Debian doesn't add ESNI Record into its Name Server. Check here (ONLINE dig): https://toolbox.googleapps.com/apps/dig/#TXT/
Check these two domains: _esni.debian.org _esni.cloudflare.com

On Sun, Sep 15, 2019 at 5:31 AM Paul Wise <p...@debian.org> wrote:
>
> On Sun, Sep 15, 2019 at 5:48 AM Anthony DeRobertis wrote:
> > On 9/13/19 7:05 AM, Simon Richter wrote:
> > >
> > > Mandatory Encrypted SNI with no fallback option -- everything else can be
> > > circumvented easily.
> > >
> > > This is a game that we should not play, really. It raises the cost of
> > > running a service on the Internet so only big players can afford to do so.
> >
> > Does it? I haven't personally deployed it yet anywhere, but when I
> > briefly looked into it, it appears to require adding a DNS record & some
> > web server config. If anything, it appears to be harder to do if you're
> > a big player (e.g., making sure your DNS servers always return matching
> > ESNI and A/AAAA records, even when you have geo-targeted DNS — so much
> > easier when you only have one server.)
>
> Does anyone know if any software in Debian supports ESNI records?
>
> Looking at the RFC draft, it sounds like adding ESNI records to
> debian.org would basically duplicate the DANE records debian.org
> already has..... sigh
>
> https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1
> https://serverfault.com/questions/976377/how-can-i-set-up-encrypted-sni-on-my-own-servers
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise
>