I found this RFC https://www.rfc-editor.org/info/rfc9076 pretty interesting as it covers all topics related to DNS privacy, including the need to prepare for quantum-resistant algorithms and encrypting DNS traffic ... I guess the author is not only referring to resolver traffic that should use DoT instead of plaintext UDP/53, but also zone transfers over the Internet encrypted with TLS (thus the reference to certificates).

-Carlos
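As an added illustration (not part of the original thread or of ISC's documentation), this is what the two kinds of encryption Carlos describes look like in a BIND 9.18+ named.conf: a DNS over TLS listener for resolver clients, and zone transfers over TLS (XoT) between a primary and a secondary that authenticates the primary's certificate. All paths, addresses, hostnames and the zone name are placeholders.

```conf
# Added example, not from the thread. Assumes BIND 9.18 or later.
# Paths, addresses, hostnames and zone name are placeholders.

# Server certificate and key, used by the DoT listener and by the XoT primary.
tls local-tls {
    key-file "/etc/bind/tls/ns.key";        # placeholder path
    cert-file "/etc/bind/tls/ns.crt";       # placeholder path
};

options {
    directory "/var/cache/bind";
    # Keep plaintext Do53 for clients that cannot do DoT yet ...
    listen-on port 53 { any; };
    # ... and offer DNS over TLS (RFC 7858) on 853 for those that can.
    listen-on port 853 tls local-tls { any; };
    listen-on-v6 port 853 tls local-tls { any; };
};

# Primary side: hand out zone transfers only over TLS (RFC 9103, XoT).
zone "example.test" {
    type primary;
    file "/etc/bind/zones/db.example.test";   # placeholder path
    allow-transfer port 853 transport tls { 198.51.100.2; };   # placeholder secondary
};

# Secondary side (a separate server): verify the primary's certificate
# against a CA and the expected hostname before accepting the zone.
# tls primary-auth {
#     ca-file "/etc/bind/tls/ca.crt";         # placeholder path
#     remote-hostname "ns1.example.test";     # placeholder name in the cert
# };
#
# zone "example.test" {
#     type secondary;
#     file "/var/cache/bind/db.example.test";
#     primaries { 203.0.113.1 port 853 tls primary-auth; };   # placeholder primary
# };
```

With this in place, DoT clients and the secondary's AXFR/IXFR never cross the network in plaintext, which is the transit confidentiality the EO text below is asking for; DNSSEC signing of the zone data is independent of it.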

On 27/01/2025 14:02, Carlos Horowicz via bind-users wrote:
IMHO this has nothing to do with DNSSEC, it sounds more like the urge to encrypt resolver traffic (I guess they're referring to DoT)

On 27/01/2025 13:55, Marc wrote:
FYI - EO 14144 has the following provision related to encrypting DNS:

(c) Encrypting Domain Name System (DNS) traffic in transit is a critical
step to protecting both the confidentiality of the information being
transmitted to, and the integrity of the communication with, the DNS
resolver.
   (i) Within 90 days of the date of this order, the Secretary of
Homeland Security, acting through the Director of CISA, shall publish
template contract language requiring that any product that acts as a DNS
resolver (whether client or server) for the Federal Government support
encrypted DNS and shall recommend that language to the FAR Council.
Within 120 days of receiving the recommended language, the FAR Council
shall review it, and, as appropriate and consistent with applicable law,
the agency members of the FAR Council shall jointly take steps to amend
the FAR.
   (ii) Within 180 days of the date of this order, FCEB agencies
shall enable encrypted DNS protocols wherever their existing clients and
servers support those protocols. FCEB agencies shall also enable such
protocols within 180 days of any additional clients and servers
supporting such protocols.
....
Disclaimer, not really a DNS expert

What is this referring to, DNSSEC? AFAIK that is just signing traffic, no? What is the point of encrypting data with the current implementation of certificates? Even Google does not trust CAs with its certificate pinning.



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users