* bert hubert [2012-09-28 09:44]:
> Hmmm for authoritative servers, we might also emit a CNAME "challenge". This
> would be a needless and semantically null transition, but only a bona fide
> resolver will come back to follow the CNAME trail.
>
> This allows us to test for two-way communications without using truncated
> packets or TCP.
>
> We could encode the correct destination in the CNAME, for A and
> AAAA this is trivial. If you come back to resolve
> encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc. For extra
> resilience encrypt it.
There has been recently a patent granted with this method:
http://www.freepatentsonline.com/8261351.html

Though they don't use it to decide about blocking, but use the CNAME challenge
on every query, still providing a small amplification. This comes at the risk
of running into resolver issues with NS or MX records...

Regards,
Matt

--
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
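The CNAME-challenge scheme discussed in this thread, as an added example that is neither the poster's code nor the patented implementation. It assumes a zone name (attackeddomain.com, from bert's example), a hex-packed address label instead of the dotted form in the thread, and a keyed HMAC tag standing in for the "encrypt it" suggestion so that third parties cannot mint encoded names the server would answer; queries for NS or MX are left unchallenged, per Matt's caveat.

```python
import hashlib
import hmac
import ipaddress

# Constructed values for this example; a real server uses its own zone and secret.
ZONE = "attackeddomain.com"
SECRET = b"constructed-example-key"
CHALLENGE_TYPES = ("A", "AAAA")


def _tag(payload: str) -> str:
    # Short keyed tag: only this server can produce encoded names it will decode.
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:16]


def challenge_cname(qname: str, qtype: str, rdata: str):
    """Return the CNAME target that stands in for the real A/AAAA answer, or
    None for other types (a CNAME detour would break NS or MX resolution)."""
    if qtype not in CHALLENGE_TYPES:
        return None
    addr = ipaddress.ip_address(rdata)
    payload = f"{qtype.lower()}-{addr.packed.hex()}"
    return f"encoded-{payload}.{_tag(payload)}.{ZONE}"


def decode_challenge(name: str):
    """Inverse step: a resolver that genuinely followed the CNAME now asks for
    the encoded name; recover (qtype, rdata) or None if the name is not a
    valid challenge (wrong zone, bad tag, malformed address)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or not labels[0].startswith("encoded-"):
        return None
    payload, tag = labels[0][len("encoded-"):], labels[1]
    if ".".join(labels[2:]) != ZONE or not hmac.compare_digest(tag, _tag(payload)):
        return None
    qtype, _, hexaddr = payload.partition("-")
    try:
        addr = ipaddress.ip_address(bytes.fromhex(hexaddr))
    except ValueError:
        return None
    if qtype.upper() != ("A" if addr.version == 4 else "AAAA"):
        return None
    return qtype.upper(), str(addr)
```

A spoofed-source query costs the authoritative server only the small CNAME response; the full answer is returned only to a client that demonstrably received and acted on it.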
