Re: Securing DNS traffic

To: cryintothebluesky%gmail.com@localhost
Subject: Re: Securing DNS traffic
From: Havard Eidnes <he%NetBSD.org@localhost>
Date: Sun, 24 May 2020 11:00:00 +0200 (CEST)

>> Plus, of course, the outgoing queries from your recursor will
>> be in cleartext.
>
> OK, so I understand that root servers probably won't support
> TLS, but some authoritative servers may support TLS (aka
> ADoT). But I don't seem to find a way to tell unbound "use TLS
> opportunistically, wherever possible". Isn't there some record
> (similar to DNSSEC RRSIG) that tells unbound which servers
> actually support TLS?

Nope.  There is no specified protocol to direct recursive
resolution to use TLS towards specific authoritative servers.
There has been talk about this on the DNSOP IETF working group,
but nothing has been agreed.  This means that the queries from a
recursive resolver to authoritative name servers will be in
cleartext, typically using UDP, may (try to) use TCP in case of
truncation.

Personally, I think that the proposal which was floated didn't
feel right to me, and I think the deployment considerations had
not been sufficiently thought through.

Regards,

- Håvard

Follow-Ups:
- Re: Securing DNS traffic
  - From: Sad Clouds

References:
- Re: Securing DNS traffic
  - From: Jeffrey Walton
- Re: Securing DNS traffic
  - From: Havard Eidnes
- Re: Securing DNS traffic
  - From: Sad Clouds

Prev by Date: Re: Securing DNS traffic
Next by Date: Small artifacts in intel video driver and uxa mode
Previous by Thread: Re: Securing DNS traffic
Next by Thread: Re: Securing DNS traffic
Indexes:

Home | Main Index | Thread Index | Old Index