The document talks about data origin authentication:
Verify that answers come from the selected DNS resolver
But then in S 5 concedes that maybe we have to consider only passive attackers:
When discovering DNS resolvers on a local network, clients have no
mechanism to distinguish between cases where an active attacker with
the above capabilities is interfering with discovery, and situations
wherein the network has no encrypted resolver. Absent such a
mechanism, an attacker can always succeed in these goals. Therefore,
in such circumstances, viable solutions for local DNS resolver
discovery should consider weaker attackers, such as those with only
passive eavesdropping capabilities. It is unknown whether such
relaxations represent a realistic attacker in practice. Thus, local
discovery solutions designed around this threat model may have
limited value.
But if you have a passive-only attacker, then data origin authentication is irrelevant. Which is it?