On Thu, Apr 23, 2009 at 06:32:38PM +0800, i),h?* wrote:
> Hi, folks.
>
> As we all know, DNSSEC provides origin authentication and integrity assurance
> services for DNS data exchanged between DNS resolver and name server, while
> DNSSEC fails to give a means by which the DNS queries or responses
> transmitted between a host and a recursive server could be guaranteed
> integrity and authentication. For example, a malicious attacker might hijack
> the DNS query from a host and fake a response which will help him commit
> phishing. So I wonder, is there someone having a certain solution, more
> exactly a software implementation on host, to protect against such attack?
>
> 2009-04-23
>
> m...@cnnic.cn
As mentioned elsewhere, TSIG, GSS-TSIG, and IPsec are all forms of channel
security. The unfortunate truth is, these are unwieldy when managing large
numbers of connections. For a slightly more scalable solution, you might
consider SIG(0).

All of these are defined in RFCs and there are several interoperable
implementations.

Other channel security ideas that are floating around (but have not gained
traction in the IETF or market) are:

  EDNS-PING
  DNS-CURVE

--bill

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
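Bill's reply names TSIG as one of the channel-security options for the stub-to-recursive path the question asks about. The following is an added example, not code from the thread or from any of the implementations mentioned: a stdlib-only Python sketch of TSIG (RFC 2845, using the hmac-sha256 algorithm of RFC 4635) that signs a stub query and verifies it on the recursive side, rejecting a tampered query, an unknown key and a stale timestamp. The key name `stub.example.` and the shared secret are constructed values.

```python
import hashlib
import hmac
import struct

ALG = "hmac-sha256."  # TSIG algorithm name (RFC 4635) as an FQDN; keys are raw shared-secret bytes
def encode_name(name):  # wire-format a name, lowercased (TSIG digests use canonical form)
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
def _skip_name(buf, i):  # offset just past the name at buf[i]; a compression pointer ends it
    while buf[i] and buf[i] & 0xC0 != 0xC0:
        i += 1 + buf[i]
    return i + (2 if buf[i] else 1)
def build_query(qname, msg_id, qtype=1):  # minimal stub query: RD set, one IN-class question
    return struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack(">HH", qtype, 1)
def _tsig_vars(kn, time_signed, fudge, error=0, other=b""):
    """RFC 2845 3.4.2: TSIG fields entering the MAC (class ANY, TTL 0, 48-bit time)."""
    return (kn + struct.pack(">HI", 255, 0) + encode_name(ALG) + struct.pack(">Q", time_signed)[2:]
            + struct.pack(">HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, key, time_signed, fudge=300):
    """Stub side: append a TSIG RR whose MAC covers msg plus the TSIG variables."""
    kn = encode_name(keyname)
    mac = hmac.new(key, msg + _tsig_vars(kn, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + struct.pack(">Q", time_signed)[2:] + struct.pack(">HH", fudge, len(mac))
             + mac + struct.pack(">HHH", struct.unpack(">H", msg[:2])[0], 0, 0))
    arcount = struct.unpack(">H", msg[10:12])[0] + 1  # the TSIG RR is counted in ARCOUNT
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + kn + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata

def tsig_verify(signed, keys, now):
    """Recursive side: key known, MAC over the message minus TSIG, time within fudge."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    if ar == 0:  # a signed message carries the TSIG RR as its last additional record
        return False
    i = 12
    for _ in range(qd):
        i = _skip_name(signed, i) + 4
    for _ in range(an + ns + ar - 1):  # skip every RR but the last, which must be the TSIG
        i = _skip_name(signed, i) + 8
        i += 2 + struct.unpack(">H", signed[i:i + 2])[0]
    j = _skip_name(signed, i)
    kn, key = signed[i:j].lower(), keys.get(signed[i:j].lower())
    k = _skip_name(signed, j + 10)  # past TYPE/CLASS/TTL/RDLEN and the algorithm name
    time_signed, fudge, maclen = int.from_bytes(signed[k:k + 6], "big"), *struct.unpack(">HH", signed[k + 6:k + 10])
    mac, p = signed[k + 10:k + 10 + maclen], k + 10 + maclen
    orig_id, error, otherlen = struct.unpack(">HHH", signed[p:p + 6])
    unsigned = struct.pack(">H", orig_id) + signed[2:10] + struct.pack(">H", ar - 1) + signed[12:i]
    if key is None or signed[j:j + 2] != b"\x00\xfa" or abs(now - time_signed) > fudge:
        return False
    variables = _tsig_vars(kn, time_signed, fudge, error, signed[p + 6:p + 6 + otherlen])
    return hmac.compare_digest(mac, hmac.new(key, unsigned + variables, hashlib.sha256).digest())
```

The shared key still has to be provisioned on every stub, which is the scaling problem the reply points at; the time window is what keeps a captured signed query from being replayed later.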