dnscurve and DNS hardening, was Re: Dan Kaminsky
naveen at calpop.com
Wed Aug 5 23:45:34 CDT 2009
Thanks for the cogent comparison between the two security systems.
> DNSCurve requires more CPU power on nameservers (for the more
> extensive crypto); DNSSEC requires more memory (for the additional
> DNSSEC payload).
This is only true for the initial (Elliptic Curve) Diffie-Hellman
exchange. A long-term secret key is computed, but I assume the lifetime
is dependent on configuration or implementation.
It seems DJB is not only advocating his elliptic curve crypto system,
but also his own home-rolled symmetric crypto Salsa20, which is meant to
be computationally cheaper than AES in conjunction w/ poly1035whatever.
I'll assume the cipher used for the lasting secret keys is interchangeable.
So after initial communication between two servers that can speak DNSCurve,
future communication should be computationally cheaper by using long-term