On 28/04/2017 08:42, Daniel Kahn Gillmor wrote:
> But does the non-predictability requirement hold in stream-based DNS,
> where the establishment of the stream itself provides at least as good
> protection against spoofed responses? If it holds in cleartext
> stream-based DNS, does it also hold for encrypted, streamed DNS, where
> the channel itself provides significantly *better* protection against
> spoofed responses.

What if the stream is being unwrapped before it reaches the eventual destination, e.g. a hypothetical TLS endpoint that forwards the received queries over UDP? Whose responsibility is it to make sure those forwarded queries can't be spoofed?

It's a stretch, I know, but the point is to make us consider how removing security features might have unintended consequences upstream.

Ray

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
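The forwarder Ray sketches, as an added example that is not part of the thread: a hypothetical TLS-terminating endpoint that re-sends client queries over UDP, and therefore has to own message-ID unpredictability (one of the RFC 5452 anti-forgery measures) on the UDP leg itself, even though the stream leg did not need it. `StreamToUdpForwarder`, `build_query` and the sample query are constructed for this example; source-port randomisation is left to the UDP socket and not modelled.

```python
import secrets
import struct

def build_query(name: str, qtype: int, msg_id: int) -> bytes:
    """Build a minimal single-question DNS query (constructed sample input, RD=1)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg: bytes) -> bytes:
    """Return the raw question section (QNAME+QTYPE+QCLASS) of a one-question message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("need a DNS message with exactly one question")
    pos = 12
    while pos < len(msg) and msg[pos] != 0:   # walk the labels of QNAME
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    end = pos + 1 + 4                          # zero label + QTYPE + QCLASS
    if end > len(msg):
        raise ValueError("truncated question section")
    return msg[12:end]

class StreamToUdpForwarder:
    """Hypothetical TLS-terminating forwarder: the UDP leg is spoofable, so it
    assigns a fresh random ID per query and only accepts replies it is waiting for."""
    def __init__(self):
        self.pending = {}  # fresh UDP ID -> (ID the stream client used, question)

    def forward(self, stream_query: bytes) -> bytes:
        question = parse_question(stream_query)
        client_id = struct.unpack("!H", stream_query[:2])[0]
        fresh_id = secrets.randbelow(65536)
        while fresh_id in self.pending:        # never reuse an outstanding ID
            fresh_id = secrets.randbelow(65536)
        self.pending[fresh_id] = (client_id, question)
        return struct.pack("!H", fresh_id) + stream_query[2:]

    def accept(self, udp_response: bytes):
        """Response re-addressed to the client, or None if unsolicited/malformed."""
        try:
            resp_id = struct.unpack("!H", udp_response[:2])[0]
            question = parse_question(udp_response)
        except (struct.error, ValueError):
            return None
        entry = self.pending.get(resp_id)
        if entry is None or question != entry[1]:
            return None                        # guessed ID or mismatched question
        del self.pending[resp_id]              # one answer per outstanding query
        return struct.pack("!H", entry[0]) + udp_response[2:]
```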
