> From: Tony Finch <[email protected]>
> To: Paul Vixie <[email protected]>
>
> Paul Vixie <[email protected]> wrote:
>
> > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > was thinking that we'd add "send chain" as an edns option, and then add
>
> I like this plan.

All of those DNS tunneling, triggering, alternate port, and other variant protocol schemes for dealing with hotel and public access point attacks on DNS are either unnecessary in the long run or depend on practically no one ever using them. They are like the ad hoc schemes subscribers to this mailing list use to tunnel other protocols home. Any scheme that works around DNS, HTTP, ssh, etc. man-in-the-middle attacks and becomes popular will be blocked, proxied, or hijacked unless most users normally use tools that detect and refuse to work with men in the middle.

If the browsers and stub DNS servers of most users did DNSSEC, DANE, and HSTS, then any men in the middle would be obvious and won't be installed except for purposes that users tolerate, including access point login, employment behind corporate firewalls, and living under authoritarian regimes. In addition, those tunneling schemes will not be necessary.

To put it another way, if HTTP replaced IP as the Internet protocol without any real improvements in end to end security, then the censors and hijackers would apply their tools to HTTP.

Vernon Schryver    [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
