On Wed, 25 Mar 2015, Viktor Dukhovni wrote:

> It makes NO difference what protocol is used to find the address
> -> key mapping.  Using something other than DNS just makes it easier
> to rate control clients, because they are not proxied by their
> ISP's DNS cache.

You mean it makes it easier to DDOS with a botnet. Either it will
be some UDP protocol with no state, vulnerable to spoofing, or
it will be some TCP protocol with state, vulnerable to resource
starvation.

Attacks will just take out the oracle to induce plaintext, or will
spoof, causing a lockout of real clients and inducing those to end up
using plaintext.

>> On the other hand, I think that a lookup service that takes an address
>> and returns a key would be workable.  Yeah, spammers will try to
>> scrape addresses from it, but it's the same attack as RCPT TO probing
>> and we have workable defenses against that.
>
> Actually, for the spammer, the DNS is a more attractive oracle,
> because queries are cheaper and proxied by ISP caches.

Recursors and Authoritative servers supporting OPENPGPKEY or SMIME could
rate limit the sending of NSEC3 chains if there are too many requests for
non-existing records - causing them to need to go back to the current
RCPT TO practice.

Paul
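The address enumeration the thread is arguing about, as an added example that is not part of the original messages or of any IETF or Postfix code. It builds the OPENPGPKEY owner name the way RFC 7929 specifies (SHA2-256 of the local-part, truncated to 28 octets, as hex, under `_openpgpkey.<domain>`), runs a wordlist of candidate local-parts against a constructed toy zone for `example.com` to show how the lookup doubles as an existence oracle, and models Paul's rate-limit idea as a per-client budget of negative answers, after which the toy server refuses further lookups from that client. The zone contents, the wordlist, the budget value and the choice to enforce the limit by refusing queries are all assumptions made for the example; the toy server also sees each client's address directly, which, as Viktor notes above, an authoritative server behind ISP recursive caches would not.

```python
import hashlib
from collections import defaultdict

ZONE_DOMAIN = "example.com"

# Constructed sample: the local-parts this toy zone publishes keys for.
PUBLISHED_LOCAL_PARTS = ("alice", "bob", "carol")


def openpgpkey_qname(email):
    """Owner name for an OPENPGPKEY lookup, per RFC 7929 section 3.

    The local-part is hashed as UTF-8 with SHA2-256, the digest is truncated
    to 28 octets and written as lowercase hex, then placed under
    _openpgpkey.<domain>.  The local-part is case-sensitive; the domain is
    normalised to lowercase because DNS names are case-insensitive.
    """
    local, _, domain = email.rpartition("@")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.lower()}"


# Toy zone: owner name -> placeholder record data (constructed, not real keys).
ZONE = {
    openpgpkey_qname(f"{lp}@{ZONE_DOMAIN}"): f"<OPENPGPKEY blob for {lp}>"
    for lp in PUBLISHED_LOCAL_PARTS
}


class Resolver:
    """Toy authoritative server with a per-client budget of negative answers.

    Assumption for this example: once a client has drawn more than
    `nxdomain_budget` NXDOMAIN answers it gets REFUSED for every later query,
    which is one way to make the DNS oracle no cheaper than RCPT TO probing.
    """

    def __init__(self, nxdomain_budget):
        self.budget = nxdomain_budget
        self.negatives = defaultdict(int)  # client -> NXDOMAIN answers so far

    def query(self, client, qname):
        if self.negatives[client] > self.budget:
            return ("REFUSED", None)
        if qname in ZONE:
            return ("NOERROR", ZONE[qname])
        self.negatives[client] += 1
        if self.negatives[client] > self.budget:
            return ("REFUSED", None)
        return ("NXDOMAIN", None)


def enumerate_addresses(resolver, client, wordlist, domain):
    """What a scraper does: hash each candidate local-part and ask the DNS.

    Returns the addresses that answered NOERROR (confirmed to exist) plus the
    number of NXDOMAIN and REFUSED answers seen along the way.
    """
    found, counts = [], {"NXDOMAIN": 0, "REFUSED": 0}
    for lp in wordlist:
        rcode, _ = resolver.query(client, openpgpkey_qname(f"{lp}@{domain}"))
        if rcode == "NOERROR":
            found.append(f"{lp}@{domain}")
        else:
            counts[rcode] += 1
    return found, counts


if __name__ == "__main__":
    # Constructed wordlist; "alice", "bob" and "carol" exist, the rest do not.
    wordlist = ["alice", "dave", "eve", "bob", "frank", "carol", "grace"]
    r = Resolver(nxdomain_budget=2)
    found, counts = enumerate_addresses(r, "scraper", wordlist, ZONE_DOMAIN)
    print("scraper confirmed:", found, counts)
    # A different client is unaffected by the scraper's exhausted budget.
    print("legit client:", r.query("mua", openpgpkey_qname("carol@example.com"))[0])
```

With the budget set to 2, the scraper confirms `alice` and `bob`, burns its budget on `dave` and `eve`, and is refused from `frank` onwards, so `carol` is never confirmed even though a key is published for her; a separate client still gets a normal answer for `carol`. Without the budget the same loop confirms all three, which is the oracle the thread is worried about.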

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane