On Apr 23, 2014, at 6:47 AM, Dan Wing <d...@danwing.org> wrote:

> For discussion.
>
> DNS queries and responses are visible to network elements on the path
> between the DNS client and its server. These queries and responses
> can contain privacy-sensitive information which is valuable to
> protect. An active attacker can send bogus responses causing
> misdirection of the subsequent connection.
>
> To counter passive listening and active attacks, this document
> proposes the use of Datagram Transport Layer Security (DTLS) for DNS,
> to protect against passive listeners and certain active attacks. As
> DNS needs to remain fast, this proposal also discusses mechanisms to
> reduce DTLS round trips and reduce DTLS handshake size. The proposed
> mechanism runs over the default DNS port and can also run over an
> alternate port.
>
> http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls
a: With the need to do all the handshaking, you gain only a little from doing DTLS over UDP rather than TLS over TCP. So why use UDP with all its headaches? Just use TCP and conventional TLS rather than DTLS, especially when you are talking about mucking with the handshake.

b: DO NOT USE PORT 53 for this: There are far far too many networks (1%+) that reinterpret DNS requests or just outright block all DNS to non-approved servers, and more still which block non-DNS over DNS.

--
Nicholas Weaver                    it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu          full of sound and fury,
510-666-2903                       .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
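To make the "block non-DNS over DNS" point concrete, here is an added example (not from the thread, the draft, or either author) that models the kind of DNS-shape filter a UDP/53 middlebox might apply and runs it over a constructed DNS query and a constructed DTLS 1.2 ClientHello record. The filter rules are an assumption about such middleboxes, not a description of any specific product.

```python
import struct

# Constructed sample: a plain DNS query for example.com / A (ID 0x1234, RD set).
DNS_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)

# Constructed sample: a DTLS 1.2 record carrying a ClientHello. Record header:
# content type 22 (handshake), version 0xFEFD, epoch 0, 48-bit sequence 0,
# length 0x40; then handshake type 1 (client_hello) and a dummy body.
DTLS_CLIENT_HELLO = (
    b"\x16\xfe\xfd" + b"\x00\x00" + b"\x00" * 6 + b"\x00\x40"
    + b"\x01" + b"\x00" * 0x3F
)


def looks_like_dns_query(payload: bytes) -> bool:
    """Shape check modelled on a DNS-only filter for UDP/53 (assumed rules).
    Accepts a query with a sane header and one parseable question."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack(
        "!HHHHHH", payload[:12])
    if flags & 0x8000:               # QR=1 means a response, not a client query
        return False
    if (flags >> 11) & 0xF > 2:      # opcode must be QUERY, IQUERY or STATUS
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return False
    pos = 12                         # walk the question name label by label
    while True:
        if pos >= len(payload):
            return False
        ln = payload[pos]
        if ln == 0:
            pos += 1
            break
        if ln > 63 or pos + 1 + ln > len(payload):   # no compression pointers here
            return False
        pos += 1 + ln
    if len(payload) < pos + 4:
        return False
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype != 0 and qclass in (1, 255)        # class IN or ANY


if __name__ == "__main__":
    print("DNS query passes filter:", looks_like_dns_query(DNS_QUERY))
    print("DTLS ClientHello passes filter:", looks_like_dns_query(DTLS_CLIENT_HELLO))
```

The DTLS record's first two bytes land in the DNS flags field with the QR bit set and an invalid opcode, so a filter of this shape drops the handshake before any DTLS negotiation can happen.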
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop