Hi Paul

On Mon, Sep 28, 2015 at 10:19:20AM -0700, Paul Hoffman wrote:
> Paul's "no" (which I agree with) shows what might be a fatal flaw in

Even if Paul had said "yes", this security consideration still exists (see below). The reason I sent the EDNS option handling email was that, with newer options, it is sometimes not apparent whether an option was left out because there was no support for it, or because of some other condition.

> draft-muks-dnsop-dns-message-checksums: an attacker just needs to send
> fragments that look like they say "I don't understand the new EDNS0 option".
> Does that make sense?

I really appreciate the sharp review. This was also pointed out by Ray Bellis during internal review. It is listed in the github repo under security considerations. The latest version of this draft in text form is here:

http://users.isc.org/~muks/draft-muks-dnsop-dns-message-checksums.txt

As with any new protocol, if the protocol is not supported on both ends, nothing can be done for it. The SHOULDs turn to MUSTs at some point when support is widespread. Currently it's the client's choice what action to take if the option is missing from a reply.

Mukund
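As an added illustration of the client-side choice discussed in this message (this is not code from the draft, from ISC, or from anyone in the thread), the following Python parses a DNS reply, looks for a given EDNS option in the OPT RR, and applies either a strict or a lenient policy when the option is absent. The option code `CHECKSUM_OPTION_CODE` and the 16-byte checksum payload are placeholders: the draft's real code point and value format are not given here, and the sample reply is constructed inline.

```python
import struct

# Placeholder for the checksum option code; the draft's actual code point is not
# stated in this thread, so a value from the local/experimental range is assumed.
CHECKSUM_OPTION_CODE = 65001
EDNS_OPT_TYPE = 41          # RR type of the EDNS(0) OPT pseudo-RR


def skip_name(msg, off):
    """Return the offset just past the wire-format name starting at `off`.

    Handles both uncompressed labels and a 2-byte compression pointer.
    """
    while True:
        length = msg[off]
        if length == 0:                # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_options(msg):
    """Return {option_code: option_data} from the reply's OPT RR.

    Returns None when the reply carries no OPT RR at all (a non-EDNS server).
    """
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off = 12
    for _ in range(qd):                # skip the question section
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    opts = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == EDNS_OPT_TYPE:
            opts = {}
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack('!HH', rdata[p:p + 4])
                opts[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    return opts


def classify_reply(msg, requested_checksum, strict):
    """Decide how a client treats a reply after it asked for the checksum option.

    'verify'  -> option present; caller goes on to verify the checksum value
    'accept'  -> option absent but the client chose to tolerate that
    'reject'  -> option absent and the client insists on it (the MUST posture)
    """
    if not requested_checksum:
        return 'accept'
    opts = edns_options(msg)
    if opts is not None and CHECKSUM_OPTION_CODE in opts:
        return 'verify'
    # Absent option: either a server without support, or a reply from which the
    # option was stripped. A strict client cannot tell the two apart and rejects.
    return 'reject' if strict else 'accept'


def build_reply(include_option):
    """Constructed sample reply for example.com A, with or without the option."""
    header = struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 1)
    question = b'\x07example\x03com\x00' + struct.pack('!HH', 1, 1)
    answer = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    rdata = b''
    if include_option:
        payload = b'\x00' * 16     # placeholder checksum value, not a real digest
        rdata = struct.pack('!HH', CHECKSUM_OPTION_CODE, len(payload)) + payload
    opt = b'\x00' + struct.pack('!HHIH', EDNS_OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + answer + opt


if __name__ == '__main__':
    for with_opt in (True, False):
        for strict in (True, False):
            print(with_opt, strict, classify_reply(build_reply(with_opt), True, strict))
```

In lenient mode the client behaves as the draft's SHOULD allows today: a missing option is treated as lack of support and the answer is used unprotected. Strict mode is the posture the message anticipates once support is widespread, where a stripped option is indistinguishable from a non-supporting server and the reply is discarded rather than silently downgraded.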
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop