[dns-operations] DNSCrypt.

Paul Vixie paul at redbarn.org
Fri May 31 23:04:18 UTC 2013



Dobbins, Roland wrote:
> On May 31, 2013, at 10:16 PM, Joe Abley wrote:
>
>> (DNSCrypt and DNSSEC do different things)
>
> Yes, except that DNS-over-TCP helps reduce the risk of MITM, which is a perceived channel-validation benefit of DNSSEC.

let's have a war game, ok? you set up an authority server and we'll make
a distributed set of recursive servers that pound the hell out of that
authority server in the usual unhealthy-but-apparently-necessary ways
that recursive servers pound the hell out of authority servers. we'll
figure out a way to run the system at equilibrium and we'll note what
"equilibrium" is.

then you turn off udp and force that load to use tcp.

then i'll come in from the side and wreck your ability to answer
reliably using tcp.

then you can hack your server any way you want that doesn't expressly
violate RFC 1035 4.2.2.

then we'll see what the final new equilibrium is.

and then, i predict, people everywhere will stop saying "udp/53 is
crazy, let's all switch to tcp/53".

paul