ECC can be implemented in about 20 kilobytes of code, whereas the best known attack on RSA requires about 3 megabytes for a typical implementation. (You might complain that it's unfair to compare a high level language to a low level language, but the language difference is actually part of my comparison -- the NFS attack on RSA does not benefit from high-level abstraction, whereas the Pollard rho attack on ECC does.) Putting yourself into a researcher's shoes for a moment, if you had to pick an area for research, knowing that it takes one day to learn how to attack ECC and three months to learn how to attack RSA, and keeping in mind the publish or perish environment of research, which would you choose? In my view it is not really true that making progress on ECC is any harder or more inaccessible than making progress on RSA, and indeed the contrary seems to hold.
Regarding your comment that "RSA is used for practically everything" and that "popularity is damn important", it is true on PC platforms that RSA is much more popular. The situation changes completely, however, when you consider mobile phone platforms, which are computationally constrained and in many cases require ECC. RIM recently bought Certicom (an ECC company), and prior to that had been licensing Certicom technology for many years. Microsoft's smartphones use ECC exclusively as well. I might also point out that the number of mobile phones in the world far exceeds the number of PCs. Again, I have no hard numbers, but I would not be surprised if ECC deployments outnumbered RSA once mobile phones are included.
Posted Jul 12, 2009 9:26 UTC (Sun)
by rahulsundaram (subscriber, #21946)
[Link]
http://fedoraproject.org/wiki/Features/DNSSEC
It would be interesting to see how this plays out in the future
Posted Jul 15, 2009 0:57 UTC (Wed)
by marka (guest, #59568)
[Link] (2 responses)
Posted Jul 15, 2009 1:05 UTC (Wed)
by dlang (guest, #313)
[Link] (1 responses)
also, just because neither one is a complete superset of the other doesn't mean that it isn't a case of either/or
I don't think that I've heard anyone advocating using both.
Posted Jul 16, 2009 8:47 UTC (Thu)
by forthy (guest, #1525)
[Link]
I don't know what the original poster does want to explain, but here's
my take: DNSCurve protects the communication with the authoritive DNS server.
I.e. if you do a fully recursive query, you get an authoritive and
protected answer. However, that is not how DNS is supposed to work. DNS is
usually implemented as distributed cache - you ask your lokal DNS cache,
which forwards unknown queries to the provider's cache, which in turn does
recursive queries when necessary. This model takes a lot of load from the
root servers, though breaking the provider's cache with censorship and
other net-nanny-like government regulation will cause more people to
implement their own recursive querying DNS server. If everybody does,
because DNSCurve requires that, .com would not have 5 million clients per
day, but 500 million clients. And an awful lot more queries. This distributed cache is the model DNSSEC supports - by presigning the
records. DNS records have a TTL, so "replay attacks" aren't attacks,
anyway (they are part of the design of the whole DNS system!). You have to
wait for the TTL to expire before you can be sure that record changes have
propagated. Completely unrelated is that ECC is a better asymmetric encryption
system than RSA; but as usual, "just good enough" plus network effects is
what wins.
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
Actually the qmail security guarantee was claimed in the meantime.
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
> overstatement, it was mostly (only?) BIND and its derivatives that did.
But there was the whole "coordinated vendor response" that patched numerous
vendor DNS implementations on the same day. Apple, Microsoft, Cisco, et al.
all patched their (presumably not all BIND-derived) DNS servers.
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
/is/ the reference implementation. As such, a reasonably large segment of
the DNS server base is BIND based, and by percentage, it's even higher,
due to (as mentioned) MS, Apple, Cisco, probably other router/network
vendors such as Juniper, etc, all shipping reference implementation (aka
BIND) based code.
DJB's implementation, it's possible that the majority of implementations
numerically weren't affected (tho I'd doubt even that), but certainly, by
share, an overwhelming majority of users /were/ affected. And that's not
even counting all the stub resolvers, tho the exposure there was
effectively per-instance rather than per X-thousands. GLIBC, etc, all
that was affected, a good deal of the caching servers were affected, the
Linux based routers, most or all of them (including the non-glibc ones,
AFAIK) were affected, MS was affected there too, etc. So even those folks
depending on unaffected full resolvers were often at risk due to the stub
resolvers.
level, either from their full DNS server or at the stub-resolver (possibly
at multiple levels there too) level, with a good many affected at multiple
levels, initially.
actually know someone affected, but this was far larger than that, since
/most/ of the people /everyone/ knew, were affected at at least one level,
many at multiple levels. The SDC and WHO are predicting something like
30-40% swine flu coverage within two years if the vaccines don't stop it.
Luckily it's not fatal for most, just seriously uncomfortable for awhile,
and fatal for a few. (Some have theorized that's one of the reasons it's
pandemic, people aren't actually dying, and are apparently still
contagious a week after they're feeling better, thus allowing it to spread
much more efficiently while bumping down the urgency of guarding against
it.) That makes it a reasonable analogy for the Kaminsky DNS issue, but
bump those rates to 80-90% exposure, possibly more (I actually saw a
figure of 97% somewhere, again, considering all levels, so 80-90% may be
conservative), and that's what they were looking at. That's not just big,
it's apocalyptic in scale, so big that even a single percent kill rate is
a very large number of people!
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
Disclaimer: I am a researcher working on ECC.
DNSCurve: an alternative to DNSSEC
Fedora 11 uses DNSSEC by default
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC
DNSCurve: an alternative to DNSSEC