[nsd-users] DoT on the Auth side?

Anand Buddhdev anandb at ripe.net
Fri Mar 15 10:10:48 UTC 2019

Hi Fredrik,

DoT is most useful between stub resolvers and their upstream recursive
resolvers, because this is the path that is most often snooped and
mangled by men-in-the-middle.

NSD is an authoritative DNS server, so its clients are going to be
regular recursive resolvers. While DoT would also provide privacy and
authenticity on this path, it is not so important, yet. And trying to do
this requires solutions for a random recursive resolver to figure out
how to trust a random authoritative server's certificate.

I don't see an immediate need for DoT support in NSD (or any
authoritative server). As far as I remember, there are also no plans in
NSD for this, but I'm sure the developers will correct me if I'm wrong.


On 15/03/2019 09:44, Fredrik Pettai wrote:
> Hi,
> I saw this some time ago and then forgot about it...
> https://code.fb.com/security/dns-over-tls/
> Is this something that NSD is considering supporting (enable DoT on the
> auth side)?
> I've been away from the various DNS working groups & forums for some
> time now, so I don't know how this was received by the various groups?
> Generally positive, negative or neutral?
> Re,
> /P
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

More information about the nsd-users mailing list