|
DNSCurve is a proposed new secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. ==Description== DNSCurve uses Curve25519〔(【引用サイトリンク】url=http://cr.yp.to/ecdh.html )〕 Elliptic curve cryptography to establish keys used by Salsa20, paired with the MAC function Poly1305, to encrypt and authenticate DNS packets between resolvers and authoritative servers. Public keys for remote authoritative servers are placed in NS records, so recursive resolvers know whether the server supports DNSCurve. Keys begin with the magic string uz5 and are followed by a 51-byte Base32 encoding of the server's 255-bit public key. E.g., in BIND format:example.com. IN NS uz5bcx1nh80x1r17q653jf3guywz7cmyh5jv0qjz0unm56lq7rpj8l.example.com. The resolver then sends to the server a packet containing its DNSCurve public key, a 96-bit nonce, and a cryptographic box containing the query. The cryptographic box is created using the resolver's private key, the server's public key, and the nonce. The response from the server contains a different 96-bit nonce and its own cryptographic box containing the answer to the query. The cryptographic tools used in DNSCurve are the same used in CurveCP, a UDP-based protocol which is similar to TCP but uses elliptic-curve cryptography to encrypt and authenticate data. An analogy is that while DNSSEC is like signing a webpage with PGP, CurveCP and DNSCurve are like encrypting and authenticating the channel using SSL. Just as PGP-signed webpages can be sent over an encrypted channel using SSL, DNSSEC data can be protected using DNSCurve. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「DNSCurve」の詳細全文を読む スポンサード リンク
|