On 7/30/2010 9:02 AM, Lindqvist Kurt Erik wrote:
>
> On 28 jul 2010, at 07.50, Mikael Abrahamsson wrote:
>
>> On Wed, 28 Jul 2010, Yaakov Stein wrote:
>>
>>> Yes, the symmetric key stuff is now done in hardware
>>> but the public key part for authentication is still done in software.
>>> And due to interactions between the software and hardware,
>>> requesting authentications can slow down other existing timing flows.
>>
>> What about just signing it the way it's done in DNSSEC, i.e. you have
>> a certificate/key and each packet is signed before being sent out?
>
> Many (all) DNSSEC responses are TCP or hand-shake.

<DNS Hat>
That is absolutely untrue. DNSSEC uses UDP and EDNS0 and only falls back to TCP if it cannot fit the responses in the packet size. EDNS0 signals what packet size to use. See the RFC403x RFCs.

> You really don't want to authenticate clients at the server as that is an
> easy way to construct a DDoS attack,

Agreed.

> just as you can with NSEC3 for DNSSEC.

No, that is not possible. NSEC3 is about (non)existence proofs of a RR in a zone, and is just used in a response to a request.
</DNS hat>

The other way (which I think we in Paris also agreed was the most common use case), having a client authenticate a server, is different though and can be made to scale (I think that is what you are suggesting above).

Yes.

Danny

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
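The mechanism Danny describes (a DNSSEC query carries an EDNS0 OPT pseudo-RR whose CLASS field advertises the UDP payload size the client can accept, and the client moves to TCP only when the response comes back with the TC bit set) can be shown end to end with a few lines of wire-format handling. The following is an added illustration, not code from the thread or from any IETF implementation. It builds a DNSKEY query with an OPT record, reads back the advertised size, and applies the truncation check to a constructed response; the hand-written header/OPT encoding and the `make_response` stub are assumptions made for the example, not a real resolver.

```python
import struct

DNS_TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type (RFC 6891, formerly RFC 2671)
DNS_TYPE_DNSKEY = 48     # DNSKEY RRtype; typical DNSSEC answer that exceeds 512 bytes
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags word
EDNS_DO_FLAG = 0x8000    # DNSSEC OK bit, carried in the OPT TTL field


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int, udp_payload_size: int,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Build a query whose additional section carries one EDNS0 OPT RR advertising udp_payload_size."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)   # IN class
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    ttl_field = EDNS_DO_FLAG if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, ttl_field, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & TC_FLAG),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(msg: bytes) -> int:
    """Return the UDP payload size from the OPT RR, or 512 (RFC 1035 default) if the message has none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                        # OPT reuses CLASS as the payload size
        off += 10 + rdlen
    return 512


def needs_tcp_fallback(response: bytes) -> bool:
    """A client retries over TCP only when the server set TC because the reply did not fit."""
    return parse_header(response)["tc"]


def make_response(query: bytes, truncated: bool) -> bytes:
    """Constructed stand-in for a server reply: echoes the question, sets QR/RD/RA and optionally TC."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8180 | (TC_FLAG if truncated else 0)
    question_end = _skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 0) + query[12:question_end]


if __name__ == "__main__":
    q = build_query("example.com.", DNS_TYPE_DNSKEY, 4096)
    print("advertised UDP size:", advertised_udp_size(q))
    for trunc in (False, True):
        r = make_response(q, truncated=trunc)
        print("TC set:", trunc, "-> fall back to TCP:", needs_tcp_fallback(r))
```

The point the code makes explicit is the asymmetry in the thread: a server answering over UDP does no per-client handshake and simply sizes its reply to what the OPT record advertises, so a large DNSKEY or NSEC3-bearing answer still travels in a single datagram when the client allows it, and TCP is the exception rather than the rule.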
