[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 20:23:36 UTC 2012

On 2012-10-02 8:16 PM, Paul Wouters wrote:
> ...
> AFAIK, Wouter did not submit it as a draft, and (see previous email)
> I would prefer to develop something that can do HTTP or HTTPS for
> dnssec-chains. If we are making anything that does 1 query per TCP
> connect, or worse, 1 query per TLS connection, it will just not work.

in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
was thinking that we'd add "send chain" as an edns option, and then add
generic edns tunneling over tcp/80 and tcp/443 using distinctive URI
patterns to make sure to plug into the dns responder in the remote web
server. there's no reason to add 'send chain' just to the tunnel. and
once the tunnel is open it should be able to remain open until a quiet
period, so maybe a two second client-initiated timeout.

"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones

More information about the dns-operations mailing list