Vernon Schryver <[email protected]> wrote:
> Tony Finch <[email protected]> wrote:
> > Paul Vixie <[email protected]> wrote:
> > >
> > > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > > was thinking that we'd add "send chain" as an edns option, and then add
>
> > I like this plan.
>
> All of those DNS tunneling, triggering, alternate port, and other
> variant protocol schemes for dealing with hotels and public access
> points attacks on DNS are either unnecessary in the long run or depend
> on practically no one ever using them.

You are right about dicking around with port numbers and TLS or HTTP
framing. However the "send chain" EDNS option would be a widely useful
operation for validating stubs.

A stub validator could perhaps send DS and DNSKEY queries for all the
truncated versions of the name between the target name and the root,
which it would have to do concurrently to avoid latency pain, but then
it will have to iterate this to deal with CNAME and/or DNAME chains.
The recursor has already done all the work so it would be nice to get
all the results back in one go.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
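
The query fan-out described above for a validating stub that has no "send chain" option, as an added example that is not part of the original message: it lists the DS and DNSKEY queries for every truncated name up to the root and repeats the batch for each alias hop. The names, the alias table, and the model of one alias hop learned per round are constructed assumptions.

```python
# Added illustration. All names and the alias table are constructed.

def ancestors(name):
    """Yield name and each truncated version of it, ending at the root '.'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i in range(len(labels)):
        yield ".".join(labels[i:]).lower() + "."
    yield "."

def chain_queries(name):
    """DS and DNSKEY queries for every truncated name between name and root."""
    queries = []
    for anc in ancestors(name):
        queries.append((anc, "DNSKEY"))
        if anc != ".":  # root has no parent zone, so no DS; it is the trust anchor
            queries.append((anc, "DS"))
    return queries

def plan(target, qtype, aliases):
    """Return one list of concurrent queries per round trip.

    aliases: constructed stand-in for CNAME answers, owner name -> target name.
    Assumption: the stub learns one alias hop from each round's answer.
    """
    rounds, seen, visited = [], set(), set()
    name = target.lower()
    while True:
        if name in visited:
            raise ValueError("alias loop at " + name)
        visited.add(name)
        wanted = dict.fromkeys([(name, qtype)] + chain_queries(name))
        batch = [q for q in wanted if q not in seen]  # skip what is already fetched
        seen.update(batch)
        rounds.append(batch)
        if name not in aliases:
            return rounds
        name = aliases[name].lower()

if __name__ == "__main__":
    demo_aliases = {"www.example.com.": "edge.cdn.example.net."}  # constructed
    for n, batch in enumerate(plan("www.example.com.", "A", demo_aliases), 1):
        print("round", n, "->", len(batch), "concurrent queries")
        for qname, rtype in batch:
            print("   ", rtype.ljust(6), qname)
```
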
