DoT and UDP requirements
he at uninett.no
Wed Jul 24 11:48:55 UTC 2019
> Having set up DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP.
Where? Between your client and your unbound recursor (where you have
control and can enable DNS-over-TLS-over-TCP), or outwards from your
unbound recursor to the rest of the net? For the latter to work, each
and every publishing name server out there would have to have deployed
DNS-over-TLS-over-TCP. To put it mildly, "we're not there yet", and
I'm doubtful we ever will be.
Even if you dropped "TLS", and only wanted to do TCP, I think that
would also work poorly, since still too many publishing name servers
either don't do DNS-over-TCP or there are firewalls on the path which
prohibit it from working.
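The two legs the reply distinguishes, written out as an Unbound configuration (an added example, not part of the original thread; the listen addresses, key/certificate paths and the forwarder address and name are placeholders):

```conf
# Added example, not from the original post. Paths, addresses and the
# forwarder name are placeholders (assumptions), not a real deployment.
server:
    # 1) Client-facing leg: terminate DNS-over-TLS from stub resolvers here.
    #    Clients that reach this recursor on port 853 get TLS over TCP.
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/unbound_server.key"    # placeholder path
    tls-service-pem: "/etc/unbound/unbound_server.pem"    # placeholder path

    # Keep plain DNS on 53 for local clients that cannot do DoT.
    interface: 127.0.0.1@53

    # 2) Outward leg: authoritative name servers are reached with ordinary
    #    DNS over UDP and TCP 53, because DoT is not deployed there. Nothing
    #    in this file changes that; the recursor simply follows delegations.
    do-udp: yes
    do-tcp: yes

    # CA bundle is only needed if queries are forwarded upstream over TLS.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # placeholder path

# Optional: the only way to get TLS on the outward leg is to stop recursing
# and hand every query to a DoT forwarder. That is forwarding, not recursion,
# and the forwarder itself still speaks plain DNS to the authoritatives.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot-forwarder.example   # placeholder forwarder
```

With the forward-zone section removed, Unbound recurses itself and the outward leg is plain DNS; with it present, the outward leg is TLS only as far as the forwarder.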