On 1/18/2012 7:06 PM, W.C.A. Wijngaards wrote:
> > this sounds very cool; is there an internet draft or tech note
> > describing the protocol so that others may also implement this?
>
> It exists to bypass deep inspection firewalls, and it works. The plain
> DNS format as you would use over TCP, but then on an SSL connection, so
> it's encrypted by SSLv3. Uses port number 443 (the https port, no other
> use of that protocol, but then, because of SSL the firewall should not
> be able to tell).
alas, DPI can tell the difference between HTTPS and TLS in a TCP/443
stream. (the Tor guys told me this.)

> The SSL-certificates are there to make the SSL connection look legit to
> the firewall. The DNSSEC inside the DNS wireformat provides
> authentication.
>
> There could be a technote or draft for it, but really: TCP-style-DNS
> inside SSL for transport. That should tell enough for an implementation?

it's not enough. in particular, the order in which it's probed (compared
to EDNS0 UDP, EDNS0 TCP, old style UDP, old style TCP) should be
specified. the NS RRset gives no hint of the name server's capabilities.
and the IETF definition of "interoperable" depends not just on independent
implementations being able to talk to each other, but independent
implementations both based on the same specification that can also talk
to each other.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
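The transport the thread describes is plain RFC 1035 wire-format DNS with the TCP framing (a two-byte length prefix), carried inside a TLS session to port 443. The following is an added example of that framing and of the client side of the exchange; it is not code from the thread, from Unbound, or from any other project. The server name, the port, the query name and the response bytes used for the offline check are assumptions or constructed for the example.

```python
"""DNS in RFC 1035 TCP framing, carried inside TLS on port 443.

Added example; not code from the thread, Unbound or any other project.
The server name, port and query name below are assumptions.
"""
import io
import socket
import ssl
import struct
from typing import Callable, List

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234,
                edns: bool = True) -> bytes:
    """Build a DNS query in RFC 1035 wire format, with an EDNS0 OPT RR by default.

    These are the same bytes a resolver would send over UDP or TCP; only the
    transport framing (frame_tcp) differs."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".") if lbl]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2 framing: two-byte big-endian length, then the message."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def _read_exact(recv: Callable[[int], bytes], n: int) -> bytes:
    """Read exactly n bytes from a recv-style callable; raise if the stream ends early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise EOFError("stream closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_framed(recv: Callable[[int], bytes]) -> bytes:
    """Read one length-prefixed DNS message from a stream (TLS socket or buffer)."""
    (length,) = struct.unpack("!H", _read_exact(recv, 2))
    return _read_exact(recv, length)


def unframe_all(stream: bytes) -> List[bytes]:
    """Split a byte stream (constructed here, or decrypted from a session) into messages."""
    reader = io.BytesIO(stream)
    msgs = []
    while reader.tell() < len(stream):
        msgs.append(read_framed(reader.read))
    return msgs


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def check_response(query: bytes, response: bytes) -> dict:
    """Match a response to its query: ID must agree, QR must be set, and on a
    stream transport TC must never be set (treat it as a protocol error)."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        raise ValueError("transaction ID mismatch")
    if not r["qr"]:
        raise ValueError("not a response")
    if r["tc"]:
        raise ValueError("TC bit set on a stream transport")
    return r


def query_over_tls(server: str, qname: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send one framed query inside TLS and return the raw response message.

    The endpoint is an assumption and this is not exercised offline. TLS only
    hides the bytes in transit; the answer's authenticity still rests on DNSSEC."""
    ctx = ssl.create_default_context()  # verifies the server certificate against system CAs
    query = build_query(qname)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(query))
            response = read_framed(tls.recv)
    check_response(query, response)
    return response
```

The offline path (`frame_tcp`, `unframe_all`, `check_response`) works on constructed bytes; `query_over_tls` is the same framing pushed through `ssl.wrap_socket`, and carries no HTTP, so nothing in this example tries to make the session look like HTTPS beyond the port number. It also does nothing about the probe order the reply asks for: a client still has to decide, out of band, when to try this transport relative to EDNS0 UDP, EDNS0 TCP and the older forms.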
