[nsd-users] DoT on the Auth side?

Anand Buddhdev anandb at ripe.net
Fri Mar 15 10:10:48 UTC 2019


Hi Fredrik,

DoT is most useful between stub resolvers and their upstream recursive
resolvers, because this is the path that is most often snooped and
mangled by men-in-the-middle.

NSD is an authoritative DNS server, so its clients are going to be
regular recursive resolvers. While DoT would also provide privacy and
authenticity on this path, it is not so important, yet. And trying to do
this requires solutions for a random recursive resolver to figure out
how to trust a random authoritative server's certificate.

I don't see an immediate need for DoT support in NSD (or any
authoritative server). As far as I remember, there are also no plans in
NSD for this, but I'm sure the developers will correct me if I'm wrong.

Regards,
Anand

On 15/03/2019 09:44, Fredrik Pettai wrote:
> Hi,
> 
> I saw this some time ago and then forgot about it...
> 
> https://code.fb.com/security/dns-over-tls/
> 
> Is this something that NSD is considering supporting (enable DoT on the
> auth side)?
> 
> I've been away from the various DNS working groups & forums for some
> time now, so I don't know how this was received by the various groups?
> Generally positive, negative or neutral?
> 
> Re,
> 
> /P
> 
> 
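The exchange above contrasts two DoT paths: stub-to-recursive, where the stub already knows which resolver it talks to and can pin its certificate or validate it against a public CA, and recursive-to-authoritative, where the resolver has no prior relationship with the server. The following is an added example, not code from NSD, NLnet Labs or anyone in this thread; it shows what a minimal stub-side DoT query looks like on the wire (RFC 7858: the standard DNS-over-TCP two-byte length prefix carried inside a TLS session on port 853), with the certificate and hostname check that makes the stub path straightforward. The resolver address and TLS name in the live branch are placeholders, not a recommendation.

```python
"""Minimal DNS-over-TLS stub query (RFC 7858). Added example; not NSD code.

The message builder and framing are pure functions so they can be checked
offline. The network path is only taken when run with --live, and the
resolver named there is a placeholder you must replace.
"""
import socket
import ssl
import struct
import sys

DOT_PORT = 853  # well-known DoT port (RFC 7858)

# Constructed DNS response used only to demonstrate parsing offline:
# id 0x1234, flags 0x8180 (QR=1, RD=1, RA=1, RCODE=0), 1 question, 1 answer.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)


def build_query(qname, qtype=1, txid=0x1234):
    """Return an RFC 1035 query for qname/qtype with RD set (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root, QTYPE, QCLASS IN
    return header + question


def frame(msg):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe(buf):
    """Split one length-prefixed message off buf; ValueError if incomplete."""
    if len(buf) < 2:
        raise ValueError("need length prefix")
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + n:
        raise ValueError("message incomplete")
    return buf[2:2 + n], buf[2 + n:]


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a stub cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def dot_query(host, server_name, qname, qtype=1, timeout=5.0):
    """Send one query over TLS and return the parsed response header.

    create_default_context() verifies the chain against the system trust
    store and checks server_name against the certificate; this is the step
    a stub can do because it is configured with its resolver in advance.
    """
    ctx = ssl.create_default_context()
    query = build_query(qname, qtype)
    with socket.create_connection((host, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("TLS peer closed before full reply")
                buf += chunk
                try:
                    msg, _ = unframe(buf)
                    break
                except ValueError:
                    continue
    hdr = parse_header(msg)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("reply does not match query")
    return hdr


if __name__ == "__main__":
    print("framed query:", frame(build_query("example.com")).hex())
    print("sample reply:", parse_header(SAMPLE_RESPONSE))
    if "--live" in sys.argv:
        # Placeholder resolver; replace with one you actually trust.
        print(dot_query("192.0.2.1", "dot.resolver.example", "example.com"))
```

Note what the `server_hostname` argument buys and what it does not: the stub validates a name it was configured with, so a man-in-the-middle on the stub-to-recursive path cannot present an arbitrary certificate. A recursive resolver contacting an authoritative server it has never seen has no such configured name to check against, which is the open problem Anand refers to.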