example.com. IN NS uz5bcx1nh80x1r17q653jf3guywz7cmyh5jv0qjz0unm56lq7rpj8l.example.com.
example.com. IN NS 192.168.xx.xxx
The resolver then sends to the server a packet containing its DNSCurve public key, a 96-bit nonce, and a cryptographic box containing the query. The cryptographic box is created using the resolver's private key, the server's public key, and the nonce. The response from the server contains a different 96-bit nonce and its own cryptographic box containing the answer to the query.
The cryptographic tools used in DNSCurve are the same used in CurveCP, a UDP-based protocol which is similar to TCP but uses elliptic-curve cryptography to encrypt and authenticate data. An analogy is that while DNSSEC is like signing a webpage with Pretty Good Privacy (PGP), CurveCP and DNSCurve are like encrypting and authenticating the channel using Transport Layer Security (TLS). Just as PGP-signed webpages can be sent over an encrypted channel using SSL, DNSSEC data can be protected using DNSCurve.