On Apr 23, 2014, at 8:42 AM, Dan Wing <[email protected]> wrote:

> On Apr 23, 2014, at 7:26 AM, Paul Hoffman <[email protected]> wrote:
>
>> On Apr 23, 2014, at 6:47 AM, Dan Wing <[email protected]> wrote:
>>
>>> For discussion.
>>>
>>> DNS queries and responses are visible to network elements on the path
>>> between the DNS client and its server. These queries and responses
>>> can contain privacy-sensitive information which is valuable to
>>> protect. An active attacker can send bogus responses causing
>>> misdirection of the subsequent connection.
>>>
>>> To counter passive listening and active attacks, this document
>>> proposes the use of Datagram Transport Layer Security (DTLS) for DNS,
>>> to protect against passive listeners and certain active attacks. As
>>> DNS needs to remain fast, this proposal also discusses mechanisms to
>>> reduce DTLS round trips and reduce DTLS handshake size. The proposed
>>> mechanism runs over the default DNS port and can also run over an
>>> alternate port.
>>>
>>> http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls
>>
>> This proposes to run a binary protocol (DTLS) over port 53. It says "A DNS
>> client or server that does not implement this specification will not respond
>> to the incoming DTLS packets because they don't parse as DNS packets (the
>> DNS Opcode would be 15, which is undefined)."
>>
>> Has anyone run any tests against currently deployed recursive resolvers and
>> authoritative servers to see what they do when sent the initial DTLS packet?
>
> Paul,
> openssl s_client -dtls1 -connect 1.2.3.4:53 -debug
> substituting 1.2.3.4 for the server you want to test, and in another window
> do tcpdump port 53.

Sure. What were the results of your testing?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
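A worked check of the draft's quoted claim that a DTLS packet does not parse as a DNS packet (an added example, not code from the draft or from anyone in this thread): the DTLS record header's version bytes land in the DNS flags field, so the opcode reads as 15 for both DTLS 1.0 and 1.2. The version constants 0xFEFF and 0xFEFD are the record-layer versions from RFC 4347 and RFC 6347; the sample packets are constructed here, not captured.

```python
import struct

# Opcode the draft says a DNS-only endpoint sees when handed a DTLS record.
DTLS_AS_DNS_OPCODE = 15

# DTLS record-layer version numbers (RFC 4347 / RFC 6347): DTLS 1.0 and 1.2.
DTLS_1_0 = 0xFEFF
DTLS_1_2 = 0xFEFD
CONTENT_TYPE_HANDSHAKE = 22  # the record type that carries a ClientHello

def parse_dns_header(datagram: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(datagram) < 12:
        raise ValueError("datagram shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", datagram[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 0x1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 0x1,
        "tc": (flags >> 9) & 0x1,
        "rd": (flags >> 8) & 0x1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def dtls_record_header(version: int, epoch: int = 0, seq: int = 0,
                       length: int = 0) -> bytes:
    """Build the 13-byte DTLS record header (RFC 6347, section 4.1):
    content type, version, epoch, 48-bit sequence number, fragment length."""
    return (struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, version, epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", length))

def dns_server_would_reject(datagram: bytes) -> bool:
    """Mirror the draft's argument: a DTLS record read as DNS carries the
    undefined opcode 15, so an unaware server has nothing valid to answer."""
    return parse_dns_header(datagram)["opcode"] == DTLS_AS_DNS_OPCODE

# Constructed samples: a DTLS 1.0 and a DTLS 1.2 ClientHello record header,
# and an ordinary DNS query header (ID 0x1234, RD set, one question).
DTLS10_CLIENT_HELLO = dtls_record_header(DTLS_1_0, length=0x80)
DTLS12_CLIENT_HELLO = dtls_record_header(DTLS_1_2, length=0x80)
PLAIN_DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

if __name__ == "__main__":
    for pkt in (DTLS10_CLIENT_HELLO, DTLS12_CLIENT_HELLO, PLAIN_DNS_QUERY):
        print(parse_dns_header(pkt)["opcode"], dns_server_would_reject(pkt))
```

The check only shows why a DNS-only server should ignore the first DTLS flight; what deployed resolvers actually do with such a packet is the open question in the thread.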
