On Wed, Apr 15, 2015 at 09:08:44AM -0400, Warren Kumari war...@kumari.net wrote a message of 35 lines which said:
3) TLS for DNS: Initiation and Performance Considerations:
http://datatracker.ietf.org/doc/draft-hzhwm-dprive-start-tls-for-dns/
I think it should be adopted because:
* It
One issue brought up by Phillip Hallam-Baker during the Dallas meeting was
anycast. With any approach encrypting the query, the server needs the
cryptographic context to decrypt the query. Transferring that cryptographic
context from the other anycasted server is difficult at scale, so
I didn’t mention this before but since you ask…
I wrote a DNS server from scratch as a DNS Hybrid Proxy (DNS-SD). It was UDP
only. I wanted to add TLS support so I first added TCP on the Thursday of IETF
in about 7 hours (no meetings I was interested in). Then I added TLS support on
top of TCP
I agree that DNSCurve is the best solution. Many of the proponents of
a TLS-based solution haven't adequately considered how this affects
anycast, DoS resistance, etc. Confidential-DNS can only be fixed by
essentially becoming DNSCurve.
It's clear that deployed, working solutions need to be
On Wed, Apr 22, 2015 at 10:15 AM, Dan Wing dw...@cisco.com wrote:
During the DPRIVE meeting in Dallas, several questions came up about UDP
versus TCP. We had previously submitted a DNS over DTLS document which
predated DPRIVE. We re-submitted the document with a few edits and a
filename