On Mar 7, 2007, at 3:00 PM, Harald Tveit Alvestrand wrote:
Here I was thinking that the DNS needs to be a useful name lookup
service for the Internet to function, and now PHB tells me it's a
signalling layer.
Either I have seriously misunderstood the nature of "signalling",
seriously misunderstood the nature of the DNS, or I have reason to
dislike this term.
*shudder*.
Perhaps signaling oversimplifies the suggestion, and perhaps Philip
sees this differently as well.
Once IPv4 does not offer an identifier for defending against DoS
attack, a safe basis could be established with a two step approach
using DNS. Verify clients by "name" with a single DNS transaction.
This offers a safe identifier that avoids DoS concerns. These
identifiers can be subsequently authorized by "name" as well. DNS is
well suited to resolve a small answer by name.
One approach for "name" based authorization would place an encoded
hash label of the domain name being authorized within the authorizing
domain. Client validation can be as simple as resolving the name of
the client, where this name can then be utilized in conjunction with
a "name" based authorization. In the case of DKIM, DNS also supplies
the public key.
The concern was to avoid the indirect or reflected attacks DNS can
produce, where a simple strategy can avoid these problems.
-Doug
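As an added illustration, not code from the thread or from any IETF document, here is one way the "hash label" authorization Doug sketches could be checked against a zone. The message leaves the details open, so the hash (SHA-256), the label encoding (unpadded base32), the `_auth` prefix, the TXT record type and the zone contents are all assumptions made for this example.

```python
import base64
import hashlib

# ASSUMPTION: authorizations live under "<hash-label>._auth.<authorizing-domain>".
LABEL_PREFIX = "_auth"


def hash_label(name: str) -> str:
    """Encode a domain name as one DNS label: SHA-256 of the canonical
    (lowercased, no trailing dot) name, base32 without padding.
    32 bytes -> 52 characters, well under the 63-octet label limit."""
    canon = name.rstrip(".").lower().encode("ascii")
    digest = hashlib.sha256(canon).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def authorization_name(client_name: str, authorizing_domain: str) -> str:
    """The single name that must be resolved to answer 'is client_name
    authorized by authorizing_domain?' (one DNS transaction, small answer)."""
    zone = authorizing_domain.rstrip(".").lower()
    return f"{hash_label(client_name)}.{LABEL_PREFIX}.{zone}"


# Constructed stand-in for the DNS: maps an owner name to a TXT record.
# Only mail.example.net is authorized by example.com in this sample zone.
ZONE = {
    authorization_name("mail.example.net", "example.com"): "v=auth1",
}


def lookup_txt(qname: str, zone=ZONE):
    """Offline resolver: returns the TXT value or None (NXDOMAIN)."""
    return zone.get(qname.lower())


def is_authorized(client_name: str, authorizing_domain: str, zone=ZONE) -> bool:
    """True if the authorizing domain publishes the hash label for the
    (already validated) client name. The client name itself is never sent
    to the authorizing domain in the clear, only its hash label."""
    return lookup_txt(authorization_name(client_name, authorizing_domain), zone) is not None
```

The check assumes the client name was validated first, as the message describes; this block only covers the subsequent name-based authorization lookup.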
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf