As a belated note, the BIND distribution used to include instructions (in /dnspriv) for putting nginx in front of the nameserver to implement DoT. Anecdotally, many people I talked to seemed to have no understanding or awareness just how simple this implementation is / was.[0] We need better implementations of things like this: https://github.com/m3047/tcp_only_forwarder
I don't think everything on the planet needs to support encryption out of the box if composable components are available. That just bakes in a potential supply chain compromise everywhere, all at once, as was demonstrated with the SSL + systemd xz compromise recently (https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/). We need to build awareness of easy to use security practica.

-- Fred Morris

[0] I've got the directory mirrored because I still encounter people who don't understand the concept: https://athena.m3047.net/pub/bind/dnspriv/

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
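To make the "nginx in front of the nameserver" arrangement concrete, here is an added example of an nginx stream configuration that terminates TLS on the DNS-over-TLS port and relays the plain TCP DNS stream to a resolver on loopback. It is not taken from the BIND dnspriv directory or from the post; the certificate paths, hostname, and backend address are placeholders, and it assumes nginx was built with the stream module and that the nameserver is already listening for TCP on 127.0.0.1:53.

```nginx
# Added example (not from the BIND dnspriv directory or the post): an nginx
# "stream" block that terminates TLS on the DoT port (853) and hands the
# raw TCP stream to a nameserver listening on loopback port 53.
# Paths, hostnames and the backend address are placeholders.
stream {
    upstream dns_tcp {
        # Assumed: BIND (or any resolver) listening for plain TCP on loopback.
        server 127.0.0.1:53;
    }

    server {
        # RFC 7858 assigns TCP/853 to DNS over TLS.
        listen 853 ssl;
        listen [::]:853 ssl;

        # Placeholder certificate/key paths; use a certificate clients will trust.
        ssl_certificate     /etc/nginx/tls/dot.example.net.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/dot.example.net.key.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:dot:10m;

        # Forward the decrypted TCP DNS framing unchanged. The nameserver
        # itself never sees TLS, so it needs no TLS support of its own.
        proxy_pass dns_tcp;
        proxy_timeout         10s;
        proxy_connect_timeout 2s;
    }
}
```

The `stream` block goes at the top level of nginx.conf, not inside `http`. Two practical caveats: the nameserver sees every DoT query arriving from 127.0.0.1 rather than from the real client, so per-client ACLs and query logging on the resolver side lose the client address unless you account for that; and the resolver's own TLS-free TCP listener on port 53 should stay bound to loopback or be firewalled if the intent is to expose only the encrypted front end. A quick check from a BIND 9.18 or later host is `dig +tls @dot.example.net example.com`, which should succeed over 853 while the same query over plain TCP to the public address is refused.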