1. Is DNSCurve encrypted?
2. Can encryption in DNSCurve be disabled?
3. Can a DNSCurve server talk to a non-DNSCurve server?
Yes. DNSCurve is only used when both the resolver and authoritative server support DNSCurve. Otherwise plain DNS is used.
4. How are DNSCurve packets encrypted?
5. Does DNSCurve prevent caching?
6. Will DNS need to be changed to allow DNSCurve?
No. DNSCurve is being deployed on the Internet we have now.
7. Does DNSCurve require extra packets?
No. DNSCurve requires only as many packets as normal DNS.
8. How does a DNSCurve resolver know if an authoritative DNS server supports DNSCurve?
An authoritative DNSCurve server has its Curve25519 public key in a label of its NS record. If the remote server advertises DNSCurve support in this way, the resolver encrypts the packet.
9. What is the format of a DNSCurve public key?
- 54-byte label in Base-32;
- Beginning with the magic string "uz5";
- Remaining 51 bytes each one of 0123456789bcdfghjklmnpqrstuvwxyz;
- E.g.: uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.dnscurve.io.
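The label format above can be checked mechanically before a resolver decides to encrypt. The following is an added example, not code from the DNSCurve project: the function names are hypothetical, lowercasing relies on DNS names being case-insensitive, and the decoding step goes beyond this FAQ by assuming the DNSCurve specification's little-endian base-32 (least significant digit first).

```python
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base-32 digits
MAGIC = "uz5"
LABEL_LEN = 54  # 3-byte magic + 51 base-32 digits


def base32_decode(digits, nbytes):
    """Decode DNSCurve base-32: a little-endian integer whose
    least significant 5-bit digit comes first in the string."""
    value = 0
    for position, ch in enumerate(digits):
        value |= ALPHABET.index(ch) << (5 * position)
    return value.to_bytes(nbytes, "little")


def dnscurve_key(ns_name):
    """Return the 32-byte Curve25519 public key advertised in an NS
    name, or None if no label has the DNSCurve format (use plain DNS)."""
    for label in ns_name.rstrip(".").lower().split("."):
        if len(label) != LABEL_LEN or not label.startswith(MAGIC):
            continue
        body = label[len(MAGIC):]
        if all(ch in ALPHABET for ch in body):
            # 51 digits * 5 bits = 255 bits, which fits in 32 bytes.
            return base32_decode(body, 32)
    return None


if __name__ == "__main__":
    # First name is the example from this FAQ; the others are constructed.
    for name in (
        "uz5qry75vfy162c239jgx7v2knkwb01g3d04qd4379s6mtcx2f0828.dnscurve.io.",
        "ns1.example.com.",
        "uz5" + "a" * 51 + ".example.com.",  # 'a' is not in the alphabet
    ):
        key = dnscurve_key(name)
        print(name[:24], "->", key.hex() if key else "plain DNS")
```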
10. What's the difference between DNSCurve and DNSCrypt?
DNSCrypt is essentially DNSCurve with minor changes, applied to secure the link between a client and a resolver. They use the same cryptography and even the same magic string (R6fnvWJ8) in answers. DNSCurve is essentially link-level encrypted DNS via Curve25519XSalsa20Poly1305, and:
- DNSCurve is between resolvers and authoritative servers;
- DNSCrypt is DNSCurve between clients and resolvers.
11. Can I use both DNSCurve and DNSCrypt?
Yes, for example you can use DNSCrypt with a server that supports DNSCurve, e.g. dnscrypt-proxy => dnscrypt-wrapper => dqcache. However, end-users will typically support one or the other.
12. What are the differences between DNSSEC and DNSCurve?
Please see this answer.