DNSSEC focuses on authenticating traffic between the resolver and
the nameserver but doesn't address the security of traffic between
the stub and the resolver. It is generally impractical for a stub
to set the DO bit and re-validate DNSSEC signatures because of the
lack of a chain of trust. Determining and validating the chain of
trust from a stub would invalidate the need for a resolver.
DNSCrypt is a mechanism for securing data between the stub and the
resolver. The stub queries through a local DNSCrypt proxy that is
configured with the public key fingerprint of the resolver, encrypting
and authenticating all traffic to/from the resolver. Assuming a
DNSSEC validating resolver, and assuming the application connection
to the DNSCrypt proxy can be trusted, this secures the entire DNS
This talk looks into how the DNSCrypt proxy works, what the benefits
are and the cost of deploying it in terms of CPU and data overheads.
Postponement (Please leave blank)
- Happy to present at the OARC 33 scheduled for September in Milan, although dependent on the travel situation come September.
- Failing that, happy to present at OARC 34 or at a virtual OARC or mini-OARC.
This talk looks into how the DNSCrypt proxy works, what the benefits are and the cost of deploying it in terms of CPU and data overheads.
|Talk Duration||20 minutes|