> It isn't quite that easy - TLS is a TCP protocol, so moving
> to it would
> prohibit the use of UDP in DNS. There isn't (yet) a UDP equivalent.

Transport Layer Security in a datagram protocol...

It would not take much to add TLS-like functionality, though: just add a key
exchange to the protocol, then use TSIG for authentication. If you need
confidentiality, add an AES encryption envelope; just make sure you leave
enough useful information on the envelope.

It could be run over UDP without problems. The main challenge would be
avoiding DoS attacks - although that can be mitigated by simply allowing use
of stale key material if the key server is unavailable.


