Status of opportunistic encryption

Thomas Harold tgh at tgharold.com
Sun Jun 4 11:03:35 EDT 2006


James A. Donald wrote:

> 
> Attacks on DNS are common, though less common than other
> attacks, but they are by scammers, not TLA agencies,
> perhaps because they are so easily detected.
> 
> All logons should move to SRP to avoid the phishing
> problem, as this is the most direct and strongest
> solution for phishing for shared secrets, and phishing
> for shared secrets is the biggest problem we now have.
> 
> Encrypting DNS is unacceptable, because the very large
> number of very short messages make public key encryption
> an intolerable overhead.  A DNS message also has to fit
> in a single datagram.
> 

IIRC, from following the development of SPF (which uses rather lengthy 
DNS data records), a DNS message that fits inside of a single datagram 
can be sent via UDP, but if it spills over, the DNS server has to set up 
a TCP connection.

So longer DNS messages are allowed, but they are either expensive (TCP 
vs UDP) or not supported by all implementations?

(Did I get that right?)

I do suspect at some point that the lightweight nature of DNS will give 
way to a heavier, encrypted or signed protocol.  Economic factors will 
probably be the driving force (online banking).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
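As an added illustration of the UDP-versus-TCP point discussed above (example code written here, not from the thread or any DNS implementation): a minimal server/client pair that packs SPF-style TXT answers into a classic 512-byte UDP reply, sets the TC (truncation) bit when they do not fit, and lets the client detect that it must retry over TCP. The zone name and TXT records are constructed sample data.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP ceiling (RFC 1035); EDNS0 lets peers negotiate more
TC_FLAG = 0x0200         # TrunCation bit in the DNS header flags field

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_txt_rr(name, strings, ttl=300):
    """Build one TXT resource record (TYPE 16, CLASS IN); each string is a <len><bytes> chunk."""
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata

def build_response(txn_id, qname, answers, udp_limit=UDP_PAYLOAD_LIMIT):
    """Server side: pack as many answer RRs as fit in udp_limit bytes.
    If any are dropped, set TC so the client knows to retry over TCP.
    Returns (message_bytes, truncated)."""
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    kept, size = [], 12 + len(question)
    for rr in answers:
        if size + len(rr) > udp_limit:
            break
        kept.append(rr)
        size += len(rr)
    truncated = len(kept) < len(answers)
    if truncated:
        flags |= TC_FLAG
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept), truncated

def client_needs_tcp(message):
    """Client side: a set TC bit means the UDP answer is incomplete; re-ask over TCP."""
    _, flags = struct.unpack("!HH", message[:4])
    return bool(flags & TC_FLAG)

# Constructed sample data: one zone publishing four long SPF-style TXT records.
SAMPLE_NAME = "example.com"
SAMPLE_RECORDS = [
    encode_txt_rr(SAMPLE_NAME, ["v=spf1 " + ("ip4:192.0.2.%d " % i) * 10 + "-all"])
    for i in range(4)
]

if __name__ == "__main__":
    msg, truncated = build_response(0x1234, SAMPLE_NAME, SAMPLE_RECORDS)
    print(len(msg), "bytes over UDP, TC set:", truncated, "-> retry over TCP:", client_needs_tcp(msg))
    msg, truncated = build_response(0x1234, SAMPLE_NAME, SAMPLE_RECORDS, udp_limit=4096)
    print(len(msg), "bytes with an EDNS0-sized buffer, TC set:", truncated)
```

The second call shows the "not supported by all implementations" side of the question: a resolver that advertises a larger EDNS0 buffer gets the whole answer in one datagram, while one limited to 512 bytes sees TC and pays for the TCP round trip.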