Differences between DNSCurve and DNSSEC
Differences that favor DNSSEC
- DNSSEC can in theory protect DNS data even if an attacker compromises the domain's nameservers, provided the administrator generates keys and signatures on a separate computer that is not compromised. In practice, domain owners don't do this.
Differences that favor DNSCurve
- DNSCurve is encrypted. DNSSEC is not encrypted.
- DNSCurve uses Curve25519-based public-key encryption. DNSSEC uses RSA public-key signatures.
- DNSCurve has a 128-bit security level. DNSSEC has an 80-bit security level.
- DNSCurve requires zero additional packets. DNSSEC requires more than 50% more packets.
- DNSCurve requires no new record types. DNSSEC requires DS, DNSKEY, DLV, TLSA, RRSIG, NSEC, NSEC3, NSEC3PARAM.
- DNSCurve requires no new registrar interfaces. DNSSEC requires new registrar interfaces for every registrar that supports DNSSEC.
- DNSCurve is immune to replay attacks. DNSSEC is vulnerable to replay attacks.
- DNSCurve leaks nothing. DNSSEC leaks zone contents through NSEC/NSEC3.
- DNSCurve resists network censorship. DNSSEC has no protection against censorship.
- DNSCurve increases packet sizes slightly. DNSSEC increases packet sizes significantly.
- DNSCurve is not a DDoS source. DNSSEC is a DDoS source.
- DNSCurve is safe to use. DNSSEC is a major outage risk.
- DNSCurve uses state-of-the-art cryptography. DNSSEC uses obsolete crypto from the 1990s.
- DNSCurve is not a PKI. DNSSEC is meant to be a PKI controlled by attackers (world governments).
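The "no new record types" and "no new registrar interfaces" items rest on DNSCurve carrying a server's Curve25519 public key inside an ordinary NS hostname. The following Python is an added example, not code from the DNSCurve project; it encodes and decodes that hostname label under the convention DNSCurve documents (a "uz5" prefix followed by 51 base32 characters from the alphabet 0123456789bcdfghjklmnpqrstuvwxyz in little-endian bit order), and the hostnames it uses are constructed.

```python
# Added example: a DNSCurve public key rides inside a plain NS hostname label,
# so a zone needs no new RR types and a registrar needs no new interface.
# Assumed convention: label = "uz5" + 51 base32 chars (5 bits each = 255 bits).
import secrets

DNSCURVE_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
_VALUE = {c: i for i, c in enumerate(DNSCURVE_ALPHABET)}
KEY_LABEL_LEN = 3 + 51  # "uz5" plus 51 base32 characters


def encode_key_label(pubkey: bytes) -> str:
    """Encode a 32-byte Curve25519 public key as a DNSCurve NS label."""
    if len(pubkey) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    n = int.from_bytes(pubkey, "little")
    if n >> 255:  # only 255 bits fit in 51 base32 characters
        raise ValueError("top bit of the key must be clear")
    return "uz5" + "".join(DNSCURVE_ALPHABET[(n >> (5 * k)) & 31] for k in range(51))


def decode_key_label(label: str):
    """Return the 32-byte key from a DNSCurve label, or None if it is not one."""
    label = label.lower()  # assumption: DNS labels are case-insensitive, accept both
    if len(label) != KEY_LABEL_LEN or not label.startswith("uz5"):
        return None
    n = 0
    for k, c in enumerate(label[3:]):
        v = _VALUE.get(c)
        if v is None:
            return None  # character outside the DNSCurve base32 alphabet
        n |= v << (5 * k)
    return n.to_bytes(32, "little")


def dnscurve_servers(ns_names):
    """Map each NS hostname whose first label carries a DNSCurve key to that key.
    Hostnames without such a label are ordinary, unencrypted DNS servers."""
    found = {}
    for name in ns_names:
        key = decode_key_label(name.split(".")[0])
        if key is not None:
            found[name] = key
    return found


if __name__ == "__main__":
    # Constructed sample: a random key with the top bit cleared, plus one plain NS.
    key = bytearray(secrets.token_bytes(32))
    key[31] &= 0x7F
    ns = [encode_key_label(bytes(key)) + ".ns.example", "ns2.example"]
    for host, k in dnscurve_servers(ns).items():
        print(host, "->", k.hex())
```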