Anand Buddhdev <ana...@ripe.net> wrote:
>

Anand's advice is good, as usual :-)

But a small pedantic point:

> The DNS protocol itself has recently been updated to allow for
> encryption, using DTLS (DNS-over-TLS).

DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for deploying it: DTLS combines all the disadvantages of UDP with all the disadvantages of TLS. (Or worse: DTLS has a more complicated state machine than normal TLS, so there have been a bunch of DTLS-specific vulnerabilities, which makes me very reluctant to deploy it.)

There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC. But right now, none of these are particularly easy to get working as transports for UPDATE, and as Anand said, it usually isn't necessary.

I'm looking forward to zone transfers over TLS, because public key authentication (with client certificates) is a bit easier to deploy between different organizations than TSIG secret key authentication. There's not such a clear benefit for UPDATE-over-TLS where I'm sitting, apart from the neatness of having all authenticated traffic over TLS.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.