Re: Securing DNS traffic

>> Plus, of course, the outgoing queries from your recursor will
>> be in cleartext.
> OK, so I understand that root servers probably won't support
> TLS, but some authoritative servers may support TLS (aka
> ADoT). But I don't seem to find a way to tell unbound "use TLS
> opportunistically, wherever possible". Isn't there some record
> (similar to DNSSEC RRSIG) that tells unbound which servers
> actually support TLS?

Nope.  There is no specified protocol to direct recursive
resolution to use TLS towards specific authoritative servers.
There has been talk about this on the DNSOP IETF working group,
but nothing has been agreed.  This means that the queries from a
recursive resolver to authoritative name servers will be in
cleartext, typically using UDP, may (try to) use TCP in case of

Personally, I think that the proposal which was floated didn't
feel right to me, and I think the deployment considerations had
not been sufficiently thought through.


- Håvard
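For anyone following along who wants to see what unbound can and cannot be told here: the following unbound.conf fragment is an added illustration, not part of the thread and not an unbound project file. It uses the real `tls-upstream`, `forward-tls-upstream`, `forward-addr` and `tls-cert-bundle` options; the CA bundle path, the forwarder address and the authentication name are placeholders you would replace with your own.

```conf
server:
    # Added example, not from the list post. Validate upstream TLS
    # certificates against the system CA bundle (path is an assumption
    # for a Debian-style system; adjust for your platform).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Do NOT enable this expecting "TLS where possible": it forces TLS on
    # every upstream connection, including authoritative servers that do
    # not speak TLS, so ordinary iterative resolution stops working.
    # tls-upstream: yes

# The only per-destination TLS control unbound offers is on forward zones.
# There is no equivalent for individual authoritative servers reached
# during iteration, which is the gap discussed above.
forward-zone:
    name: "."
    # Placeholder forwarder (documentation address) on the DoT port 853;
    # the name after '#' is what the certificate is checked against.
    forward-addr: 192.0.2.53@853#dot.resolver.example
    forward-tls-upstream: yes
```

With a forward zone for "." like this, the hop from your recursor to the forwarder is encrypted, but the forwarder's own queries to authoritative servers are still cleartext; you have moved where the exposure sits, not removed it. If you instead run a pure iterative resolver (no forward zone), leave `tls-upstream` unset and accept that the authoritative leg is in the clear, as the reply states.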

