On Oct 3, 2012, at 6:38 AM, Vernon Schryver <[email protected]> wrote:
>> From: Tony Finch <[email protected]>
>> To: Paul Vixie <[email protected]>
>
>> Paul Vixie <[email protected]> wrote:
>>>
>>> in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i was thinking that we'd add "send chain" as an edns option, and then add
>
>> I like this plan.
>
> All of those DNS tunneling, triggering, alternate port, and other variant protocol schemes for dealing with hotels and public access points attacks on DNS are either unnecessary in the long run or depend on practically no one ever using them. They are like the ad hoc schemes subscribers to this mailing list use to tunnel other protocols home.
>
> Any popular scheme that works around DNS, HTTP, ssh, etc. man-in-the-middle attacks that become popular will be blocked, proxied, or hijacked unless most users normally use tools that detect and refuse to work with men in the middle.
>
> If the browsers and stub DNS servers of most users did DNSSEC, DANE, and HSTS, then any men in the middle will be obvious and won't be installed except for purposes that users tolerate including access point login, employment behind corporate firewalls, and living under authoritative regimes. In addition, those tunneling schemes will be unnecessary.
>
> To put it another way, if HTTP replaced IP as the Internet protocol without any real improvements in end to end security, then the censors and hijackers would apply their tools to HTTP.

I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.
--Paul Hoffman
