On Sun, 27 Sep 2015, Mukund Sivaraman wrote:
> UDP has a header checksum that can notice message modification when in use. Sometimes this may be 0 if the sender host did not generate a checksum. This draft adds one in the application layer alongside a nonce known to the client. Together they are meant to thwart any possibility of different kinds of off-path cache-poisoning attacks.
There is other work happening that accomplishes the same. The DPRIVE work to add TLS and long-lived TCP, the DNS cookies, and of course DNSSEC itself. I don't really see the need to add another mechanism to help against non-DNSSEC spoofing attacks.
> There are practical issues with TCP which are still currently prevalent: 1. The 3-way handshake doubles the number of roundtrips necessary before an answer is received.
But with clarifications like edns-tcp-keepalive, we are hoping that clients can keep TCP connections to resolvers open for much longer, so that TCP does not really have more overhead than UDP. This draft also does nothing for on-path attackers.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
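As an added example (not code from this thread, from the draft under discussion, or from any DNS implementation), the following Python models the UDP/IPv4 checksum that the quoted message refers to and runs it over three constructed cases: a response corrupted in transit, a response forged by an off-path attacker who simply recomputes the checksum, and a sender that left the checksum field at zero. The IP addresses, ports and the DNS message bytes are constructed sample data, and `AUTH_SERVER`, `RESOLVER`, `dns_a_response` and `demo` are names chosen here for illustration.

```python
"""UDP checksum (RFC 768) over IPv4: what it catches and what it does not.

Added example; the addresses and DNS message below are constructed sample data.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))  # zero, proto 17 (UDP), UDP length
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF   # a computed 0 is transmitted as all-ones so that 0 on the wire means "no checksum"


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True) -> bytes:
    """Assemble a UDP segment; with_checksum=False leaves the field 0, which IPv4 permits."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    segment = header + payload
    if with_checksum:
        segment = segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]
    return segment


def verify_udp(src_ip, dst_ip, segment) -> str:
    """'ok' if the checksum matches, 'bad' if not, 'absent' if the sender set it to zero."""
    sent = struct.unpack("!H", segment[6:8])[0]
    if sent == 0:
        return "absent"
    return "ok" if udp_checksum(src_ip, dst_ip, segment) == sent else "bad"


def whole_sum_is_all_ones(src_ip, dst_ip, segment) -> bool:
    """Receiver-side shortcut: summing pseudo-header + segment (checksum included) must give 0xFFFF."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def dns_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Minimal DNS response with one question and one A record (constructed sample data)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


AUTH_SERVER = bytes([192, 0, 2, 53])   # constructed: the server the resolver queried (spoofed by the attacker)
RESOLVER = bytes([192, 0, 2, 1])       # constructed: the querying resolver


def demo() -> dict:
    """Verify the three cases discussed in the thread; returns verify_udp() results keyed by case."""
    good = dns_a_response(0x1234, "example.com", "198.51.100.10")
    legit = build_udp(AUTH_SERVER, RESOLVER, 53, 40000, good)
    # Bit flip in transit: first byte of the question name changes, checksum field untouched
    corrupted = legit[:20] + bytes([legit[20] ^ 0x01]) + legit[21:]
    # Off-path spoofer: forges the server's source address and its own answer, then recomputes the checksum
    forged = build_udp(AUTH_SERVER, RESOLVER, 53, 40000, dns_a_response(0x1234, "example.com", "203.0.113.66"))
    # Sender that did not compute a checksum at all: there is nothing for the receiver to verify
    unchecked = build_udp(AUTH_SERVER, RESOLVER, 53, 40000, good, with_checksum=False)
    return {
        "legit": verify_udp(AUTH_SERVER, RESOLVER, legit),
        "corrupted": verify_udp(AUTH_SERVER, RESOLVER, corrupted),
        "forged": verify_udp(AUTH_SERVER, RESOLVER, forged),
        "unchecked": verify_udp(AUTH_SERVER, RESOLVER, unchecked),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The corrupted datagram is rejected, but the forged one verifies exactly like the genuine one, because anyone able to send the packet can also compute its checksum; the checksum is keyed to nothing the attacker lacks. That is why the checksum has no bearing on off-path spoofing, and why the rest of the exchange turns to mechanisms that do bind a response to something the attacker cannot know or reach: a client-held nonce, DNS cookies, a TCP or TLS connection, or DNSSEC signatures.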