On Apr 23, 2014, at 7:26 AM, Paul Hoffman <[email protected]> wrote:
> On Apr 23, 2014, at 6:47 AM, Dan Wing <[email protected]> wrote:
>
>> For discussion.
>>
>> DNS queries and responses are visible to network elements on the path
>> between the DNS client and its server. These queries and responses
>> can contain privacy-sensitive information which is valuable to
>> protect. An active attacker can send bogus responses causing
>> misdirection of the subsequent connection.
>>
>> To counter passive listening and active attacks, this document
>> proposes the use of Datagram Transport Layer Security (DTLS) for DNS,
>> to protect against passive listeners and certain active attacks. As
>> DNS needs to remain fast, this proposal also discusses mechanisms to
>> reduce DTLS round trips and reduce DTLS handshake size. The proposed
>> mechanism runs over the default DNS port and can also run over an
>> alternate port.
>>
>> http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls
>
> This proposes to run a binary protocol (DTLS) over port 53. It says "A DNS
> client or server that does not implement this specification will not respond
> to the incoming DTLS packets because they don't parse as DNS packets (the DNS
> Opcode would be 15, which is undefined)."
>
> Has anyone run any tests against currently deployed recursive resolvers and
> authoritative servers to see what they do when sent the initial DTLS packet?

Paul,

openssl s_client -dtls1 -connect 1.2.3.4:53 -debug

substituting 1.2.3.4 for the server you want to test, and in another window do tcpdump port 53.

-d

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
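The draft's claim that Paul quotes, that a DTLS record handed to a plain DNS server decodes as DNS opcode 15, can be checked offline by parsing a DTLS record header as if it were a DNS header. The following is an added example, not part of the thread or of the draft: the header bytes are constructed, and the set of assigned opcodes is taken from the IANA DNS OpCodes registry.

```python
import struct

# Constructed inputs (not captured traffic): the 13-byte DTLS record header
# that precedes a ClientHello. Content type 0x16 (handshake), record-layer
# version 0xFEFD (DTLS 1.2) or 0xFEFF (DTLS 1.0), epoch 0, 48-bit sequence
# number 0, and a 16-bit fragment length (0x0040 here is a placeholder).
DTLS12_HANDSHAKE_HEADER = bytes.fromhex("16 fefd 0000 000000000000 0040")
DTLS10_HANDSHAKE_HEADER = bytes.fromhex("16 feff 0000 000000000000 0040")
# An ordinary DNS query header for contrast: ID 0x1234, RD set, QDCOUNT 1.
PLAIN_DNS_QUERY_HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QD, AN, NS, AR.
DNS_HEADER = struct.Struct("!HHHHHH")
# Opcodes assigned in the IANA DNS OpCodes registry; 15 is unassigned.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}


def parse_dns_header(pkt: bytes) -> dict:
    """Decode the first 12 bytes of pkt as a DNS header, splitting FLAGS."""
    if len(pkt) < DNS_HEADER.size:
        raise ValueError("too short for a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(pkt)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit operation code
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def plain_dns_server_would_process(pkt: bytes) -> bool:
    """Model of a DTLS-unaware server's first checks: it acts only on
    packets that parse as a query (QR=0) carrying an assigned opcode."""
    try:
        hdr = parse_dns_header(pkt)
    except ValueError:
        return False
    return hdr["qr"] == 0 and hdr["opcode"] in ASSIGNED_OPCODES


if __name__ == "__main__":
    for name, pkt in [("DTLS 1.2 ClientHello", DTLS12_HANDSHAKE_HEADER),
                      ("DTLS 1.0 ClientHello", DTLS10_HANDSHAKE_HEADER),
                      ("plain DNS query", PLAIN_DNS_QUERY_HEADER)]:
        h = parse_dns_header(pkt)
        print(f"{name}: QR={h['qr']} opcode={h['opcode']} "
              f"processed={plain_dns_server_would_process(pkt)}")
```

Because the DTLS version bytes land in the DNS FLAGS word, both DTLS record versions yield QR=1 and opcode 15, which is why a server that only speaks classic DNS has nothing to act on.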
