Hi all,

I think it would be better if this draft contained some solution for client authentication to decrease/avoid DoS attacks. But it's really not the focus of this draft. To solve this problem, many other schemes can be used, such as DHCP, SAVI and DANE. Anyway, this draft can make use of them to authenticate the client.

Best Regards,
Zhiwei Yan

> On 20 March 2015, at 12:02 AM, Paul Wouters <p...@nohats.ca> wrote:
>
>> On Thu, 19 Mar 2015, W.C.A. Wijngaards wrote:
>>
>> Could perhaps a different algorithm, like ED25519, provide better
>> performance, and would that performance then be adequate?
>
> Different algorithms differ in performance how much? A factor 2? Maybe
> 10? Compared to a botnet, I don't think that it is very relevant at all.
>
>> The draft allows negotiation of a symmetric key so normally a lot of
>> asymmetric operations can be avoided by the use of a cache.
>>
>> For a cookie mechanism, there is the cookie draft from Eastlake and
>> Andrews.
>
> Demanding source ip verification before allowing crypto seems a very
> good idea with no real impact other than rejecting spoofed IPs or
> old clients - and old clients won't support crypto anyway.
>
> Paul
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy