CurveDNS for Debian
-------------------

You might want to change the default CurveDNS environment variables in
the /etc/default/curvedns file.

Debian's version of curvedns is not linked against NaCl but uses Sodium.
Sodium is an API-compatible fork of NaCl available as a shared library.

NOTE: You can use `dpkg-reconfigure curvedns` to perform a key rollover.
It will generate a new key only if the file /etc/curvedns/PRIVKEY does not
exist, otherwise it will do nothing.

About CurveDNS
--------------

With CurveDNS you are able to transform any authoritative name server into
a DNSCurve capable one. This is done by acting as a kind of proxy, listening
for DNS or DNSCurve queries and forwarding the non-protected variants towards
the real (existing) name server. The responses are then sent back to the
client either protected (if the query was in DNSCurve) or not.

Publishing keys
---------------

Publishing keys is really easy with DNSCurve: the only thing you have to do
is notify an upper zone data manager (probably a registry) that you have a
new NS record for your zone. If your name server was named ns1.example.org
before, its DNSCurve enabled name would (for example) be:

  uz5svv9j6p8j05ms321fjtdms06tw23uv5ck1n2650847c8t29up49.ns1.example.org

Use your DNS public key saved in /etc/curvedns/README
("Your Public key".ns1.example.org). If you send this name to the upper
zone data manager, it automatically encapsulates your 255-bit public
DNSCurve elliptic curve key, making the world aware that your name server
is DNSCurve capable.

Are DNSCurve keys domain based?
-------------------------------

No, they are not. In fact, keys used in DNSCurve are server based, meaning
that all domains hosted at the same authoritative name server should have
the same DNSCurve public key prefix (i.e. uz5...). An example will clarify
this. Assume you own both example.com and example.org and you host -- to
simplify the story a bit -- both domains on one authoritative name server:
ns.example.net.
The name servers of both domains will therefore change to (for example):
uz52gs53blkwtykrqpvh4mzf8jqjs278yfd956bgudck6bq5pl9hz2.ns.example.net.

 -- Neveu Stephane  Thu, 27 Jun 2017 08:45:03 +0200
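As an added example (not part of the Debian package or of CurveDNS itself), the following Python decodes the DNSCurve label of an NS name back into the 32-byte public key and re-encodes it, so you can check that the name you hand to the registry really carries the key shown in /etc/curvedns/README. The base-32 alphabet and little-endian bit order come from the DNSCurve specification rather than this README; the NS names used as input are the README's own example names, treated here as constructed samples.

```python
# DNSCurve base-32 alphabet: 32 digits, 5 bits each, packed little-endian.
DNSCURVE_B32 = "0123456789bcdfghjklmnpqrstuvwxyz"
KEY_LEN = 32          # Curve25519 public key; only 255 bits are significant
MAGIC = "uz5"         # fixed prefix marking a DNSCurve-capable name server
LABEL_LEN = len(MAGIC) + 51   # 51 base-32 digits * 5 bits = 255 bits


def b32_decode(digits: str) -> bytes:
    """Decode 51 DNSCurve base-32 digits into a 32-byte key."""
    if len(digits) != 51:
        raise ValueError("expected 51 base-32 digits")
    n = 0
    for i, ch in enumerate(digits):
        idx = DNSCURVE_B32.find(ch)
        if idx < 0:
            raise ValueError(f"invalid DNSCurve base-32 character {ch!r}")
        n |= idx << (5 * i)          # digit i holds bits 5i .. 5i+4
    return n.to_bytes(KEY_LEN, "little")


def b32_encode(key: bytes) -> str:
    """Encode a 32-byte key (top bit clear) as 51 DNSCurve base-32 digits."""
    if len(key) != KEY_LEN or key[-1] & 0x80:
        raise ValueError("key must be 32 bytes with the top bit clear")
    n = int.from_bytes(key, "little")
    return "".join(DNSCURVE_B32[(n >> (5 * i)) & 31] for i in range(51))


def dnscurve_key_from_ns(ns_name: str):
    """Return (pubkey, hostname) if the NS name carries a DNSCurve key, else None.

    DNS names are case-insensitive, so the label is lower-cased first
    (an assumption matching how DNS treats names, not a CurveDNS detail).
    """
    first, _, rest = ns_name.lower().rstrip(".").partition(".")
    if len(first) != LABEL_LEN or not first.startswith(MAGIC):
        return None
    try:
        return b32_decode(first[len(MAGIC):]), rest
    except ValueError:
        return None                  # right shape, but not valid base-32


def dnscurve_ns_name(key: bytes, hostname: str) -> str:
    """Build the NS name to publish for `hostname` with public key `key`."""
    return MAGIC + b32_encode(key) + "." + hostname


if __name__ == "__main__":
    ns = "uz5svv9j6p8j05ms321fjtdms06tw23uv5ck1n2650847c8t29up49.ns1.example.org"
    key, host = dnscurve_key_from_ns(ns)
    print(host, key.hex(), dnscurve_ns_name(key, host) == ns)
```

Names whose first label is not a well-formed uz5 key (a plain ns1.example.org, or a label of the right length with characters outside the alphabet) return None, which is the check to run on an NS record before assuming a server speaks DNSCurve.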