James A. Donald wrote:


Attacks on DNS are common, though less common than other
attacks, but they are by scammers, not TLA agencies,
perhaps because they are so easily detected.

All logons should move to SRP to avoid the phishing
problem, as this is the most direct and strongest
solution for phishing for shared secrets, and phishing
for shared secrets is the biggest problem we now have.

Encrypting DNS is unacceptable, because the very large
number of very short messages make public key encryption
an intolerable overhead.  A DNS message also has to fit
in a single datagram.


IIRC, from following the development of SPF (which uses rather lengthy DNS data records), a DNS message that fits inside a single datagram can be sent via UDP, but if it spills over, the DNS server has to set up a TCP connection.

So longer DNS messages are allowed, but they are either expensive (TCP vs UDP) or not supported by all implementations?

(Did I get that right?)

I do suspect at some point that the lightweight nature of DNS will give way to a heavier, encrypted or signed protocol. Economic factors will probably be the driving force (online banking).
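
The SRP exchange the quoted message argues for, as an added example written for this page (it is not code from either poster): SRP-6a over the 1024-bit group from RFC 5054 Appendix A, with SHA-256 in place of the SHA-1 that TLS-SRP specifies and a simplified key-confirmation hash. The user "alice", her password and the phisher's guess are constructed inputs, and the class and function names are this example's own. The point the paragraph makes is visible in the transcript: only the username, the ephemerals A and B, the salt and a proof hash cross the wire, so a phishing site that does not hold the real verifier v can neither complete the login nor check a password guess against what it saw (that would need the client's secret a).

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit prime and generator from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8  # byte length of one group element


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """Hash-to-integer (SHA-256 here; RFC 5054 uses SHA-1 for TLS-SRP)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group parameters


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str):
    """Registration: the server stores (salt, v) and never sees the password again."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def session_key_bytes(S: int) -> bytes:
    return hashlib.sha256(pad(S)).digest()


def proof(A: int, B: int, K: bytes) -> bytes:
    """Key-confirmation value; binds the derived key to this exchange's A and B."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)  # public ephemeral, sent to the server

    def derive_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent B == 0 mod N")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_x(salt, self.username, self.password)
        # (B - k*g^x) equals g^b only if the server used the real verifier.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return session_key_bytes(S)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbits(256)
        self.B = (k * v + pow(g, self.b, N)) % N  # sent to the client with salt

    def derive_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("client sent A == 0 mod N")
        u = H(pad(A), pad(self.B))
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        return session_key_bytes(S)


def login(username: str, password: str, salt: bytes, v: int):
    """One exchange. Returns (accepted, client_key, server_key).
    Wire contents: username and A one way; salt and B the other; then the proof."""
    client = Client(username, password)
    server = Server(salt, v)
    Kc = client.derive_key(server.salt, server.B)
    Ks = server.derive_key(client.A)
    accepted = hmac.compare_digest(proof(client.A, server.B, Kc),
                                   proof(client.A, server.B, Ks))
    return accepted, Kc, Ks


def demo() -> dict:
    # Constructed credentials for the example.
    salt, v = enroll("alice", "correct horse battery staple")
    ok, Kc, Ks = login("alice", "correct horse battery staple", salt, v)
    bad, Kc2, Ks2 = login("alice", "wrong password", salt, v)
    # A phishing site has no verifier for alice. It can enrol a guess of its own,
    # but the proofs will not match and the transcript cannot be used to test
    # that guess offline without the client's secret exponent a.
    phish_salt, phish_v = enroll("alice", "phisher's guess")
    phished, _, _ = login("alice", "correct horse battery staple", phish_salt, phish_v)
    return {"correct": ok and Kc == Ks, "wrong": bad,
            "wrong_keys_equal": Kc2 == Ks2, "phish": phished}
```

In a deployment the client sends its proof first and must abort the moment the server's proof fails, and the RFC 5054 framing (exact hash, padding and the larger groups) should be followed rather than the simplified confirmation hash used here.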

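As an added example, not from the original thread, here is an offline simulation of the UDP/TCP behaviour discussed above: a server-side builder that drops trailing answers and sets the TC (truncated) bit when the reply would not fit in the classic 512-byte UDP payload, and a client-side step that reads TC and repeats the same query over TCP with the 2-byte length prefix that transport uses. The example.com zone data (one oversized SPF-style TXT record plus two filler records), the query ID and the helper names are constructed for the example; EDNS0 (RFC 6891), which lets a client advertise a larger UDP buffer, is not modelled.

```python
import struct

UDP_MAX = 512  # classic DNS-over-UDP payload limit (RFC 1035); EDNS0 can raise it
TYPE_TXT, CLASS_IN = 16, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA is a sequence of <character-string>s of at most 255 bytes each."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_query(qid: int, name: str, qtype: int = TYPE_TXT) -> bytes:
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query: bytes, records, limit: int) -> bytes:
    """Answer `query` with `records` = [(name, type, ttl, rdata), ...].
    If the whole message exceeds `limit`, drop trailing answers until it fits
    and set TC so the client knows the reply is incomplete."""
    (qid,) = struct.unpack("!H", query[:2])
    question = query[12:]  # single question: name + qtype + qclass

    def assemble(answers, truncated):
        flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
        header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
        body = b"".join(
            encode_name(n) + struct.pack("!HHIH", t, CLASS_IN, ttl, len(rd)) + rd
            for n, t, ttl, rd in answers
        )
        return header + question + body

    full = assemble(records, False)
    if len(full) <= limit:
        return full
    kept = list(records)
    while kept and len(assemble(kept, True)) > limit:
        kept.pop()
    return assemble(kept, True)


def parse_header(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "ancount": an}


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


# Constructed zone: an SPF-style TXT record plus two filler TXT records, sized so
# that all three answers (672 bytes with the header and question) cannot fit in
# a 512-byte UDP reply but two of them (448 bytes) can.
ZONE = [
    ("example.com.", TYPE_TXT, 300,
     txt_rdata("v=spf1 " + " ".join(f"ip4:198.51.100.{i}/32" for i in range(8)) + " -all")),
    ("example.com.", TYPE_TXT, 300, txt_rdata("z" * 200)),
    ("example.com.", TYPE_TXT, 300, txt_rdata("q" * 200)),
]


def resolve(name: str, zone=ZONE) -> dict:
    """Simulated resolver: ask over UDP first; if TC is set, repeat over TCP."""
    query = build_query(0x1234, name)
    udp = parse_header(build_response(query, zone, UDP_MAX))
    if not udp["tc"]:
        return {"transport": "udp", "udp_tc": False,
                "udp_ancount": udp["ancount"], "final_ancount": udp["ancount"]}
    # Same query over TCP: length-framed, so the ceiling is 65535 bytes, not 512.
    tcp = parse_header(tcp_unframe(tcp_frame(build_response(query, zone, 65535))))
    return {"transport": "tcp", "udp_tc": True, "udp_ancount": udp["ancount"],
            "final_ancount": tcp["ancount"], "final_tc": tcp["tc"]}
```

Real servers decide what to cut differently (many drop whole sections rather than trailing records), and a reply with TC set must not be cached or acted on as if it were complete; the retry over TCP is what makes the long record set usable at all, at the cost of a connection setup per lookup.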
---------------------------------------------------------------------
The Cryptography Mailing List