Mukund Sivaraman wrote:
> Hi Paul
>
> On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote:
>> On Sun, 27 Sep 2015, Mukund Sivaraman wrote:
>>
>>> UDP has a header checksum that can notice message modification when in
>>> use. Sometimes this may be 0 if the sender host did not generate a
>>> checksum. This draft adds one in the application layer alongside a nonce
>>> known to the client. Together they are meant to thwart any possibility
>>> of different kinds of off-path cache-poisoning attacks.
>> There is other work happening that accomplishes the same. The DPRIVE
>> work to add TLS and long-lived TCP, the dns cookies, and of course
>> DNSSEC itself. I don't really see the need to add another mechanism to
>> help against non-DNSSEC spoofing attacks.
>
> DNS cookies do not protect against IP fragmentation - they do not check
> the message contents. These same things above can be said for DNS
> cookies too. This draft intends to provide a method without the use of
> additional roundtrips.

no one has ever regretted adding an end-to-end checksum to any system.

many have regretted trusting the lower-level network to deliver things
perfectly.

so i think there's good cause to add a DNS-level checksum even as we add
DNS-level cookies.

for extra credit, make it work on IXFR and AXFR as well (for the whole
session, not just per-message.)

-- 
Paul Vixie

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
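To make concrete the point in Mukund's summary above (a checksum alone does not help; a checksum bound to a nonce the client chose does), here is an added Python model that is not code from the draft or from anyone in this thread. The minimal wire format, the checksum carried as a 32-byte trailer, and HMAC-SHA256 as the keyed checksum are assumptions made for the illustration, not the draft's design.

```python
"""Model: DNS response integrity check keyed with a client-chosen nonce."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # assumption: checksum is a 32-byte trailer on the message


def build_response(txid, name, addr):
    """Constructed minimal DNS response: header, one question, one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = qname + struct.pack("!HH", 1, 1)                  # type A, class IN
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def checksum(msg, nonce=b""):
    """Empty nonce: a plain digest anyone can recompute. Otherwise keyed."""
    return hmac.new(nonce, msg, hashlib.sha256).digest() if nonce else hashlib.sha256(msg).digest()


def seal(msg, nonce=b""):
    return msg + checksum(msg, nonce)


def verify(sealed, nonce=b""):
    msg, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    return hmac.compare_digest(checksum(msg, nonce), tag)


def tamper(sealed, new_addr, attacker_nonce=b""):
    """Models a rewrite of the answer's RDATA (e.g. a substituted trailing
    fragment); the checksum is recomputed with whatever nonce the rewriter
    knows, which for an off-path party is none."""
    msg = sealed[:-TAG_LEN]
    msg = msg[:-4] + bytes(int(o) for o in new_addr.split("."))
    return seal(msg, attacker_nonce)


def demo(nonce=None):
    """Returns which checks hold: unkeyed forgeries pass, keyed ones are caught."""
    nonce = nonce or os.urandom(16)                # client-chosen, sent in the query
    good = build_response(0x1234, "example.com", "192.0.2.1")
    return {
        "good_keyed_ok": verify(seal(good, nonce), nonce),
        "unkeyed_forgery_passes": verify(tamper(seal(good), "203.0.113.9")),
        "keyed_forgery_fails": not verify(tamper(seal(good, nonce), "203.0.113.9"), nonce),
    }
```

The same keyed construction extends naturally to a whole IXFR/AXFR session by running the keyed digest over the concatenated messages rather than each one separately.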
