Practically Secure DNS
draft-ohta-practically-secure-dns-00
Document type: Expired Internet-Draft (individual), expired and archived
Author: Dr. Masataka Ohta
Last updated: 2012-04-26 (latest revision 2011-10-24)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
This Internet-Draft is no longer active.
Abstract
Plain DNS without a PKI is secure if the chain of query/response exchanges between a client and an authoritative server, relayed by zero or more intermediate resolvers, is secure and the authoritative server and all the resolvers are themselves secure. However, because of the short (16-bit) message ID, the exchanges composing the chain are not very secure without source port randomization, or even with it (a port exhaustion attack is possible). Still, plain DNS can be made practically secure if the client makes two queries with independent message IDs to the address of a server (a resolver or a name server) and confirms that the two replies are identical.
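The double-query check described in the abstract, as an added illustration that is not part of the draft: a Python model of a client that issues two queries with independent random 16-bit IDs over a minimal RFC 1035 header, discards any reply whose ID does not match, and accepts an answer only when both replies agree. The wire bytes, the honest server and the two forger transports are constructed for the demonstration; the probability helper assumes the message ID is the only unpredictable field, as when ports are not randomized or have been exhausted.

```python
import os
import struct
# Minimal DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000

def build_query(msg_id, question):
    # the question section is carried as opaque bytes; only the header is checked
    return HEADER.pack(msg_id, 0x0100, 1, 0, 0, 0) + question

def make_reply(msg_id, question, rdata):
    # constructed reply: QR/RD/RA set, question echoed, one opaque answer record
    return HEADER.pack(msg_id, 0x8180, 1, 1, 0, 0) + question + rdata

def resolve_twice(question, transport):
    # two queries with independent IDs; accept only if both replies match their ID and agree
    bodies = []
    for _ in range(2):
        msg_id = struct.unpack("!H", os.urandom(2))[0]
        reply = transport(build_query(msg_id, question))
        rid, flags, *_ = HEADER.unpack_from(reply)
        if rid != msg_id or not flags & QR_BIT:
            return None            # ID mismatch: discard as spoofed or stale
        bodies.append(reply[HEADER.size + len(question):])
    return bodies[0] if bodies[0] == bodies[1] else None  # replies disagree: reject

def forge_acceptance_probability(forged_per_query, n_queries=2):
    # chance that a blind forger's guesses pass when only the 16-bit ID is unpredictable
    per_query = min(forged_per_query / 65536, 1.0)
    return per_query ** n_queries

QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"  # constructed: example.com A IN
GOOD = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # 192.0.2.1
BAD = GOOD[:-4] + b"\xc0\x00\x02\x02"                  # forged answer: 192.0.2.2

def honest_server(query):
    msg_id = HEADER.unpack_from(query)[0]
    return make_reply(msg_id, QUESTION, GOOD)

def blind_forger(query):
    # off-path: cannot see the real ID, so its guess is modelled as always wrong
    msg_id = HEADER.unpack_from(query)[0] ^ 1
    return make_reply(msg_id, QUESTION, BAD)

def lucky_once_forger():
    # forger that hits the first query's ID only; the honest server answers the second
    answers = iter([BAD, GOOD])
    def transport(query):
        msg_id = HEADER.unpack_from(query)[0]
        return make_reply(msg_id, QUESTION, next(answers))
    return transport
```

A single correctly guessed ID is no longer enough: the mismatch between the two answer sections causes the client to reject the forged record.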
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)