DNSCurve to raise Privacy

Although DNSSec was just implemented, have a look at DNSCurve

[Wiki DNSCurve]:
[..] DNSCurve uses Curve25519[1] Elliptic curve cryptography to establish keys used by Salsa20, paired with the MAC function Poly1305, to encrypt and authenticate DNS packets between resolvers and authoritative servers. Public keys for remote authoritative servers are placed in NS records, so recursive resolvers know whether the server supports DNSCurve. Keys begin with the magic string uz5 and are followed by a 51-byte Base32 encoding of the server's 255-bit public key. E.g., in BIND format:

example.com. IN NS uz5bcx1nh80x1r17q653jf3guywz7cmyh5jv0qjz0unm56lq7rpj8l.example.com.

DNSCurve advantages over previous DNS services:

Confidentiality—usual DNS requests and responses are not encrypted, and broadcast to any attacker.
Integrity—usual DNS has some protection, but [..] attackers can forge DNS records; this is prevented by DNSCurve cryptographic authentication.
Availability—usual DNS has no protection against denial of service (DoS) by a sniffing attacker sending a few forged packets per second. DNSCurve recognizes and discards forged DNS packets, providing some protection, though SMTP, HTTP, HTTPS, are also vulnerable to DoS.

Availability:
OpenDNS, which has 50 million users, announced support for DNSCurve on its recursive resolvers on February 23, 2010 and founded the DNSCrypt Project on December 6, 2011.
=> Community Feature Request DNSCrypt.

Discussion: DNSCurve vs. DNSSEC

- DNSSec signs everything from the root all the way up to the host records provided by DNS servers
- DNSCurve's focus is on preventing passive monitoring / blind poisoning of DNS query/response
- DNSCurve protects the naming service at least as reliably as the underlying transport of packets
  over the network. Therefore it

    (a) prevents passive MITM (Man-in-the-Middle attack, creating databases that contain every DNS transaction
        (query/response) through a given resolver/set of resolvers)
    (b) does not protect against active MITM

Easy installation e.g. CurveDNS:
Install on Pi-Hole, generate a keypair, update the NS-type records that point towards the authoritative name server and let them point to the Pi-Hole
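As an added example (not part of this post, and not code from CurveDNS, OpenDNS or the Wikipedia article): the two sides of the NS-record convention quoted above, in Python. key_to_name() turns a freshly generated 32-byte Curve25519 public key into the "uz5..." label that the installation step puts into the NS record, and dnscurve_key_for_ns() does what a recursive resolver does when it decides whether a name server supports DNSCurve, i.e. it checks the magic "uz5" prefix, the 51-character length and the Base32 alphabet, and recovers the key. The only format facts used are the ones in the excerpt (prefix uz5, 51 Base32 characters, 255-bit key); the alphabet "0123456789bcdfghjklmnpqrstuvwxyz", the little-endian bit order, and the case-folding of labels are stated here as assumptions about DNSCurve's Base32 variant, and the sample key is the one from the BIND-format line above.

```python
"""Added example (not the post's or CurveDNS's own code): encode and validate
DNSCurve public keys as they appear in NS-record names ("uz5" + 51 chars).

Assumptions (not from the post): DNSCurve's Base32 alphabet is
"0123456789bcdfghjklmnpqrstuvwxyz" (lowercase, no vowels), each character
carries 5 bits in little-endian bit order, and DNS labels are case-folded
before checking.  51 * 5 = 255 bits, which is all a Curve25519 public key
needs (bit 255 is always clear), so the key is exactly 32 bytes.
"""
from __future__ import annotations

from typing import Optional

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # assumed DNSCurve Base32 alphabet
VALUES = {ch: i for i, ch in enumerate(ALPHABET)}
MAGIC = "uz5"                                    # magic prefix from the page
KEY_CHARS = 51                                   # 51 Base32 characters
KEY_BYTES = 32                                   # 255 usable bits -> 32 bytes


def key_to_name(pubkey: bytes) -> str:
    """Build the NS label ('uz5' + 51 chars) for a 32-byte Curve25519 public key.

    This is the step an operator performs after generating a keypair: the
    label is then used as the first label of the NS record's target name.
    """
    if len(pubkey) != KEY_BYTES:
        raise ValueError(f"public key must be {KEY_BYTES} bytes, got {len(pubkey)}")
    n = int.from_bytes(pubkey, "little")
    if n >> 255:
        # A Curve25519 x-coordinate never has bit 255 set; 51 chars cannot carry it.
        raise ValueError("bit 255 of the key is set; not a valid Curve25519 public key")
    chars = [ALPHABET[(n >> (5 * i)) & 0x1F] for i in range(KEY_CHARS)]
    return MAGIC + "".join(chars)


def name_to_key(label: str) -> Optional[bytes]:
    """Return the 32-byte key if `label` (a single DNS label) is a DNSCurve key label.

    Returns None for anything that does not match: wrong prefix, wrong length,
    or a character outside the alphabet (vowels, uppercase after folding, '-').
    """
    label = label.lower()          # assumption: fold case, as DNS labels are case-insensitive
    if not label.startswith(MAGIC) or len(label) != len(MAGIC) + KEY_CHARS:
        return None
    n = 0
    for i, ch in enumerate(label[len(MAGIC):]):
        v = VALUES.get(ch)
        if v is None:
            return None
        n |= v << (5 * i)        # little-endian: first char = low 5 bits of byte 0
    return n.to_bytes(KEY_BYTES, "little")


def dnscurve_key_for_ns(ns_target: str) -> Optional[bytes]:
    """What a resolver does with an NS record target such as
    'uz5....example.com.': look at the first label and recover the key.
    A plain target like 'ns1.example.com.' yields None (no DNSCurve support).
    """
    first_label = ns_target.split(".", 1)[0]
    return name_to_key(first_label)


# Sample NS target from the quoted BIND-format line above.
SAMPLE_NS = "uz5bcx1nh80x1r17q653jf3guywz7cmyh5jv0qjz0unm56lq7rpj8l.example.com."


if __name__ == "__main__":
    key = dnscurve_key_for_ns(SAMPLE_NS)
    print("DNSCurve key:", key.hex() if key else None)
    print("Round trip  :", key_to_name(key) == SAMPLE_NS.split(".")[0])
    print("Plain NS    :", dnscurve_key_for_ns("ns1.example.com."))
```

The decoder deliberately returns None rather than raising for a non-matching label, because a resolver meets ordinary NS targets far more often than DNSCurve ones and must simply fall back to plain DNS for them; only the encoder raises, since a malformed key at zone-publishing time is an operator error that should stop the deployment.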

Motivation

I've read this in several places; just one reference here:
"ICANN has stated that, in the case of the DNS Root zone servers, DNSCurve will not be implemented, ever."

You misunderstand this request and ICANN's announcements (have a look into their archive, Toronto 2012, Dublin 2015)

  • DNSCurve is backwards compatible with the existing DNS protocol
  • DNSCurve is supported by OpenDNS
  • it's one step towards more privacy, because it prevents passive MITM
  • it's not a 100% solution