On Wed, 25 Mar 2015, Nico Williams wrote:
On Wed, Mar 25, 2015 at 02:34:01PM -0400, Paul Wouters wrote:
If the lookup service is on port X, and the attacker blocks port X, you
do not know whether there is a service interruption or an active attack.
How is that different from the attacker blocking DNS?
We have a security policy for "indeterminate" and "bogus". That is, we
know we are under attack. Having a TCP connection just "not work" does
not have that property.
Additionally, DNSSEC as a transport has a much better penetration rate
than a new auxiliary protocol on a new unknown port.
Additionally, an SMTP extension using port 25 is out because many ISP's
do not allow you to connect to port 25 on the internet and force you to
go through their port 25 instead.
Paul
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
