
Re: Practical issues deploying DNSSEC into the home.

2013-09-10 16:14:19
I faced this problem in Omnibroker.

One answer is that DNS is an infrastructure for resolving Internet labels
to Internet resources including IP addresses. It is thus the only Internet
infrastructure where infrastructure providers may reasonably be expected to
maintain long term IP addresses by nature of their function.


So in Omnibroker, the idea is that it is a protocol to replace the
communication between a client and a recursive resolver. This allows the
addition of security features that are essential in the client-resolver
loop that the DNS protocol does not provide and it is pointless to attempt
to add.

For example, mutual authentication. If the DNS resolver is going to do
recursive resolution and DNSSEC validation then it had better validate the
clients from which it accepts queries or it will get DoS attacked very
quickly.

To support the mutual auth between the omnibroker client and service I
establish a context that consists of a set of services which each specify
an IP address, port and shared secret.

This means that it is very easy to support an authenticated 'time check'
protocol. For cryptographic purposes we don't particularly care about the
clocks being synchronized to better than a minute.