[nsd-users] DoT on the Auth side?

Benno Overeinder benno at NLnetLabs.nl
Wed Mar 20 13:08:50 UTC 2019

Hi Fredrik, all,

> On 18 Mar 2019, at 12:19, Fredrik Pettai <pettai at sunet.se> wrote:
> On 19/03/15 14:05, Willem Toorop wrote:
>> On 15-03-19 13:29, A. Schulze wrote:
>>> Am 15.03.19 um 11:10 schrieb Anand Buddhdev:
>>>> DoT is most useful between stub resolvers and their upstream recursive
>>>> resolvers, because this is the path that is most often snooped and
>>>> mangled by men-in-the-middle.
>>> It's correct. DoT between resolver and authoritative DNS servers is not finally specified.
>>> But there is desire to use similar technology.
>>> Attached a patch that enables TLS support in unbound. I'm currently unsure about the author (not myself).
>> It is Sara Dickinson's (Sinodun), see:
>> 	https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/nsd-4.1.0_dns-over-tls.patch
> Thanks, that's useful!
> NLnetLabs: Any plans to integrate this patch into nsd's sources ?

We are planning to integrate the patch into NSD, not in the upcoming release (release candidate has just been announced) but in the next forthcoming release of NSD.

For the future, we see different solutions to support DoT, such as DoT in the NSD server (as with the above patches), using a DNS load balancer (layer 4, direct server return) and a reverse DNS proxy (layer 7, similar to nginx). For the last two solutions, we are open to feedback and comments.


— Benno

Benno J. Overeinder
NLnet Labs
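As an added illustration of the "reverse proxy similar to nginx" option mentioned above (this is example configuration written for this page, not NSD's or NLnet Labs' own, and not part of the thread): an nginx `stream` block that terminates TLS on port 853 and relays the decrypted byte stream to an authoritative NSD on TCP port 53. Because DoT (RFC 7858) reuses the two-octet length framing of DNS over TCP, the proxy needs no DNS parsing at all; TLS termination plus a plain TCP relay is enough. The certificate paths, the backend address 127.0.0.1:53 and the assumption that nginx was built with `--with-stream --with-stream_ssl_module` are all assumptions of the example.

```nginx
# Added example, not NSD or NLnet Labs configuration.
# Assumed: nginx built with --with-stream --with-stream_ssl_module,
# NSD listening on TCP 127.0.0.1:53, certificate files at the paths below.
stream {
    upstream nsd_tcp {
        server 127.0.0.1:53;            # assumed NSD TCP listener
    }

    server {
        listen 853 ssl;                 # DoT port (RFC 7858)
        listen [::]:853 ssl;

        ssl_certificate     /etc/nginx/tls/auth.example.net.fullchain.pem;  # assumed path
        ssl_certificate_key /etc/nginx/tls/auth.example.net.key.pem;        # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:dot:10m;   # resumption spares busy resolvers a full handshake
        ssl_session_timeout 1h;

        # DoT carries the same 2-octet length-prefixed messages as DNS over TCP,
        # so the decrypted stream is handed to NSD's TCP listener unchanged.
        proxy_pass            nsd_tcp;
        proxy_connect_timeout 2s;
        proxy_timeout         30s;      # idle connections are closed after 30 s
    }
}
```

Two operational caveats follow from this layout. First, every proxied query reaches NSD over TCP, so NSD's TCP connection budget (`tcp-count` in nsd.conf) now bounds DoT concurrency and will usually need raising. Second, NSD sees 127.0.0.1 as the client for all DoT traffic, so any address-based ACLs (for example `provide-xfr` or `notify` rules) and per-client limits apply to the proxy rather than to the real resolver. Check the configuration with `nginx -t`, then query through the proxy with a DoT-capable client such as `kdig +tls @auth.example.net SOA example.net` (hostnames assumed) and confirm the same answer arrives over plain port 53.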
