[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Tue Oct 2 20:16:15 UTC 2012


On Tue, 2 Oct 2012, Paul Vixie wrote:

>> One of the last resorts of dnssec-trigger is to use SSL port 443 for
>> DNSSEC. If that fails, it is unlikely that DANE (https, also SSL port
>> 443) can work. Thus, logically, this service is very likely to provide
>> DNSSEC when DANE must have it.
>
> has the ssl format been submitted as an internet-draft, or is this a
> "private standard"?

This works less reliably than port 80 in my experience. Even hotspots
seem to detect that this is different from real 443 traffic and drop it,
possibly various porn filter software and the like.

AFAIK, Wouter did not submit it as a draft, and (see previous email)
I would prefer to develop something that can do HTTP or HTTPS for
dnssec-chains. If we are making anything that does 1 query per TCP
connect, or worse, 1 query per TLS connection, it will just not work.

Paul
