> On May 3, 2017, at 9:39 PM, Colm MacCárthaigh <c...@allcosts.net> wrote:
>
> As it happens, DNS queries are not idempotent. Queries have side-effects,

This is sufficiently misleading to be false.

> for example Bind9 will rotate an RRset by one increment on each query.

Regardless of who the client is, the "attacker" can rotate the RRset order by making his own query, no need to impersonate some other client. And of course randomization of RRs in an RRset is normal. Some clients further randomize or re-order the results.

> Many providers charge by the DNS query.

They don't charge the client, which remains unauthenticated. Hosted DNS domains may be charged by query volume, but again the attacker can make his own queries without replaying traffic from some other client.

> Many providers throttle DNS queries (and TLS is intended as a mechanism
> to help prevent the ordinary spoof ability of DNS queries).

Again the client is unauthenticated, throttling is by IP address, there's no need to repeat the same payload, indeed that's less effective since throttling is biased towards queries for non-existent names, ...

Throttling is mostly for UDP, for lack of BCP-38 implementation.

DNS over TLS *is* a good candidate for 0-RTT.

[ I would have chosen a more simple protocol for DNS security than TLS, but given that DNS over TLS seems to be moving forward, 0-RTT makes sense. ]

--
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
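The argument above is that replaying a plain DNS query in 0-RTT early data gives an attacker nothing he could not get by sending his own query. The gate below, added here as an example and not part of the thread or of any DNS-over-TLS implementation, applies that reasoning on the server side: it accepts only standard queries as early data and defers every other message type until the handshake completes. The opcode numbers come from RFC 1035, 1996 and 2136; the sample messages are constructed.

```python
# Added example: gate TLS 1.3 early data on a DNS-over-TLS server so that only
# plain standard queries (QR=0, opcode QUERY) are answered from 0-RTT data.
# Wire format per RFC 1035; all messages below are constructed test data.
import struct

OPCODE_QUERY = 0   # RFC 1035
OPCODE_NOTIFY = 4  # RFC 1996
OPCODE_UPDATE = 5  # RFC 2136; updates carry their changes in the NSCOUNT section


def parse_header(msg):
    """Return (id, qr, opcode, qdcount, ancount, nscount, arcount) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return ident, (flags >> 15) & 1, (flags >> 11) & 0xF, qd, an, ns, ar


def safe_as_early_data(msg):
    """True only for a plain lookup: a request (QR=0) with opcode QUERY, exactly
    one question, and empty answer and authority sections. Anything else
    (UPDATE, NOTIFY, a response, a malformed header) is held for 1-RTT."""
    try:
        _, qr, opcode, qd, an, ns, _ = parse_header(msg)
    except ValueError:
        return False
    return qr == 0 and opcode == OPCODE_QUERY and qd == 1 and an == 0 and ns == 0


def build_message(opcode, qname, qtype=1, qr=0, nscount=0):
    """Build a minimal DNS message (header + one question) for the demonstration."""
    flags = ((qr & 1) << 15) | ((opcode & 0xF) << 11)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, nscount, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
```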