DNSCurve FAQ

1. Is DNSCurve encrypted?

Yes.

2. Can encryption in DNSCurve be turned off?

No.

3. How are DNSCurve packets encrypted?

DNSCurve uses Curve25519 for key exchange and XSalsa20Poly1305 for encryption.

4. Does DNSCurve prevent caching?

No. DNSCurve does not prevent caching.

5. Will DNS need to be changed to allow DNSCurve?

No. DNSCurve is being deployed on the Internet we have now.

6. Does DNSCurve require extra packets?

No. DNSCurve requires only as many packets as normal DNS.

7. Can a DNSCurve resolver talk to a non-DNSCurve authoritative server?

Yes. DNSCurve is only used when both the resolver and authoritative server support DNSCurve.

8. Can a DNSCurve authoritative server talk to a non-DNSCurve resolver?

Yes. DNSCurve is only used when both the resolver and authoritative server support DNSCurve.

9. How does a DNSCurve resolver know if an authoritative DNS server supports DNSCurve?

An authoritative DNSCurve server has its Curve25519 public key in a label of its NS record. If the remote server advertises DNSCurve support in this way, the resolver encrypts the packet.
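How a resolver could apply this check, as an added example that is not part of the original FAQ or of any DNSCurve implementation. It assumes the key-label encoding from the DNSCurve specification, which this page does not state: the prefix `uz5` followed by 51 little-endian base-32 characters from the alphabet `0123456789bcdfghjklmnpqrstuvwxyz`. The function names, the sample key, and the choice to take the first matching label are constructed for illustration.

```python
# Added example: find and decode a DNSCurve key label in a name server name.
# The encoding is assumed from the DNSCurve specification, not from this page.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
PREFIX = "uz5"
KEY_CHARS = 51  # 51 * 5 bits = 255-bit Curve25519 public key


def encode_key_label(public_key: bytes) -> str:
    """Build the key label for a 32-byte public key (used to make test data)."""
    if len(public_key) != 32 or public_key[31] & 0x80:
        raise ValueError("expected 32 bytes with the top bit clear")
    n = int.from_bytes(public_key, "little")
    return PREFIX + "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(KEY_CHARS))


def decode_key_label(label: str):
    """Return the 32-byte key if the label is a well-formed key label, else None."""
    label = label.lower()  # DNS names are case-insensitive
    if len(label) != len(PREFIX) + KEY_CHARS or not label.startswith(PREFIX):
        return None
    n = 0
    for i, ch in enumerate(label[len(PREFIX):]):
        digit = ALPHABET.find(ch)
        if digit < 0:
            return None  # right shape, but not valid base-32: treat as no key
        n |= digit << (5 * i)
    return n.to_bytes(32, "little")


def dnscurve_key_for(ns_name: str):
    """Scan the labels of an NS target; return the first decodable key or None."""
    for label in ns_name.rstrip(".").split("."):
        key = decode_key_label(label)
        if key is not None:
            return key
    return None  # no key advertised: the resolver falls back to ordinary DNS


# Constructed sample data: a fake key under example.com, not a real server.
SAMPLE_KEY = bytes(range(1, 33))
SAMPLE_NS = encode_key_label(SAMPLE_KEY) + ".ns.example.com."

if __name__ == "__main__":
    for name in (SAMPLE_NS, "ns1.example.com.", "uz5tooshort.example.com."):
        key = dnscurve_key_for(name)
        print(name, "->", key.hex() if key else "plain DNS")
```

A label that merely starts with `uz5` but has the wrong length or an invalid character is treated as an ordinary label, so the resolver falls back to unencrypted DNS rather than sending to a malformed key.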

10. What is the format of a DNSCurve public key?

11. What's the difference between DNSCurve and DNSCrypt?

DNSCrypt is essentially DNSCurve with minor changes, applied to securing the link between a client and a resolver. They use the same cryptography and even the same magic string (R6fnvWJ8) in answers. DNSCurve is essentially link-level encrypted DNS via Curve25519XSalsa20Poly1305, and:

12. Can I use both DNSCurve and DNSCrypt?

Yes. For example, you can use DNSCrypt with a server that supports DNSCurve: dnscrypt-proxy => dnscrypt-wrapper => dqcache. However, end-users will typically support one or the other.

13. What are the differences between DNSSEC and DNSCurve?

Please see this answer.