TLS

TLS

Transport Layer Security (TLS) is a protocol that secures the session between a client and a server. Using public/private key pairs, it authenticates the server and, optionally, the client. During its handshake it negotiates the cipher suite, and it then uses symmetric encryption to exchange data securely.

SMTP over TLS

In the protocol stack, TLS sits between the TCP user and the TCP provider. SMTP is a TCP user, and TCP is the provider. So there is no problem using TLS for application-layer protocols that run over TCP, such as HTTP or SMTP.

DNS over TLS!!!

On one vendor's web site [1], the advertisement says, “One of the recent additions to SSL/TLS family of protocols is Datagram TLS (DTLS), which is very similar to TLS. DTLS is used to protect UDP-based or other message-based network communications such as stream audio and video delivery. SSLBlackbox is one of the few solutions to provide client-side and server-side DTLS support.” Such a DTLS layer could sit between DNS (the UDP user) and the UDP provider in the same way.

TLS assumes that its transport layer is reliable, and without a handshake and key negotiation there is no secure channel at all. DTLS was created to run TLS over UDP, and a DTLS implementation using OpenSSL is already available. What is more: “OpenVPN has already implemented a reliability layer on top of UDP for a TLS handshake. Have you looked at this approach?” [4]

Here is another insight on the problem: “We considered a similar approach when we designed DTLS (2 years ago now...) but ultimately concluded that application-level timeouts and retransmission was a simpler and more straightforward solution” [4].

Again, it is important to note that there is a tradeoff between security and performance, and to ask whether security for DNS is really needed. Security was not addressed in the original design of DNS. There is now ongoing research on DNSSEC [2]. DNSSEC lets resolvers address the security concerns of their queries by asking DNS servers to provide authenticated data. RFC 4035 [3] specifies the protocol modifications for DNSSEC: “The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications” [3].

Finally, I can safely say that there is no straightforward way to use DNS over TLS, but some tweaking on the part of TLS, and of how UDP will work with it, can surely make way for DNS over TLS.
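One concrete part of that tweaking is framing: DNS is a message protocol built for UDP datagrams, while TLS delivers a byte stream that does not preserve message boundaries. The example below (added here, not from the original page or any cited project) builds a DNS query in UDP wire format and then applies the 2-byte length prefix that RFC 1035 section 4.2.2 defines for DNS over stream transports, which is the same framing DNS over TLS reuses; the name, transaction id and sample queries are constructed for illustration.

```python
# Added example (not from the original page): framing DNS messages for
# a stream transport such as TLS. Sample names and ids are constructed.
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (QR=0, RD=1, QDCOUNT=1) in UDP wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN

def frame(msg: bytes) -> bytes:
    """Wrap one DNS message for a stream transport (TCP or TLS)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg

def unframe(buf: bytes):
    """Pull complete messages out of a stream buffer.

    Returns (messages, leftover). Leftover is a partial message from an
    incomplete read; the caller keeps it and appends the next read. The
    stream may deliver two messages in one read or split one message
    across two reads, which is exactly what UDP-style code never sees.
    """
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # wait for the rest of this message
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf
```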

References

1. http://www.eldos.com/sbb/desc-ssl.php?referer1=google&referer2=adwords_dtls_general&gclid=CMH8o7yEqpICFQmkHgodLGrCMQ

2. http://www.dnssec.net/

3. http://www.rfc-archive.org/getrfc.php?rfc=4035

4. http://www.educatedguesswork.org/movabletype/archives/2004/12/dtls_comes_to_r.html