On Apr 23, 2014, at 6:47 AM, Dan Wing <[email protected]> wrote:

> For discussion.
>
> DNS queries and responses are visible to network elements on the path
> between the DNS client and its server. These queries and responses
> can contain privacy-sensitive information which is valuable to
> protect. An active attacker can send bogus responses causing
> misdirection of the subsequent connection.
>
> To counter passive listening and active attacks, this document
> proposes the use of Datagram Transport Layer Security (DTLS) for DNS,
> to protect against passive listeners and certain active attacks. As
> DNS needs to remain fast, this proposal also discusses mechanisms to
> reduce DTLS round trips and reduce DTLS handshake size. The proposed
> mechanism runs over the default DNS port and can also run over an
> alternate port.
>
> http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls
This proposes to run a binary protocol (DTLS) over port 53. It says "A DNS client or server that does not implement this specification will not respond to the incoming DTLS packets because they don't parse as DNS packets (the DNS Opcode would be 15, which is undefined)."

Has anyone run any tests against currently deployed recursive resolvers and authoritative servers to see what they do when sent the initial DTLS packet?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
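The "Opcode would be 15" claim quoted above can be checked offline by laying a DTLS record header over the DNS header layout. The following is an added example, written for this page and not code from the draft, its authors, or the list: it builds a constructed DTLS ClientHello record (the 13-byte record header plus a zero-filled handshake header, not a valid ClientHello body) for both the DTLS 1.0 and DTLS 1.2 version numbers, then parses the first 12 bytes as a DNS header. The DTLS record starts with content type 22 and the version bytes 0xFE 0xFF or 0xFE 0xFD, so DNS bytes 2-3 (the flags word) become 0xFF00 or 0xFD00, and bits 14-11 of either value are all ones, which is opcode 15. It says nothing about what any deployed server does with such a packet; that is the empirical question asked in the message.

```python
"""Parse the leading bytes of a DTLS record as if they were a DNS header.

Added example; the DTLS record construction is a constructed sample,
not captured traffic and not a complete, valid ClientHello.
"""
import struct
from dataclasses import dataclass

DTLS_1_0 = 0xFEFF  # DTLS 1.0 version field (RFC 4347)
DTLS_1_2 = 0xFEFD  # DTLS 1.2 version field (RFC 6347)
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1


def dtls_client_hello_record(version: int) -> bytes:
    """Constructed DTLS record: type(1) version(2) epoch(2) seq(6) length(2)
    followed by a zero-filled 12-byte handshake header whose msg_type is
    client_hello. The ClientHello body itself is omitted on purpose."""
    handshake_hdr = struct.pack("!B", HANDSHAKE_TYPE_CLIENT_HELLO) + bytes(11)
    record_hdr = (
        struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, version, 0)  # type, version, epoch
        + (0).to_bytes(6, "big")                                 # 48-bit sequence number
        + struct.pack("!H", len(handshake_hdr))                  # fragment length
    )
    return record_hdr + handshake_hdr


@dataclass
class DnsHeader:
    id: int
    qr: int
    opcode: int
    aa: int
    tc: int
    rd: int
    ra: int
    z: int
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_dns_header(data: bytes) -> DnsHeader:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) from data."""
    if len(data) < 12:
        raise ValueError("need at least 12 bytes for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return DnsHeader(
        id=ident,
        qr=(flags >> 15) & 0x1,
        opcode=(flags >> 11) & 0xF,  # four-bit opcode; 0 = QUERY, 15 is unassigned
        aa=(flags >> 10) & 0x1,
        tc=(flags >> 9) & 0x1,
        rd=(flags >> 8) & 0x1,
        ra=(flags >> 7) & 0x1,
        z=(flags >> 4) & 0x7,
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def dns_query_header(ident: int) -> bytes:
    """Constructed ordinary DNS query header: opcode 0, RD set, one question."""
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)


def opcode_seen_by_dns_server(version: int) -> int:
    """Opcode a DNS-only parser would extract from a DTLS record header."""
    return parse_dns_header(dtls_client_hello_record(version)).opcode


if __name__ == "__main__":
    for name, ver in (("DTLS 1.0", DTLS_1_0), ("DTLS 1.2", DTLS_1_2)):
        print(name, parse_dns_header(dtls_client_hello_record(ver)))
    print("plain query", parse_dns_header(dns_query_header(0x1234)))
```

Running it shows the DTLS records decode with QR set and opcode 15 (the ID field is 0x16FE, the content type and high version byte), while the constructed plain query decodes with opcode 0 and RD set. Whether a given resolver silently drops, answers NOTIMP, or does something else with the first case is exactly what a live test against deployed servers would have to measure.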
