Hi, pardon the topquote.

I think you can find the answers you're looking for here:

https://www.rfc-editor.org/rfc/rfc9325

I believe the consensus is generally that TLS 1.3 is easier to configure
securely, but you can still get good security properties out of TLS 1.2 if
configured correctly (and it is fussy).

thanks,
Rob


On Sun, Dec 15, 2024 at 10:49 AM Luca vom Bruch <luca=
40vom-bruch....@dmarc.ietf.org> wrote:

> Hello,
>
> I am new to this. I hope I may ask this question regarding TLS-encrypted
> communication between nameservers, for proposed RFC 9539.
>
> Will the ciphers be specified?
>
> In practical terms I currently enabled this for DoT on port 853 in
> BIND9.18:
>
>     protocols { TLSv1.2; TLSv1.3; };
>     ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
>     prefer-server-ciphers yes;
>
> Or will it be TLS 1.3 only?
>
> There seems to be a consensus that 1.0 and 1.1 are outdated, and 1.3 seems well
> regarded as of 2024 and doesn’t have any discussions about the ciphers.
>
> For 1.2 there is some debate about possibly unsafe ones.
>
> I don’t know if the situation compares to the HTTPS world, or whether it is less
> or more relevant for DNS.
>
> Kind regards,
>
> Luca
>
> _______________________________________________
> dns-privacy mailing list -- dns-privacy@ietf.org
> To unsubscribe send an email to dns-privacy-le...@ietf.org
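A way to check a BIND `ciphers` string like the one quoted above against the RFC 9325 recommended suites, and to build a client context with the same policy for probing your own DoT listener on 853. This is an added example, not code from the thread or from BIND; the `SAMPLE` string is constructed (the post's list plus one CBC suite, to show how a suite outside the recommended set is flagged).

```python
import socket
import ssl

# RFC 9325 Section 4.2 recommended TLS 1.2 suites, in OpenSSL naming (as used by
# BIND's `ciphers` option). All are ECDHE (forward secret) with an AEAD cipher.
RFC9325_TLS12 = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}
# RFC 9325 Section 4.2 TLS 1.3 suites (TLS_AES_128_GCM_SHA256 is the MUST).
RFC9325_TLS13 = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}

def audit_cipher_string(cipher_string: str) -> dict:
    """Split an OpenSSL-style cipher list and bucket each suite: TLS 1.3 suite,
    RFC 9325 recommended TLS 1.2 suite, or anything else (flagged for review)."""
    result = {"tls13": [], "tls12_recommended": [], "flagged": []}
    for name in cipher_string.split(":"):
        if name in RFC9325_TLS13:
            result["tls13"].append(name)
        elif name in RFC9325_TLS12:
            result["tls12_recommended"].append(name)
        else:
            result["flagged"].append(name)
    return result

def client_context_for_dot(cipher_string: str) -> ssl.SSLContext:
    """Client context mirroring the posted policy: TLS 1.2 minimum, and only the
    recommended TLS 1.2 suites from the list offered (OpenSSL manages 1.3 suites)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12 = [c for c in cipher_string.split(":") if c in RFC9325_TLS12]
    if tls12:
        ctx.set_ciphers(":".join(tls12))
    return ctx

def probe_dot(host: str, port: int = 853, cipher_string: str = "") -> tuple:
    """Connect to a DoT listener you operate and return the negotiated (protocol,
    cipher). Network call, not run offline; host must match the server certificate."""
    ctx = client_context_for_dot(cipher_string)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample: the list from the post plus one CBC suite to show flagging.
SAMPLE = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA")
```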