[dns-operations] DNS challenge+response paper
Grant Taylor
gtaylor at tnetconsulting.net
Fri Jun 22 02:32:25 UTC 2018
On 06/21/2018 07:36 PM, Mark Andrews wrote:
> We have the problem of getting from here to there.
The only blockers that we have are the hurdles that we allow to be
blockers. If we want to do something strongly enough, we can overcome
the hurdles.
> The only thing DTLS buys over the others is encryption of the query and
> response and that could be done over port 53 using a different opcode.
Intriguing.
> You can use DNS COOKIE mechanisms with a well known TSIG key (just pass
> the cookie in the extra data). If the server doesn't return extra
> data the client still gets UDP fragmentation attack protection and
> anti-spoof protection for the replies. The best thing is that the existing
> authoritative name servers can provide partial support for this with a
> configuration change by installing the well known key.
I'm not versed enough in TSIG and other cryptographic functions to know
how that actually prevents a MitM from also using the well-known key, so
I'm not able to comment.
> DTLS also brings with it all the parts of the code that have been really
> buggy in OpenSSL to both the client and the server.
I hazard a guess that SSL 1, 2, and 3 also had many bugs at the same
stage of life that DTLS is currently at.
--
Grant. . . .
unix || die
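The DNS COOKIE exchange that the quoted text relies on for anti-spoof protection, written out as an added example (this is not code from the post, from Mark Andrews, or from any name server). It encodes the RFC 7873 EDNS(0) COOKIE option (option code 10, an 8-byte client cookie followed by an optional 8..32-byte server cookie), shows a stub resolver dropping a reply whose echoed client cookie does not match, and shows a server refusing a cookie presented from a different source address. The server-cookie construction (a 4-byte timestamp plus a truncated HMAC-SHA256 under a server secret), the one-hour lifetime, the secrets and the addresses are all assumptions made for the example; RFC 7873 leaves the server-cookie algorithm to the implementation. The well-known-TSIG-key variant discussed in the thread is not modelled here.

```python
"""RFC 7873 DNS COOKIE: EDNS(0) option wire format plus a client/server exchange.

Added example, not code from the list post. Option code 10 and the 8-byte client
cookie / 8..32-byte server cookie sizes come from RFC 7873; the server-cookie
construction (4-byte timestamp + truncated HMAC-SHA256) is an assumption, since
RFC 7873 leaves that algorithm to the implementation.
"""
import hashlib
import hmac
import struct
import time

COOKIE_OPTION_CODE = 10          # EDNS(0) OPTION-CODE for COOKIE (RFC 7873)
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LIFETIME = 3600    # seconds a server cookie stays valid (assumption)


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode the COOKIE option as it appears inside the OPT RR RDATA."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_cookie_option(option: bytes):
    """Split an encoded COOKIE option into (client_cookie, server_cookie).

    Returns None for anything malformed; a real server would answer FORMERR."""
    if len(option) < 4:
        return None
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length:
        return None
    if length != 8 and not 16 <= length <= 40:   # 8 = client only, 16..40 = both
        return None
    return data[:8], data[8:]


def client_cookie_for(client_secret: bytes, server_ip: str) -> bytes:
    """Per-server client cookie: keyed hash of the server address, as RFC 7873 suggests."""
    return hmac.new(client_secret, server_ip.encode(), hashlib.sha256).digest()[:8]


class CookieServer:
    def __init__(self, secret: bytes):
        self.secret = secret

    def _mac(self, client_cookie: bytes, client_ip: str, ts: int) -> bytes:
        msg = client_cookie + client_ip.encode() + struct.pack("!I", ts)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def make_server_cookie(self, client_cookie: bytes, client_ip: str, now=None) -> bytes:
        ts = int(now if now is not None else time.time())
        return struct.pack("!I", ts) + self._mac(client_cookie, client_ip, ts)

    def verify_server_cookie(self, client_cookie, server_cookie, client_ip, now=None) -> bool:
        """True only if we minted this cookie for this client cookie and this source
        address and it has not expired. The source-address binding is what stops a
        spoofed-source (reflection) query from passing as a returning client."""
        if len(server_cookie) != 12:
            return False
        ts = struct.unpack("!I", server_cookie[:4])[0]
        nowi = int(now if now is not None else time.time())
        if not 0 <= nowi - ts <= SERVER_COOKIE_LIFETIME:
            return False
        return hmac.compare_digest(server_cookie[4:], self._mac(client_cookie, client_ip, ts))

    def respond(self, query_option: bytes, client_ip: str, now=None):
        """COOKIE option for the response: echo the client cookie so the client can
        match the reply, and attach a fresh server cookie for its next query."""
        parsed = parse_cookie_option(query_option)
        if parsed is None:
            return None
        client_cookie, _ = parsed
        return build_cookie_option(client_cookie,
                                   self.make_server_cookie(client_cookie, client_ip, now))


def client_accepts_reply(reply_option: bytes, expected_client_cookie: bytes) -> bool:
    """Client-side anti-spoof check: a reply whose echoed client cookie differs from
    the one we sent is dropped, whatever its 16-bit transaction ID says."""
    parsed = parse_cookie_option(reply_option)
    return parsed is not None and hmac.compare_digest(parsed[0], expected_client_cookie)


def demo():
    # Constructed sample exchange: one stub resolver, one server, one off-path forger.
    server = CookieServer(secret=b"server-secret-rotated-periodically")
    cc = client_cookie_for(b"resolver-secret", "192.0.2.53")
    t0 = 1_700_000_000
    reply = server.respond(build_cookie_option(cc), "198.51.100.7", now=t0)
    _, sc = parse_cookie_option(reply)
    forged = build_cookie_option(b"\x00" * 8, b"\x00" * 12)   # forger never saw cc
    return {
        "honest_reply_accepted": client_accepts_reply(reply, cc),
        "forged_reply_rejected": not client_accepts_reply(forged, cc),
        "server_cookie_ok_same_ip": server.verify_server_cookie(cc, sc, "198.51.100.7", now=t0 + 60),
        "server_cookie_rejected_other_ip": not server.verify_server_cookie(cc, sc, "203.0.113.9", now=t0 + 60),
        "server_cookie_expired": not server.verify_server_cookie(
            cc, sc, "198.51.100.7", now=t0 + SERVER_COOKIE_LIFETIME + 1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The 64-bit client cookie is the property that matters for the reply side: an off-path attacker who did not observe the query has to guess it in addition to the transaction ID and source port, which is why a server that merely echoes the option (no server cookie, no extra data) already buys the client anti-spoof protection. The server side gains nothing against an on-path party that reads the cookie off the wire; that is the MitM question the reply leaves open.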