Hi,
it was not declared if this is intended for client-to-resolver DNS or
resolver-to-authoritative DNS. If the latter, it looks like just another
method of DoE, and like any of those, can be solvable (only?) by DELEG.
I'd like to see the direct comparison against DoQ. I understand that
this should be more lightweight. On the other hand, DoQ is already
invented and being implemented, with some hope to succeed. So I don't
feel motivated to look around for alternatives.
Libor
On 15. 08. 24 at 12:14 Peter Thomassen wrote:
Hi Vint,
On 8/15/24 00:06, Vint Joseph wrote:
The core idea/synopsis
We plan to implement a system using elliptic curve cryptography. A
preshared key, referred to as the public key G^S, is distributed from
the DNS server to the client.
How?
Best,
Peter
The server retains the private key S and the corresponding public key
G^S, while the client receives the public key G^S. When the client
needs a DNS response, it generates a key pair consisting of a private
key C and a public key G^C. The client then sends a DNS request
encrypted with the shared key G^CS and includes its public key G^C in
the DNS extension. Upon receiving the public key G^C, the DNS server
computes the shared key G^CS using its private key S and the client's
public key G^C. These are ephemeral keys, ensuring that each DNS
packet has its own session keys. The DNS server responds to the DNS
query and sends the DNS response encrypted using G^CS. If the DNS
server plans to change the keys, then a public key G^S1 is sent to
the client, in the response packet. But these are optimizations
which can be done later.
Thank you and I'm looking forward to your feedback!
Best regards,
Vineeth
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
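The exchange Vineeth describes (static server key S with preshared G^S, a fresh ephemeral C per query, G^C carried alongside the encrypted request, both sides deriving G^CS), as an added example that is not part of the thread or of any proposal text. It assumes a plain Diffie-Hellman group over a small prime in place of the elliptic curve, a SHA-256-based KDF and a keystream-plus-HMAC stand-in for an AEAD, all constructed here so it runs on the standard library alone.

```python
import hashlib, hmac, secrets
# Constructed demo group: a 127-bit Mersenne prime and base 3 stand in for the
# proposal's elliptic-curve group so this runs on the standard library alone.
# Far too small to be secure; the exchange shape is the point, not the group.
P, G = 2**127 - 1, 3

def keygen():  # (private x, public G^x mod P)
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def derive_key(shared, client_pub, server_pub):
    # Assumed KDF: hash raw G^CS with both public values (a real design: HKDF).
    msg = b"".join(v.to_bytes(16, "big") for v in (shared, client_pub, server_pub))
    return hashlib.sha256(msg).digest()

def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):  # demo stand-in for an AEAD: keystream + HMAC
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered packet")
    return _xor_stream(key, nonce, ct)

def client_query(server_pub, query):
    # Fresh ephemeral C per packet; G^C travels in the clear (the proposal puts
    # it in a DNS extension) next to the sealed query.
    c_priv, c_pub = keygen()
    key = derive_key(pow(server_pub, c_priv, P), c_pub, server_pub)
    return c_pub, seal(key, query), key

def server_handle(server_priv, server_pub, c_pub, sealed_query, answer_for):
    # Server recomputes G^CS = (G^C)^S from the received G^C and its own S.
    key = derive_key(pow(c_pub, server_priv, P), c_pub, server_pub)
    return seal(key, answer_for(open_sealed(key, sealed_query)))

def round_trip(query=b"example.com. IN A"):
    s_priv, s_pub = keygen()  # server's long-lived S and preshared G^S
    c_pub, sealed_q, key = client_query(s_pub, query)
    sealed_a = server_handle(s_priv, s_pub, c_pub, sealed_q, lambda q: b"ANSWER:" + q)
    return open_sealed(key, sealed_a), key, c_pub
```

Note what the shape gives and does not give: the client authenticates the server only through prior knowledge of G^S, the server does not authenticate the client at all, and with S static there is no forward secrecy on the server side until the G^S1 rotation the message mentions.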