I agree that DTLS does not solve any problems for DNS. The basic
problem is that DTLS is still based around the notion of a session
where the server stores per connection state. So you might as well use
TLS for this application.

But TLS is not the only option available. Or rather using TLS to
secure DNS is not the only option possible. If we use TLS to do a
Kerberos-like key exchange, we can generate a shared secret and a
ticket which can then be used to secure all future communications
without changing from UDP.

We can't run over port 53 (trust me, I tried). But we can nominate the
ports to use in the key exchange setup.

The resulting protocol works in about 93-98% of network situations
(depending on how you measure). So you still need a Web Service
backup. But it does work pretty well.

On Wed, Apr 23, 2014 at 2:41 PM, Paul Vixie <p...@redbarn.org> wrote:
> for reasons well-spoken up-thread, if we're going to add a dns
> transport, i'd like it to be RFC 6013 style TCP (in which session
> context can be compressed and retained after FIN for full-window-size
> restart, and which permits the query to be bundled into the SYN packet),
> or at a minimum, SCTP.
>
> DTLS does not solve any of the problems described at
> <https://queue.acm.org/detail.cfm?id=2578510>.
>
> vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Website: http://hallambaker.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
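Added illustration, not code from this thread or from any draft the author refers to: a minimal sketch of the "shared secret plus ticket" pattern the message above describes, in Go. The assumptions are mine: a TLS-protected key exchange (not shown) has already handed the client a fresh session key and an opaque ticket; the ticket is that session key and an expiry time encrypted under a server-only ticket-encryption key (TEK), so the server keeps no per-client state and each UDP datagram carries everything the server needs to recover the key. Function names (`IssueTicket`, `SealQuery`, `OpenQuery`, `SealReply`, `OpenReply`) and the wire layout are hypothetical. Replay detection is not shown; a stateless server cannot distinguish a replayed datagram without something like a sealed timestamp or a small recent-nonce cache, and the message does not say how that was handled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Hypothetical example: the server holds only a long-lived TEK; the client
// holds a session key and an opaque ticket issued after a TLS key exchange.
const keyLen = 32 // AES-256 key length for the TEK and for session keys

var ErrRejected = errors.New("datagram rejected")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce || AES-GCM(key, nonce, plaintext, aad).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	out := append([]byte(nil), nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// open reverses seal; any parse or authentication failure is one opaque error.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, ErrRejected
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], aad)
	if err != nil {
		return nil, ErrRejected
	}
	return pt, nil
}

// IssueTicket is the output of the (assumed, TLS-protected) key-exchange step:
// a fresh session key plus a ticket = seal(TEK, sessionKey || expiryUnix).
func IssueTicket(tek []byte, expiry time.Time) (sessionKey, ticket []byte, err error) {
	sessionKey = randomBytes(keyLen)
	body := make([]byte, keyLen+8)
	copy(body, sessionKey)
	binary.BigEndian.PutUint64(body[keyLen:], uint64(expiry.Unix()))
	ticket, err = seal(tek, body, []byte("ticket"))
	return sessionKey, ticket, err
}

// SealQuery builds a client datagram: ticketLen(2) || ticket || seal(sessionKey, query, aad=ticket).
// Using the ticket as AAD binds the encrypted query to the ticket it travels with.
func SealQuery(sessionKey, ticket, query []byte) ([]byte, error) {
	blob, err := seal(sessionKey, query, ticket)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(ticket)+len(blob))
	binary.BigEndian.PutUint16(out, uint16(len(ticket)))
	out = append(out, ticket...)
	return append(out, blob...), nil
}

// OpenQuery is the stateless server side: recover the session key from the
// ticket with the TEK alone, check expiry, then authenticate and decrypt the query.
func OpenQuery(tek, datagram []byte, now time.Time) (sessionKey, query []byte, err error) {
	if len(datagram) < 2 {
		return nil, nil, ErrRejected
	}
	tl := int(binary.BigEndian.Uint16(datagram))
	if len(datagram) < 2+tl {
		return nil, nil, ErrRejected
	}
	ticket, rest := datagram[2:2+tl], datagram[2+tl:]
	body, err := open(tek, ticket, []byte("ticket"))
	if err != nil || len(body) != keyLen+8 {
		return nil, nil, ErrRejected
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(body[keyLen:])), 0)
	if !now.Before(expiry) {
		return nil, nil, ErrRejected // expired ticket: client must re-run the key exchange
	}
	sessionKey = body[:keyLen]
	query, err = open(sessionKey, rest, ticket)
	return sessionKey, query, err
}

// SealReply / OpenReply protect the answer with the same session key; the
// reply needs no ticket because the client still holds the key.
func SealReply(sessionKey, reply []byte) ([]byte, error) { return seal(sessionKey, reply, []byte("reply")) }
func OpenReply(sessionKey, blob []byte) ([]byte, error) { return open(sessionKey, blob, []byte("reply")) }

func main() {
	tek := randomBytes(keyLen) // server-only key; constructed for the demo
	sk, ticket, _ := IssueTicket(tek, time.Now().Add(time.Hour))
	dg, _ := SealQuery(sk, ticket, []byte("example.com. IN A")) // constructed query
	_, q, err := OpenQuery(tek, dg, time.Now())
	fmt.Printf("server saw %q, err=%v\n", q, err)
}
```

The point to take from the sketch is the division of state: the server's only secret is the TEK, so it can answer any datagram that carries a valid ticket with no prior memory of the client, which is exactly what a DTLS session would have required it to keep.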