[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Tue Oct 2 20:11:21 UTC 2012

On Tue, 2 Oct 2012, Paul Vixie wrote:

> if ietf hadn't declared the dns protocol finished, and were not even now
> working to close up the dnsext working group, i'd propose that we
> develop a standard for carrying edns over tcp/80 and/or tcp/443, which
> is for most mobile users what "the internet" consists of.

unbound via dnssec-trigger does this. The problem here is that it
still does 1 query/answer per TCP connection. That has to be fixed,
and we should use a dnssec chains format for it. Ideally, I'd like
to say something like "give me the proof from .ca to IN A www.nohats.ca",
and receive one blob back.

I haven't encountered a hotspot that, after authentication, breaks port
80. This setup will work tremendously well. But currently, using port
just causes timeouts.

> i'm not sure how we expect DANE to make any difference when we don't
> have working last mile DNSSEC.
