On Mon, Sep 28, 2015 at 9:53 PM, Mukund Sivaraman wrote:
> Hi Paul
>
> On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote:
> > On Mon, 28 Sep 2015, Paul Vixie wrote:
> >
> > >those things should also be done in the short term.
> > >
> > >but it's the internet. it'll
Hi Paul
On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote:
> On Mon, 28 Sep 2015, Paul Vixie wrote:
>
> >those things should also be done in the short term.
> >
> >but it's the internet. it'll outlive us all. we ought to have a long
> >term plan as well.
>
> It's called DNSSEC.
Zone
Hi Robert
On Mon, Sep 28, 2015 at 02:20:04PM -0400, Robert Edmonds wrote:
> Mukund Sivaraman wrote:
> > Hi Robert
> >
> > On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote:
> > > 16 bits is an awful lot of space for the ALGORITHM field. Compare to
> > > the DNSSEC algorithm number
On Tue, 29 Sep 2015, Mukund Sivaraman wrote:
On the other hand, DNSSEC requires signatures for each RRset bloating messages
Just like TLS is bloating HTTP? :)
Anyway, I'll explain with an example why DNSSEC is not sufficient to
protect against DNS message modifications. Assume a company
Hi Paul
On Tue, Sep 29, 2015 at 01:33:57AM -0400, Paul Wouters wrote:
> On Tue, 29 Sep 2015, Mukund Sivaraman wrote:
>
> >On the other hand, DNSSEC requires signatures for each RRset bloating
> >messages
>
> Just like TLS is bloating HTTP? :)
TLS and HTTP are irrelevant here, no? The bloat by
Mukund Sivaraman wrote:
> Hi Paul
>
> On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote:
>> On Sun, 27 Sep 2015, Mukund Sivaraman wrote:
>>
>>> UDP has a header checksum that can notice message modification when in
>>> use. Sometimes this may be 0 if the sender host did not generate a
On Mon, Sep 28, 2015 at 09:56:38AM -0700, Paul Vixie wrote:
> so i think there's good cause to add a DNS-level checksum even as we add
> DNS-level cookies.
+1
I would prefer to use checksum and cookies in parallel rather than have
the checksum option recapitulate cookie functionality, though.
Robert Edmonds wrote:
> ...
>
> I am also curious why a cryptographic hash function (SHA-1) is needed
> for this. Is a fast non-cryptographic checksum not suitable (e.g.,
> CRC-32C, which can be computed in hardware on x86 CPUs)?
in currently theorized attacks, the udp checksum is fooled by
Hi Robert
On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote:
> 16 bits is an awful lot of space for the ALGORITHM field. Compare to
> the DNSSEC algorithm number field, which is only 8 bits.
Do you suggest changing it to 8 bits too?
Mukund
pgpB1vCaaZvZT.pgp
On 28 Sep 2015, at 11:25, Paul Vixie wrote:
Robert Edmonds wrote:
...
I am also curious why a cryptographic hash function (SHA-1) is needed
for this. Is a fast non-cryptographic checksum not suitable (e.g.,
CRC-32C, which can be computed in hardware on x86 CPUs)?
in currently theorized
On Mon, 28 Sep 2015, Paul Vixie wrote:
those things should also be done in the short term.
but it's the internet. it'll outlive us all. we ought to have a long
term plan as well.
It's called DNSSEC.
Paul
___
DNSOP mailing list
DNSOP@ietf.org
Mukund Sivaraman wrote:
> This is a new draft on DNS message checksums. I look forward to hearing
> review comments.
Hi, Mukund:
16 bits is an awful lot of space for the ALGORITHM field. Compare to
the DNSSEC algorithm number field, which is only 8 bits.
--
Robert Edmonds
Mukund Sivaraman wrote:
> Hi Robert
>
> On Mon, Sep 28, 2015 at 01:30:28PM -0400, Robert Edmonds wrote:
> > 16 bits is an awful lot of space for the ALGORITHM field. Compare to
> > the DNSSEC algorithm number field, which is only 8 bits.
>
> Do you suggest changing it to 8 bits too?
If you
On Sun, 27 Sep 2015, Mukund Sivaraman wrote:
UDP has a header checksum that can notice message modification when in
use. Sometimes this may be 0 if the sender host did not generate a
checksum. This draft adds one in the application layer alongside a nonce
known to the client. Together they are
Hi Paul
On Mon, Sep 28, 2015 at 10:39:04AM -0400, Paul Wouters wrote:
> On Sun, 27 Sep 2015, Mukund Sivaraman wrote:
>
> >UDP has a header checksum that can notice message modification when in
> >use. Sometimes this may be 0 if the sender host did not generate a
> >checksum. This draft adds one
On Sun, Sep 27, 2015 at 12:45:52AM +0530, Mukund Sivaraman wrote:
> > Abstract:
> >This document describes a method for a client to be able to verify
> >that IP-layer PDU fragments of a UDP DNS message have not been
> >spoofed by an off-path attacker.
The NONCE-COPY field seems
Hi Paul
I'm CC'ing this reply to the dnsop@ list as it is relevant info for
others to read too. So I've not quoted your email.
UDP has a header checksum that can notice message modification when in
use. Sometimes this may be 0 if the sender host did not generate a
checksum. This draft adds one
Hi everybody
On Sat, Sep 26, 2015 at 12:10:09PM -0700, internet-dra...@ietf.org wrote:
>
> A new version of I-D, draft-muks-dns-message-checksums-00.txt
> has been successfully submitted by Mukund Sivaraman and posted to the
> IETF repository.
>
> Name: draft-muks-dns-message-checksums
18 matches
Mail list logo