DoT on the Auth side?

Hi,

I saw this some time ago and then forgot about it...

https://code.fb.com/security/dns-over-tls/

Is this something that NSD is considering supporting (enable DoT on the
auth side)?

I've been away from the various DNS working groups & forums for some
time now, so I don't know how this was received by the various groups?
Generally positive, negative or neutral?

Re,

/P

Hi Fredrik,

DoT is most useful between stub resolvers and their upstream recursive
resolvers, because this is the path that is most often snooped and
mangled by men-in-the-middle.

NSD is an authoritative DNS server, so its clients are going to be
regular recursive resolvers. While DoT would also provide privacy and
authenticity on this path, it is not so important, yet. And trying to do
this requires solutions for a random recursive resolver to figure out
how to trust a random authoritative server's certificate.

I don't see an immediate need for DoT support in NSD (or any
authoritative server). As far as I remember, there are also no plans in
NSD for this, but I'm sure the developers will correct me if I'm wrong.

Regards,
Anand

It's correct. DoT between resolver and authoritative DNS servers is not finally specified.
But there is desire to use similar technology.

Attached is a patch that enables TLS support in unbound. I'm currently unsure about the author (not myself).
Maybe the maintainers would like to give that patch a chance.

Andreas

(attachments)

nsd-tls-4.1.26.patch (38.8 KB)

s/unbound/nsd/ of course ...

It is Sara Dickinson's (Sinodun), see:

  https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/nsd-4.1.0_dns-over-tls.patch

Thanks, that's useful!

NLnetLabs: Any plans to integrate this patch into nsd's sources?

Thx,

/P

Hi Fredrik, all,
We are planning to integrate the patch into NSD, not in the upcoming release (release candidate has just been announced) but in the next forthcoming release of NSD.

Thanks!

Another reason why I asked was that I thought of zone transfers, and later
found this:

https://mailarchive.ietf.org/arch/msg/dns-privacy/LvhxSnm9SDnD2PxV8RK4O5eF7Eo

But AFAICT there is basically no support for DoT on the auth side,
especially from the major (open source) auth DNS vendors (btw. thanks
for sharing the patch & pointers!)

I also noted that an IETF draft has been produced on this topic too:

https://tools.ietf.org/html/draft-hzpa-dprive-xfr-over-tls-01

Is anybody following that work, and how was this received? (Especially
among the big auth dns vendors.)

For the future, we see different solutions to support DoT, such as DoT in the NSD server itself (as with the above patches), a DNS load balancer (layer 4, direct server return), or a reverse DNS proxy (layer 7, similar to nginx). For the last two solutions, we are open to feedback and comments.

So, what's the rationale behind that direction?

I'm guessing DoT is looked at as an interim solution until the IETF
"QUIC" work is finalized?

/P
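As an added example of the reverse-proxy deployment option Benno describes above (this is not code from the thread, from the Sinodun patch or from NLnet Labs), here is an nginx `stream` block that terminates TLS on port 853 and hands the decrypted DNS stream to NSD on TCP/53. The certificate paths, the server name and the loopback upstream address are assumptions, and nginx must be built with the stream and stream_ssl modules.

```nginx
# Added example, not part of the thread or of any NSD/nginx distribution.
# Must sit at the top level of nginx.conf, next to the http {} block.
stream {
    # NSD listening on plain TCP/53 on the loopback interface (assumed).
    upstream nsd_tcp {
        server 127.0.0.1:53;
    }

    server {
        # 853/tcp is the port registered for DNS over TLS (RFC 7858).
        listen 853 ssl;
        listen [::]:853 ssl;

        # Certificate for the name a resolver would verify (assumed paths);
        # this is the trust question Anand raises: the resolver needs a name
        # and a CA it is willing to accept for this authoritative server.
        ssl_certificate     /etc/ssl/certs/ns1.example.net.pem;
        ssl_certificate_key /etc/ssl/private/ns1.example.net.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # Session resumption so a resolver does not pay a full handshake
        # for every connection it opens to this server.
        ssl_session_cache shared:dot:10m;
        ssl_session_timeout 1h;

        # DoT uses the same two-byte length prefix as DNS over TCP
        # (RFC 7858 section 3.3), so the decrypted byte stream can be
        # forwarded unchanged to NSD's ordinary TCP listener.
        proxy_pass nsd_tcp;
        proxy_timeout 10s;
    }
}
```

With this layout NSD sees 127.0.0.1 as the client address for every DoT query, so NSD's address-based ACLs and query logs no longer identify the querying resolver; nginx's own stream access log has to be used for that.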