[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Vixie
paul at redbarn.org
Tue Oct 2 20:23:36 UTC 2012
On 2012-10-02 8:16 PM, Paul Wouters wrote:
> ...
>
> AFAIK, Wouter did not submit it as a draft, and (see previous email)
> I would prefer to develop something that can do HTTP or HTTPS for
> dnssec-chains. If we are making anything that does 1 query per TCP
> connect, or worse, 1 query per TLS connection, it will just not work.
In <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> I
was thinking that we'd add "send chain" as an EDNS option, and then add
generic EDNS tunneling over TCP/80 and TCP/443 using distinctive URI
patterns to make sure to plug into the DNS responder in the remote web
server. There's no reason to add 'send chain' just to the tunnel. And
once the tunnel is open it should be able to remain open until a quiet
period, so maybe a two second client-initiated timeout.
--
"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones
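The three pieces sketched in the message above (a "send chain" EDNS option inside an ordinary DNS query, that query tunneled over TCP/80 or TCP/443 behind a distinctive URI, and a client-side idle timer that keeps the tunnel open until a quiet period) as an added illustration. This is not code from the thread or from any IETF or vendor implementation. Assumptions: the option code 13 is what RFC 7901 later assigned to its CHAIN option, the path "/dns-query" and the "application/dns-message" content type are placeholders for the "distinctive URI pattern", and the DNS message is built and parsed uncompressed.

```python
"""Added example: 'send chain' EDNS option + DNS-over-HTTP tunnel + idle timer.
Constructed for illustration; option code, URI path and HTTP framing are assumptions."""
import struct

SEND_CHAIN_OPTION_CODE = 13   # assumption: RFC 7901 later assigned 13 to CHAIN
TUNNEL_PATH = "/dns-query"    # assumption: the distinctive URI the web server routes to DNS
IDLE_TIMEOUT_SECONDS = 2.0    # the "two second client-initiated timeout" from the post


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid, trust_point="."):
    """DNS query (RD set, DO set) with an OPT RR carrying a 'send chain' option.
    The option payload is the closest trust point the client already holds,
    so the responder knows where the returned DNSSEC chain may stop."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    tp = encode_name(trust_point)
    rdata = struct.pack("!HH", SEND_CHAIN_OPTION_CODE, len(tp)) + tp
    # OPT: root name, type 41, CLASS = UDP payload size, TTL = ext rcode/version/DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name (handles a compression pointer at the end)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def parse_edns_options(msg):
    """Return {option_code: data} from the first OPT RR, or {} if none is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            opts, rdata, p = {}, msg[off:off + rdlen], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                opts[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
            return opts
        off += rdlen
    return {}


def wrap_in_http(dns_msg, host):
    """Frame one DNS message as an HTTP/1.1 POST on a keep-alive connection,
    so many queries share a single TCP (or TLS) session instead of one each."""
    head = (f"POST {TUNNEL_PATH} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: keep-alive\r\nContent-Type: application/dns-message\r\n"
            f"Content-Length: {len(dns_msg)}\r\n\r\n")
    return head.encode("ascii") + dns_msg


def unwrap_http(request):
    """Server side: recover (path, dns_message) from a tunneled request."""
    head, _, body = request.partition(b"\r\n\r\n")
    return head.split(b" ", 2)[1].decode("ascii"), body


class TunnelConnection:
    """Client tunnel state: reused across queries, closed only after a quiet period."""

    def __init__(self, now):
        self.last_activity = now
        self.queries_sent = 0

    def send(self, dns_msg, host, now):
        self.last_activity = now
        self.queries_sent += 1
        return wrap_in_http(dns_msg, host)

    def should_close(self, now):
        return now - self.last_activity >= IDLE_TIMEOUT_SECONDS
```

The idle timer is tracked by the client, as the post suggests, so a burst of queries rides one connection and a server that must shed load can still close earlier on its own.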