Maintained by: NLnet Labs

[Unbound-users] unbound 1.4.6 released

Kevin Chadwick
Sun Feb 13 16:06:36 CET 2011

On Wed, 4 Aug 2010 11:47:15 +0100
Kevin Chadwick wrote:

> On Wed, 4 Aug 2010 11:23:48 +0200
> "Marco Davids (SIDN)" wrote:
> > Hi Wouter,
> > 
> > On 08/03/10 16:59, W.C.A. Wijngaards wrote:
> > 
> > >> Is it possible to add dnscurve support to the todo list?
> > 
> > > It is currently at the IETF and if that standardization (and fix)
> > > process is done, then we can consider adding it.
> > 
> > > The IETF process can take some time and make changes to the
> > > spec, therefore the decision is better made at a later date.
> > 
> > That argument, even though it makes sense, seems somewhat inconsistent
> > with an earlier decision to implement draft-vixie-dnsext-dns0x20-00 in
> > Unbound. I liked playing with the 0x20 feature though, so at least I for
> > one was happy that you implemented it as an option. I suppose I
> > could be equally happy with fiddling around with DNSCurve a bit. A
> > '--with-dnscurve' configure option would work just fine for me (and will
> > keep things lean and mean for others). So as far as I am concerned, the
> > 'IETF standardization' argument doesn't necessarily have to be a
> > showstopper here.
> I'm obviously a supporter of DNSCurve, but I do see that if it gets
> very little adoption (OpenDNS seems to be the only major one at present) then
> adding it may be a waste of developers' time, though I'm under the
> impression that it's meant to be easy to implement, and I'm hoping
> Unbound may be able to kick others into action. It would also be the
> only and first one supporting DNSSEC and DNSCurve as far as I am aware,
> thereby acquiring other users like me and/or press coverage.

Hi all,

For those who are interested:

DJB gave a talk at the 27c3 'Hacker congress' (on December 28th, 2010) titled

"High-speed high-security cryptography encrypting and authenticating
the whole internet"

In essence, Dan

- criticises DNSSEC from first principles ('CIA'), explaining possible
  amplification attacks and addressing the problem of static signing,

- briefly introduces DNSSEC with ECC and NYM-deployed public keys,

- outlines CurveCP, a new protocol using UDP services while encrypting
  the payload (asymmetrically) by means of ECC. This could be used for
  general HTTP traffic (instead of using standard TCP).


What is interesting, challenging, and extraordinary is the approach -
unlike TLS - of directly encrypting data with ECC rather than first
negotiating a shared secret for (later) symmetric en/decryption. Dan
tries to convince the public that asymmetric cryptography by ECC is not
a heavy burden on today's CPUs.


His talk:

His live presentation:


Interestingly enough, apart from Dan's approach, Google also tries to tie
down the latency introduced by TLS (for instant HTTP traffic):


Thus, given current hardware capabilities, it is not the CPU load that is
problematic for encryption, but rather the (slow) current approach of
first setting up a security context/session and negotiating a cipher.



PS: Sorry if you receive this mail twice. It is worth it!

Dr. Erwin Hoffmann | FEHCom |
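The point made in the message above (encrypted, authenticated payload in the very first datagram, with no session set-up or cipher negotiation round trip before it) as an added, stand-alone example that is not part of the original post and is not code from DJB, CurveCP or Unbound. It assumes the sender already knows the recipient's long-term Curve25519 public key (in DNSCurve that key is encoded in the nameserver's name; here it is simply handed over), implements X25519 from RFC 7748 in pure Python, and uses an HMAC-SHA256 stream cipher and MAC as a stand-in for crypto_box's XSalsa20/Poly1305, which the Python standard library does not provide. The names client_first_datagram, server_receive and packet_key are this example's own; the sample payload is constructed.

```python
# Added example (not from the post, DJB, CurveCP or Unbound): a CurveCP-style
# first datagram.  One X25519 operation between a fresh ephemeral key and the
# recipient's published long-term key yields the packet key, so the first
# datagram already carries authenticated, encrypted payload.  Assumptions:
# X25519 per RFC 7748; HMAC-SHA256 stream+MAC standing in for XSalsa20/Poly1305.
# Illustration only, not constant-time, not for production.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: clamp(scalar) * point on Curve25519."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (a real implementation does this in constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da = (x3 - z3) * a % P
        cb = (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(secret: bytes = None):
    secret = secret or os.urandom(32)
    return secret, x25519(secret, BASEPOINT)


def packet_key(shared: bytes, eph_pub: bytes, recv_pub: bytes) -> bytes:
    # Stand-in for crypto_box's HSalsa20 key derivation (assumption).
    return hashlib.sha256(b"curvecp-demo" + shared + eph_pub + recv_pub).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream; stand-in for XSalsa20.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "little"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    ct = bytes(m ^ s for m, s in zip(msg, _stream(key, nonce, len(msg))))
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct


def open_box(key: bytes, nonce: bytes, boxed: bytes):
    tag, ct = boxed[:32], boxed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None  # forged or corrupted: discard, nothing else is revealed
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def client_first_datagram(server_pub: bytes, payload: bytes) -> bytes:
    """ephemeral pubkey (32) || nonce (24) || tag (32) || ciphertext."""
    eph_sec, eph_pub = keypair()
    key = packet_key(x25519(eph_sec, server_pub), eph_pub, server_pub)
    nonce = os.urandom(24)
    return eph_pub + nonce + seal(key, nonce, payload)


def server_receive(server_sec: bytes, server_pub: bytes, datagram: bytes):
    """Decrypt with no prior per-client state: the datagram is self-describing."""
    eph_pub, nonce, boxed = datagram[:32], datagram[32:56], datagram[56:]
    key = packet_key(x25519(server_sec, eph_pub), eph_pub, server_pub)
    return open_box(key, nonce, boxed)


def demo():
    # Constructed sample: the server's public key is known to the client in
    # advance (DNSCurve publishes it in the nameserver's name).
    server_sec, server_pub = keypair()
    dgram = client_first_datagram(server_pub, b"GET /index.html HTTP/1.0")
    good = server_receive(server_sec, server_pub, dgram)
    flipped = dgram[:-1] + bytes([dgram[-1] ^ 0x01])  # tamper with one byte
    return good, server_receive(server_sec, server_pub, flipped)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the decrypted request and None for the tampered copy. The contrast with a TLS-style handshake is in the message flow: the server keeps no per-client state before the first datagram and performs exactly one scalar multiplication to recover the packet key, and the client's first datagram is also its first payload.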