Hi Fredrik, all,
> On 18 Mar 2019, at 12:19, Fredrik Pettai <pettai at sunet.se> wrote:
>
>
> On 19/03/15 14:05, Willem Toorop wrote:
>> On 15-03-19 13:29, A. Schulze wrote:
>>> Am 15.03.19 um 11:10 schrieb Anand Buddhdev:
>>>> DoT is most useful between stub resolvers and their upstream recursive
>>>> resolvers, because this is the path that is most often snooped and
>>>> mangled by men-in-the-middle.
>>> It's correct. DoT between resolver and authoritative DNS servers is not
>>> finally specified.
>>> But there is desire to use similar technology.
>>>
>>> Attached is a patch that enables TLS support in unbound. I'm currently
>>> unsure about the author (not myself).
>> It is Sara Dickinson's (Sinodun), see:
>>
>> https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse/nsd-4.1.0_dns-over-tls.patch
>
> Thanks, that's useful!
>
> NLnetLabs: Any plans to integrate this patch into nsd's sources?
We are planning to integrate the patch into NSD, not in the upcoming release
(the release candidate has just been announced) but in the next forthcoming
release of NSD.
For the future, we see different solutions to support DoT, such as DoT in the
NSD server (as with the above patches), using a DNS load balancer (layer 4,
direct server return) and reverse DNS proxy (layer 7, similar to nginx). For
the last two solutions, we are open to feedback and comments.
Best,
-- Benno
--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/