In message <[email protected]>, Tony Finch writes:
> Vernon Schryver <[email protected]> wrote:
> > Tony Finch <[email protected]> wrote:
> > > Paul Vixie <[email protected]> wrote:
> > > >
> > > > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > > > was thinking that we'd add "send chain" as an edns option, and then add
> >
> > > I like this plan.
> >
> > All of those DNS tunneling, triggering, alternate port, and other
> > varient protocol schemes for dealing with hotels and public access
> > points attacks on DNS are either unnecessary in the long run or depend
> > on practically no one ever using them.
> 
> You are right about dicking around with port numbers and TLS or HTTP
> framing. However the "send chain" EDNS option would be a widely useful
> operation for validating stubs.
> 
> A stub validator could perhaps send DS and DNSKEY queries for all the
> truncated versions of the name between the target name and the root, which
> it would have to do concurrently to avoid latency pain, but then it will
> have to iterate this to deal with CNAME and/or DNAME chains. The recursor
> has already done all the work so it would be nice to get all the results
> back in one go.
> 
> Tony.

You very soon run into message size limits which is one of the
reasons we don't send DNSKEY as additional data today.

There is no need for this option.  Just open a TCP connection and
send the series of DNSKEY and DS queries required to validate the
answer assuming there is delegation between each label.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
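To make the two proposals concrete, here is an added example (not code from Mark, Tony, or ISC) of what a validating stub would do without a "send chain" option: enumerate the DS and DNSKEY queries needed to validate an answer, assuming a delegation at every label as Mark describes, and pipeline them as length-prefixed messages over a single TCP connection. It also shows Tony's point about CNAME chains: every name in the chain has to be walked, with the shared ancestors deduplicated. The name list, query ordering and the TCP framing helper are this example's own choices; the wire format follows the DNS header, question and EDNS OPT layouts, and the example builds messages only, it does not open a socket.

```python
import struct

TYPE_DS = 43
TYPE_DNSKEY = 48
TYPE_OPT = 41
CLASS_IN = 1
EDNS_DO = 0x8000  # DO bit in the OPT TTL field: ask for RRSIGs


def ancestors(name):
    """Every name from the target up to the root:
    www.example.com. -> [www.example.com., example.com., com., .]"""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels) + 1)]


def validation_queries(targets):
    """Query plan for validating answers for each target name, assuming a
    zone cut at every label: DNSKEY for every name including the root,
    DS for every name below the root. Names shared by several targets
    (a CNAME chain, for example) are queried once. Root first."""
    seen, plan = set(), []
    for target in targets:
        for name in reversed(ancestors(target)):
            for qtype in (TYPE_DNSKEY, TYPE_DS):
                if qtype == TYPE_DS and name == ".":
                    continue  # the root has no parent to hold a DS
                if (name, qtype) not in seen:
                    seen.add((name, qtype))
                    plan.append((name, qtype))
    return plan


def encode_name(name):
    """Uncompressed wire-format name (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, name, qtype, udp_size=4096):
    """One DNS query: header (RD set, one question, one additional),
    the question, and an OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_stream(targets):
    """All queries of the plan framed for pipelining on one TCP connection."""
    return b"".join(
        tcp_frame(build_query(qid, name, qtype))
        for qid, (name, qtype) in enumerate(validation_queries(targets))
    )


def split_tcp_stream(data):
    """Inverse of tcp_stream: cut the byte stream back into messages."""
    msgs, pos = [], 0
    while pos < len(data):
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        msgs.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def decode_question(msg):
    """Return (id, qname, qtype) from a query; questions are never compressed."""
    qid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return qid, ".".join(labels) + ".", qtype


if __name__ == "__main__":
    # Constructed CNAME chain: www.example.com. -> cdn.example.net.
    for name, qtype in validation_queries(["www.example.com.", "cdn.example.net."]):
        print(name, "DNSKEY" if qtype == TYPE_DNSKEY else "DS")
```

For a single three-label name the plan is seven queries; a CNAME into a second TLD adds six more, and only the root DNSKEY is shared. That count, not the per-query size, is what the "send chain" option was meant to collapse into one exchange, and the answers to these queries are what would have to fit in that one response.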
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
