Practically Secure DNS

Document Type: Expired Internet-Draft (individual), expired and archived
Author: Dr. Masataka Ohta
Last updated: 2012-04-26 (latest revision 2011-10-24)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

Plain DNS without PKI is secure if the chain of query/response communications between a client and an authoritative server, relayed by zero or more intermediate resolvers, is secure and the authoritative server and all the resolvers are secure. However, because of the short (16-bit) message ID, the communications composing the chain are not very secure without source port randomization, or even with it (a port exhaustion attack is possible). Still, plain DNS can be made practically secure if the client makes two queries with independent message IDs to an address of a server (a resolver or a name server) and confirms that the two replies are identical.
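The following is an added example, not code from the draft or its author, showing the client-side check the abstract describes: two queries for the same name are sent with independently generated 16-bit message IDs, each reply must echo its own ID, and the answer is accepted only if the two replies agree once the ID field is masked out. The wire-format helpers, the in-memory stand-in servers (one honest, one whose answers alternate, so the check is exercised offline) and the `forgery_probability` function are all assumptions of this example; the probability function models an off-path sender who emits a fixed number of guesses into the ID (and optionally port) space and must match every query, which is the reasoning behind requiring two agreeing replies.

```python
"""Added example: the draft's double-query confirmation for plain DNS."""
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels ("www.example" -> 3www7example0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, msg_id: int) -> bytes:
    """Minimal standard query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def fresh_message_id() -> int:
    """Independent 16-bit ID from the OS CSPRNG (the draft's precondition)."""
    return secrets.randbelow(1 << 16)


def normalise(reply: bytes) -> bytes:
    """Zero the ID so replies to two distinct queries can be compared.
    Assumption: a server answering back-to-back queries returns identical
    TTLs; a caching resolver that counts TTLs down would also need the
    TTL fields masked."""
    return b"\x00\x00" + reply[2:]


def double_query(send, name: str) -> bytes:
    """Send two independently identified queries through `send(wire) -> wire`
    (a hypothetical transport) and return the reply both agree on."""
    replies = []
    for msg_id in (fresh_message_id(), fresh_message_id()):
        reply = send(build_query(name, msg_id))
        (reply_id,) = struct.unpack("!H", reply[:2])
        if reply_id != msg_id:
            raise ValueError("reply ID does not match query ID")
        replies.append(reply)
    if normalise(replies[0]) != normalise(replies[1]):
        raise ValueError("the two replies differ; refusing to accept either")
    return replies[0]


def accepts(send, name: str) -> bool:
    """True if the double-query check would accept the server's answers."""
    try:
        double_query(send, name)
        return True
    except ValueError:
        return False


def forgery_probability(packets: int, id_bits: int = 16, port_bits: int = 0,
                        queries: int = 1) -> float:
    """Chance that `packets` off-path guesses match all `queries` independent
    (ID, port) pairs. Without port randomisation the space is 2^16; with it,
    2^(id_bits + port_bits). Two agreeing replies square the per-query odds."""
    per_query = min(1.0, packets / (1 << (id_bits + port_bits)))
    return per_query ** queries


# --- constructed stand-ins for servers, so the example runs offline ---
def make_honest_server(name: str, address: bytes):
    """Return a send() that echoes the ID and answers with one A record."""
    def send(query: bytes) -> bytes:
        msg_id, question = query[:2], query[12:]
        header = msg_id + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
        # Answer name is a compression pointer to the question at offset 12.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        return header + question + rr + address
    return send


def make_alternating_server(name: str, addr_a: bytes, addr_b: bytes):
    """Return a send() whose answer flips between two addresses per call,
    standing in for a chain where one of two replies was not the server's."""
    backends = (make_honest_server(name, addr_a), make_honest_server(name, addr_b))
    calls = [0]

    def send(query: bytes) -> bytes:
        calls[0] += 1
        return backends[calls[0] % 2](query)
    return send


if __name__ == "__main__":
    honest = make_honest_server("www.example", b"\xc0\x00\x02\x01")
    print("honest accepted:", accepts(honest, "www.example"))
    flip = make_alternating_server("www.example", b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    print("alternating accepted:", accepts(flip, "www.example"))
    print("1 query, 4096 guesses:", forgery_probability(4096))
    print("2 queries, 4096 guesses:", forgery_probability(4096, queries=2))
```

The transport is injected as a function so the same `double_query` can wrap a real UDP socket; the honest stand-in demonstrates acceptance, and the alternating one shows that a single reply inconsistent with its twin causes both to be discarded rather than either being trusted.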


Dr. Masataka Ohta

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)