DoT and UDP requirements

Havard Eidnes he at uninett.no
Wed Jul 24 11:48:55 UTC 2019


> Having setup DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP.

Where?  Between your client and your unbound recursor (where you have
control and can enable DNS-over-TLS-over-TCP), or outwards from your
unbound recursor to the rest of the net?  For the latter to work, each
and every publishing name server out there would have to have deployed
DNS-over-TLS-over-TCP.  To put it mildly, "we're not there yet", and
I'm doubtful we ever will be.

Even if you dropped "TLS", and only wanted to do TCP, I think that
would also work poorly, since still too many publishing name servers
either don't do DNS-over-TCP or there are firewalls on the path which
prohibit it from working.

Regards,

- Håvard



More information about the Unbound-users mailing list