On Fri, Oct 24, 2014 at 1:57 AM, Watson Ladd <[email protected]> wrote:
> I validated DJB's claims about the amplification potential of DNSSEC:
> he gave a dig command, and sure enough, the response is many times
> bigger than the query. The claims about performance are misleadingly
> slow: at the cost of a 48 byte key, performance can be doubled on
> commodity hardware. By contrast, claims that CPU load on DNS servers
> will increase prohibitively with DNSCurve performance have been made
> consistently over 8 years, with no evidence that they have been
> updated or marked to market with increasingly fast CPU speeds.

Regardless of how fast you make ECC, the server has to do a lot more effort than a DoS client sending garbage. The DoS and amplification attacks are the reasons why I believe that whatever mechanism we choose needs to authenticate requests and only respond if the request is 'sufficiently' authentic.

The way that I got to PrivateDNS was that I started with DNSCurve and pulled the key exchange out of the request/response loop so that public key negotiation was a separate one-time operation resulting in a shared secret and a Kerberos-ticket-like identifier. Then rather than roll my own key exchange, I leveraged the existing TLS library as an option.

Separating the key exchange from the packaging protocol means that it is much easier to adapt to different use cases like really constrained devices, etc. I can put the key exchange on a different machine and just install the ticket/secret onto the lightswitch/stepper motor driver/whatever.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
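The reply's central point is that a resolver should cheaply authenticate each request before it spends CPU on an answer, with the key exchange already done out of band so both sides hold a shared secret and a ticket-like identifier. The following is an added illustration of that shape, not PrivateDNS or DNSCurve code; the wire layout (ticket, sequence number, query, truncated HMAC-SHA256 tag), the field sizes and all names are assumptions chosen for the example. Every rejection path costs the server one dictionary lookup or one HMAC, so spoofed or garbage datagrams are dropped without producing a response that could be amplified toward a victim.

```python
"""Authenticate-before-answer sketch (added example, not the project's code).

Assumed wire format of a request datagram:
    ticket (8 bytes) || seq (8-byte big-endian) || query || tag (16 bytes)
where tag = HMAC-SHA256(secret, ticket || seq || query)[:16].
The ticket id and secret are assumed to come from an earlier, separate
key exchange; this file does not implement that exchange.
"""
import hashlib
import hmac
import struct

TICKET_LEN = 8    # opaque ticket identifier (assumed size)
SEQ_LEN = 8       # 64-bit monotonically increasing sequence number (replay defence)
MAC_LEN = 16      # truncated HMAC-SHA256 tag
HEADER_LEN = TICKET_LEN + SEQ_LEN


def _tag(secret: bytes, ticket: bytes, seq: int, query: bytes) -> bytes:
    """Tag covers ticket, sequence number and query so none can be altered."""
    msg = ticket + struct.pack(">Q", seq) + query
    return hmac.new(secret, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_request(ticket: bytes, secret: bytes, seq: int, query: bytes) -> bytes:
    """Client side: assemble ticket || seq || query || tag."""
    if len(ticket) != TICKET_LEN:
        raise ValueError("ticket must be %d bytes" % TICKET_LEN)
    return ticket + struct.pack(">Q", seq) + query + _tag(secret, ticket, seq, query)


class AuthenticatingResolver:
    """Server side: look up the ticket, verify the tag, reject replays, and only
    then release the query to the (comparatively expensive) resolution step."""

    def __init__(self, tickets):
        # ticket id -> shared secret, as left behind by the out-of-band key exchange
        self._secrets = dict(tickets)
        # highest sequence number accepted per ticket; 0 means nothing seen yet
        self._last_seq = {t: 0 for t in tickets}

    def handle(self, datagram: bytes):
        """Return (accepted, reason, query). Nothing is sent back on rejection."""
        if len(datagram) < HEADER_LEN + MAC_LEN:
            return False, "too short", None
        ticket = datagram[:TICKET_LEN]
        secret = self._secrets.get(ticket)
        if secret is None:
            # Unknown ticket: one dict lookup, no crypto, no response.
            return False, "unknown ticket", None
        seq = struct.unpack(">Q", datagram[TICKET_LEN:HEADER_LEN])[0]
        query, tag = datagram[HEADER_LEN:-MAC_LEN], datagram[-MAC_LEN:]
        # Constant-time comparison; one HMAC is the most work a forgery can cost us.
        if not hmac.compare_digest(tag, _tag(secret, ticket, seq, query)):
            return False, "bad tag", None
        if seq <= self._last_seq[ticket]:
            # A captured, valid request replayed later is still refused.
            return False, "replay", None
        self._last_seq[ticket] = seq
        return True, "ok", query


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    ticket, secret = b"TICKET01", bytes(range(32))
    server = AuthenticatingResolver({ticket: secret})
    req = build_request(ticket, secret, 1, b"example.com. IN A")
    print(server.handle(req))                 # accepted
    print(server.handle(req))                 # replay, dropped
    print(server.handle(b"\x00" * len(req)))  # unknown ticket, dropped
```

The sequence number is the only per-client state the server keeps, which is what makes the design fit the "install the ticket/secret onto the lightswitch" case in the reply: the constrained device needs one secret, one counter and one HMAC, and the key exchange that produced them can run elsewhere.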
