[nsd-users] DoT on the Auth side?

Fredrik Pettai pettai at sunet.se
Thu Mar 21 09:42:50 UTC 2019


Hi Benno, all,

On 19/03/20 14:08, Benno Overeinder wrote:
> Hi Fredrik, all,
>
>> On 18 Mar 2019, at 12:19, Fredrik Pettai <pettai at sunet.se> wrote:
>>
>>
>> On 19/03/15 14:05, Willem Toorop wrote:
>>> On 15-03-19 13:29, A. Schulze wrote:
>>>> Am 15.03.19 um 11:10 schrieb Anand Buddhdev:
>>>>> DoT is most useful between stub resolvers and their upstream recursive
>>>>> resolvers, because this is the path that is most often snooped and
>>>>> mangled by men-in-the-middle.
>>>> It's correct. DoT between resolver and authoritative DNS servers is not finally specified.
>>>> But there is desire to use similar technology.
>>>>
>>>> Attached is a patch that enables TLS support in unbound. I'm currently unsure about the author (not myself).
>>> It is Sara Dickinson's (Sinodun), see:
>>>
>>> 	https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/nsd-4.1.0_dns-over-tls.patch
>> Thanks, that's useful!
>>
>> NLnetLabs: Any plans to integrate this patch into nsd's sources?
> We are planning to integrate the patch into NSD, not in the upcoming release (release candidate has just been announced) but in the next forthcoming release of NSD.

Thanks!

Another reason why I asked was that I thought of zone transfers, and later
found this:

https://mailarchive.ietf.org/arch/msg/dns-privacy/LvhxSnm9SDnD2PxV8RK4O5eF7Eo

But AFAICT there is basically no support for DoT on the auth side,
especially from the major (open source) auth DNS vendors (btw. thanks
for sharing the patch & pointers!)

I also noted that there is an IETF-draft produced about this topic too:

https://tools.ietf.org/html/draft-hzpa-dprive-xfr-over-tls-01

Is anybody following that work, and how was this received? (Especially
among the big auth dns vendors.)

> For the future, we see different solutions to support DoT, such as DoT in the NSD server (as with the above patches), using a DNS load balancer (layer 4, direct server return) and reverse DNS proxy (layer 7, similar to nginx).  For the last two solutions, we are open to feedback and comments.

So, what's the rationale behind that direction?

I'm guessing DoT is looked at as an interim solution until the IETF
"QUIC" work is finalized?

/P
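One concrete shape of the reverse-proxy option Benno mentions, as an added example that is not from this thread or from NLnet Labs: nginx's stream module terminates TLS on port 853 and forwards the plain DNS-over-TCP stream to an NSD instance listening on 127.0.0.1:53. The listen address, certificate paths and the upstream name are assumptions.

```nginx
# Added example, not NSD or nginx project code.
# Assumed layout: nginx owns TCP/853 on the public address, NSD listens
# on 127.0.0.1:53 for TCP (and keeps serving UDP/53 directly).
stream {
    upstream nsd_tcp {
        server 127.0.0.1:53;          # assumed NSD listener
    }

    server {
        listen 853 ssl;               # DoT port (RFC 7858)

        # Assumed certificate paths for the authoritative server's name.
        ssl_certificate     /etc/nginx/tls/auth.example.net.pem;
        ssl_certificate_key /etc/nginx/tls/auth.example.net.key;

        # Only modern TLS; DoT clients are expected to support 1.2 or 1.3.
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # Idle timeout for the proxied DNS-over-TCP session.
        proxy_timeout 30s;

        # TLS ends here; the inner bytes are unmodified DNS-over-TCP
        # (2-byte length prefix + message), which NSD already speaks.
        proxy_pass nsd_tcp;
    }
}
```

Because nginx terminates TLS at layer 4, NSD sees every connection as coming from 127.0.0.1, so IP-based `provide-xfr` and `notify` ACLs in nsd.conf no longer identify the real peer and TSIG keys become the only per-peer control for XFR. UDP/53 is unaffected and still reaches NSD directly.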