[dns-operations] DNS challenge+response paper

Mark Andrews marka at isc.org
Fri Jun 22 01:36:45 UTC 2018


> On 22 Jun 2018, at 11:16 am, Paul Vixie <paul at redbarn.org> wrote:
> 
> I suggest that we stop reinventing a session layer poorly. Instead of adding chresp, just use dtls.
> -- 
> Paul Vixie

We have the problem of getting from here to there.

The only thing DTLS buys over the others is encryption of the query and response and
that could be done over port 53 using a different opcode.

You can use DNS COOKIE mechanisms with a well known TSIG key (just pass the cookie in
the extra data).  If the server doesn’t return extra data the client still gets UDP
fragmentation attack protection and anti-spoof protection for the replies.  The best
thing is that the existing authoritative name servers can provide partial support for
this with a configuration change by installing the well known key.

DTLS also brings with it all the parts of the code that have been really buggy in
OpenSSL to both the client and the server.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
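The DNS COOKIE exchange Mark refers to (RFC 7873), as an added worked example that is not part of the original post and is not ISC or BIND code. It shows the two checks that give the anti-spoof protection he describes: the client only accepts a reply that echoes the client cookie it sent, and the server only trusts a returning client whose server cookie validates against the source address. The cookie layout follows RFC 9018 (version 1, 3 reserved bytes, 32-bit timestamp, 8-byte hash), but the hash itself is an assumption for illustration: HMAC-SHA256 truncated to 8 bytes instead of the SipHash-2-4 that RFC 9018 specifies. The secrets, addresses and the TSIG-carried variant proposed in the post are not modelled; only the plain EDNS0 COOKIE option is.

```python
"""DNS COOKIE (RFC 7873 / RFC 9018) client and server side, illustrative only.

Assumptions (not from the mailing-list post): HMAC-SHA256 truncated to 8 bytes
stands in for SipHash-2-4; sample IPs and secrets are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

COOKIE_OPTION_CODE = 10  # EDNS0 option code assigned to COOKIE by RFC 7873


def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    """8-byte client cookie: pseudorandom function of client secret + server IP."""
    packed = ipaddress.ip_address(server_ip).packed
    return hmac.new(client_secret, packed, hashlib.sha256).digest()[:8]


def server_cookie(server_secret: bytes, cc: bytes, client_ip: str, ts: int) -> bytes:
    """16-byte server cookie in RFC 9018 layout: version, reserved, timestamp, hash.

    Hash input binds the client cookie and the client's source address, so a
    cookie captured from one client is useless when replayed from another IP.
    """
    prefix = struct.pack("!B3sI", 1, b"\x00\x00\x00", ts)
    packed = ipaddress.ip_address(client_ip).packed
    # Assumption: truncated HMAC-SHA256 in place of SipHash-2-4.
    mac = hmac.new(server_secret, cc + prefix + packed, hashlib.sha256).digest()[:8]
    return prefix + mac


def encode_cookie_option(cc: bytes, sc: bytes = b"") -> bytes:
    """Wire form of the EDNS0 option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    data = cc + sc
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(opt: bytes) -> tuple[bytes, bytes]:
    """Split a COOKIE option into (client cookie, server cookie), validating sizes."""
    code, length = struct.unpack("!HH", opt[:4])
    data = opt[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length:
        raise ValueError("not a well-formed COOKIE option")
    if len(data) != 8 and not 16 <= len(data) <= 40:
        raise ValueError("client cookie is 8 bytes; server cookie 8..32 bytes")
    return data[:8], data[8:]


def server_verify(server_secret: bytes, cc: bytes, sc: bytes, client_ip: str,
                  now: int, max_age: int = 3600, skew: int = 300) -> bool:
    """Server-side check of a returning client's server cookie (RFC 9018 timing)."""
    if len(sc) != 16:
        return False
    version, _reserved, ts = struct.unpack("!B3sI", sc[:8])
    if version != 1 or not now - max_age <= ts <= now + skew:
        return False
    expected = server_cookie(server_secret, cc, client_ip, ts)
    return hmac.compare_digest(expected, sc)


def client_accepts_reply(expected_cc: bytes, reply_option: bytes) -> bool:
    """Client-side anti-spoof check: the reply must echo our client cookie."""
    cc, _sc = decode_cookie_option(reply_option)
    return hmac.compare_digest(cc, expected_cc)


def run_exchange() -> dict:
    """Full exchange with constructed addresses, plus two attacks that must fail."""
    client_secret, server_secret = os.urandom(16), os.urandom(16)
    server_ip, client_ip, attacker_ip = "192.0.2.53", "198.51.100.7", "203.0.113.9"
    now = int(time.time())

    # 1. Client -> server: query carrying only a client cookie.
    cc = client_cookie(client_secret, server_ip)
    query_opt = encode_cookie_option(cc)
    seen_cc, _ = decode_cookie_option(query_opt)

    # 2. Server -> client: echoes client cookie and adds a fresh server cookie.
    sc = server_cookie(server_secret, seen_cc, client_ip, now)
    reply_opt = encode_cookie_option(seen_cc, sc)

    # Off-path attacker forging a reply cannot guess the 8-byte client cookie.
    forged_opt = encode_cookie_option(os.urandom(8), os.urandom(16))

    # 3. Client -> server again, presenting the learned server cookie.
    return {
        "genuine_reply_accepted": client_accepts_reply(cc, reply_opt),
        "forged_reply_accepted": client_accepts_reply(cc, forged_opt),
        "returning_client_verified": server_verify(server_secret, cc, sc, client_ip, now + 5),
        # Same cookie replayed from a spoofed source address fails the IP binding.
        "spoofed_source_verified": server_verify(server_secret, cc, sc, attacker_ip, now + 5),
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {ok}")
```

The server side never needs per-client state: the cookie is recomputable from the secret, the timestamp and the source address, which is what lets an authoritative server offer this cheaply, while the client-side echo check is what defeats off-path spoofed replies.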