How to deploy DNSCurve

Posted on Apr 18, 2014

I’ve recently started to support DNSCurve on my nameservers running djbdns, and you might want to do the same on your infrastructure: deploying DNSCurve turned out to be very easy and took about 1 hour of work!

Migrating your server to DNSCurve

But let’s start with the installation. First, you need to install a DNSCurve forwarder: the forwarder listens for incoming requests on your public_interface:53 and forwards all queries to the DNS server (such as tinydns) listening on

I’m using CurveDNS which fits nicely into existing djbdns/tinydns installations. Installing it is only a matter of minutes, thanks to the very good documentation.

Keep in mind that CurveDNS 0.87 does not chroot() itself. This patch (sent upstream) makes CurveDNS chroot() itself if $ROOT is set. To activate the chroot, run:

$ mkdir /etc/curvedns/root
$ echo /etc/curvedns/root > /etc/curvedns/env/ROOT
$ svc -t /service/curvedns
$ ls -l /proc/`pgrep curvedns`/root
lrwxrwxrwx 1 root root 0 2011-01-09 17:47 /proc/6620/root -> /etc/curvedns/root/

Whee, that was easy, wasn’t it? We can now modify the NS records of the server to include its public key!

Configuring the NS-Records

You should now create an A (or AAAA) record for your new nameserver (remember the curvedns-keygen output?). In my case /etc/tinydns/root/data looks like this:

...and the SOA record is set to

(do not forget to run make ;-) )

You must now also add or change the NS record for your domain in the web interface of your registrar.

Testing your DNSCurve installation

Testing the glue-records

We will now check whether the TLD servers ‘publish’ the public key of our domain (e.g.

Step 1: Ask the root servers for the TLD servers of

$ dig +short
net.  172800  IN      NS
net.  172800  IN      NS

Step 2: Ask the .net servers for information about

$ dig NS
...
                  172800  IN      NS
                  172800  IN      NS
                  172800  IN      NS

Great: the public key is there! (If it isn’t: did you update the records at your registrar? And even if you did, it can take some time until your changes are active.)
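To make the NS-name convention concrete, here is an added example (my own code, not from the post, CurveDNS or djbdns). It encodes and decodes the key label, runs the same check as the glue-record test above over a constructed NS record set, and builds the tinydns-data line for the delegation. Assumptions, none of which the post states: the label is “uz5” followed by 51 characters from the base-32 alphabet 0123456789bcdfghjklmnpqrstuvwxyz, least-significant bits first, carrying the 255-bit Curve25519 public key; the tinydns-data `.fqdn:ip:x:ttl` line format; the domain example.net, the address 192.0.2.53 and the nameserver ns2.example.net are constructed for the demonstration. The key string itself is the one from the post.

```python
"""DNSCurve nameserver names: encode, decode and check a delegation.

Added example, not code from the original post or from CurveDNS/djbdns.
Assumed (labelled here and below): "uz5" + 51 base-32 characters from the
alphabet 0123456789bcdfghjklmnpqrstuvwxyz, little-endian, 255-bit key.
"""

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # assumed DNSCurve base-32 alphabet
DECODE = {c: i for i, c in enumerate(ALPHABET)}
PREFIX = "uz5"
KEY_CHARS = 51                                   # 51 * 5 = 255 bits


def encode_pubkey(key: bytes) -> str:
    """Turn a 32-byte Curve25519 public key into a DNSCurve label (uz5 + 51 chars)."""
    if len(key) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    if key[31] & 0x80:
        # Only 255 bits fit in 51 base-32 characters. A reduced Curve25519
        # u-coordinate never has this bit set, so refuse instead of silently
        # producing a label that decodes to a different key.
        raise ValueError("top bit of key set; cannot be encoded as a DNSCurve name")
    acc = int.from_bytes(key, "little")         # bit i of the key is bit i of acc
    out = []
    for _ in range(KEY_CHARS):                  # emit 5 bits per character, low bits first
        out.append(ALPHABET[acc & 31])
        acc >>= 5
    return PREFIX + "".join(out)


def decode_pubkey(label: str) -> bytes:
    """Parse a DNSCurve key label back into 32 key bytes; ValueError if it is not one."""
    label = label.lower()                        # DNS names are case-insensitive
    if not label.startswith(PREFIX) or len(label) != len(PREFIX) + KEY_CHARS:
        raise ValueError("not a DNSCurve key label (need uz5 + 51 chars)")
    acc = 0
    for i, ch in enumerate(label[len(PREFIX):]):
        if ch not in DECODE:
            raise ValueError(f"invalid base-32 character {ch!r}")
        acc |= DECODE[ch] << (5 * i)
    return acc.to_bytes(32, "little")            # bit 255 is always zero here


def dnscurve_key_of(ns_name: str):
    """Public key advertised by an NS hostname, or None for an ordinary nameserver."""
    first_label = ns_name.rstrip(".").split(".")[0]
    try:
        return decode_pubkey(first_label)
    except ValueError:
        return None


def check_delegation(ns_names):
    """Split a delegation's NS names into those carrying a well-formed key and the rest.

    This is the glue-record test from the post: the key must be visible in the NS
    names the parent (TLD) servers hand out, or DNSCurve clients will never use it.
    """
    with_key = [n for n in ns_names if dnscurve_key_of(n) is not None]
    without_key = [n for n in ns_names if dnscurve_key_of(n) is None]
    return with_key, without_key


def tinydns_delegation_line(domain: str, ip: str, key: bytes, ttl: int = 259200) -> str:
    """Build the tinydns-data '.' line (NS + glue A + SOA) for a DNSCurve nameserver.

    Assumed format: .fqdn:ip:x:ttl, where an x containing a dot is used verbatim
    as the nameserver name.
    """
    ns_name = f"{encode_pubkey(key)}.{domain}"
    return f".{domain}:{ip}:{ns_name}:{ttl}"


# Constructed sample delegation: the key name from the post on a constructed
# domain, plus an ordinary secondary without a key.
SAMPLE_DELEGATION = [
    "uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.example.net.",
    "ns2.example.net.",
]

if __name__ == "__main__":
    capable, plain = check_delegation(SAMPLE_DELEGATION)
    print("DNSCurve-capable:", capable)
    print("plain DNS only:  ", plain)
    key = dnscurve_key_of(capable[0])
    print(tinydns_delegation_line("example.net", "192.0.2.53", key))
```

Running the file prints which of the two constructed nameservers advertises a key and the tinydns-data line that would publish it. The encoder deliberately rejects a key whose top bit is set instead of truncating it, so a malformed key fails loudly at the point you write the data file rather than surfacing later as a resolver that hangs on every query.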

Query the DNSCurve server

Chances are that there is no DNSCurve-aware client installed on your host, so we will use a simple DNSCurve-aware client written in Python (no installation needed).

Step 1: Grab a copy of Matthew Dempsky’s dnscurve repository on GitHub:

$ cd /tmp
$ git clone
$ cd dnscurve/tools
$ ln -s ../slownacl .   # link to slownacl, a pure-Python NaCl implementation

Step 2: Run

$ python a uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0
...output...

The tool prints some dig-like output if everything is OK. It will hang if you supply the wrong public key.

Patching dnscache to do DNSCurve queries

Matthew Dempsky has also written a patch for dnscache; you can grab a copy at this location