Hi, All,
I have a simple idea to support the encryption of the signaling between stub 
and recursive resolvers over UDP.
My solution is based on an asymmetric encryption scheme, and the main points are as 
follows: 
   o Firstly, the stub resolver and the recursive resolver should each
      generate an asymmetric key pair, which we denote as KEY-S and
      KEY-R.  For KEY-S, the private key is denoted as KEY-S-pub and
      the public key is denoted as KEY-S-pri.  Similarly, for KEY-R,
      the private key is denoted as KEY-R-pub and the public key is
      denoted as KEY-R-pri.
   o In order to publish the public key of the recursive resolver,
      KEY-R-pub can be included in an option of a DHCP message or in a
      DNS RR following the DANE protocols.  In any case, the stub
      resolver should learn KEY-R-pub during its bootstrap phase and
      update it securely and easily.
   o When the stub resolver sends a DNS request message to the
      recursive resolver, KEY-S-pub should be contained in this message.
      In addition, the DNS request message is encrypted with KEY-R-pub.
   o After receiving the DNS request message, the recursive resolver
      decrypts the message with KEY-R-pri.  Then the recursive resolver
      records the information in the DNS request message, including
      KEY-S-pub.
   o When the recursive resolver replies to the stub resolver, it
      encrypts the DNS response message with KEY-S-pub.
  
   Because the DNS request message sent from the stub resolver to the
   recursive resolver is encrypted with the public key of the recursive
   resolver, only the corresponding recursive resolver can decrypt that
   DNS request message.  Conversely, because the DNS response message
   sent from the recursive resolver to the stub resolver is encrypted
   with the public key of the stub resolver, only the corresponding stub
   resolver can decrypt that DNS response message.  In this way, the
   privacy of the messages exchanged between stub and recursive
   resolvers can be guaranteed.

I just want to get some comments from you. 
If you think this solution makes sense, the draft will be published after the 
IETF meeting.
BR,
Zhiwei Yan


2015-03-11 
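An added example, not part of Zhiwei's mail or of any draft: the five steps above written out in Go with only the standard library, so that both sides' messages can be run offline. The names (seal, open, stubQuery, recursiveHandle, Envelope, the OAEP label, the 2-byte length-prefixed framing of KEY-S-pub in front of the DNS query) and the constructed sample query for example.com. are my assumptions. One point the code has to settle that the text leaves open: RSA-OAEP with a 2048-bit key can encrypt at most 190 bytes per operation, and a DER-encoded 2048-bit KEY-S-pub alone is 294 bytes, so "encrypted by KEY-R-pub" is realised here as RSA-OAEP wrapping a fresh AES-256-GCM key under which KEY-S-pub and the DNS message are encrypted (hybrid encryption). The response is sealed the same way to the KEY-S-pub the recursive recorded from the query.

```go
package main

// Added example (not from the original mail). One RSA-OAEP operation cannot
// carry a DER KEY-S-pub plus a DNS message, so "encrypted by KEY-R-pub" is done
// (my assumption) as RSA-OAEP wrapping a fresh AES-256-GCM key that encrypts the payload.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

var oaepLabel = []byte("stub-recursive-v0") // assumed label binding the wrapped key to this use
// Envelope is the assumed wire format: wrapped AES key, GCM nonce, AES-GCM ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// SampleQuery is constructed sample data: wire-format DNS query, ID 0x1234, RD set, "example.com. IN A".
var SampleQuery = []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1}

// seal encrypts payload so that only the holder of pub's private key can open it.
func seal(pub *rsa.PublicKey, payload []byte) (Envelope, error) {
	buf := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(buf[:32]) // fixed 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return Envelope{wrapped, buf[32:], gcm.Seal(nil, buf[32:], payload, nil)}, nil
}

// open reverses seal; it fails unless priv matches the sender's key and the envelope is untouched.
func open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, oaepLabel)
	if err != nil || len(key) != 32 {
		return nil, errors.New("cannot unwrap session key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// stubQuery is step 3: KEY-S-pub (PKIX DER behind a 2-byte length, my framing) precedes the DNS query; all of it is encrypted to KEY-R-pub.
func stubQuery(stubPriv *rsa.PrivateKey, recPub *rsa.PublicKey, dnsQuery []byte) (Envelope, error) {
	der, err := x509.MarshalPKIXPublicKey(&stubPriv.PublicKey)
	if err != nil {
		return Envelope{}, err
	}
	payload := append([]byte{byte(len(der) >> 8), byte(len(der))}, der...)
	return seal(recPub, append(payload, dnsQuery...))
}

// recursiveHandle is steps 4 and 5: decrypt with KEY-R-pri, record KEY-S-pub (returned), answer, encrypt the response to KEY-S-pub.
func recursiveHandle(recPriv *rsa.PrivateKey, q Envelope) (Envelope, *rsa.PublicKey, error) {
	payload, err := open(recPriv, q)
	if err != nil {
		return Envelope{}, nil, err
	}
	if len(payload) < 14 || len(payload) < 14+int(binary.BigEndian.Uint16(payload)) {
		return Envelope{}, nil, errors.New("payload too short for KEY-S-pub plus a DNS header")
	}
	n := 2 + int(binary.BigEndian.Uint16(payload))
	parsed, err := x509.ParsePKIXPublicKey(payload[2:n])
	stubPub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return Envelope{}, nil, errors.New("KEY-S-pub is not a valid RSA public key")
	}
	resp := append([]byte(nil), payload[n:]...) // echo the query as the response body
	resp[2] |= 0x80                              // QR: this is a response
	binary.BigEndian.PutUint16(resp[6:], 1)      // ANCOUNT = 1
	// Constructed answer: name pointer to offset 12, IN A, TTL 3600, 192.0.2.1 (RFC 5737 range)
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, 192, 0, 2, 1)
	env, err := seal(stubPub, resp)
	return env, stubPub, err
}

// runExchange performs one full round trip; only KEY-S-pri can open the response.
func runExchange(stubPriv, recPriv *rsa.PrivateKey, dnsQuery []byte) ([]byte, error) {
	q, err := stubQuery(stubPriv, &recPriv.PublicKey, dnsQuery)
	if err != nil {
		return nil, err
	}
	r, _, err := recursiveHandle(recPriv, q)
	if err != nil {
		return nil, err
	}
	return open(stubPriv, r)
}

func main() {
	stubPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	recPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	resp, err := runExchange(stubPriv, recPriv, SampleQuery)
	fmt.Println(len(resp), "byte decrypted response; error:", err)
}
```

Run it with go run; main prints the length of the decrypted response (45 bytes for the sample query). Two things worth noticing when reading it: GCM authenticates the envelope, so a modified response or a query encrypted to some other key is rejected rather than decrypted to garbage, and the recursive encrypts its reply to whatever KEY-S-pub arrived inside the query, exactly as the steps above describe; nothing in the exchange itself tells the recursive who that key belongs to.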


_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
