As an idea: some months ago dkg looked at hooking up unbound to an upstream resolver over TCP/TLS. It works, but it isn't ideal right now. Our findings:
A) client and server together negotiate TLS 1.2 (that's good!)

B) client doesn't appear to even try to validate the certificate

C) client doesn't hold open connections, but rather does one query per connection. This is a tremendous amount of overhead.

D) server selects TLS_RSA_WITH_AES_256_GCM_SHA384 even though client preferred TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

E) server offers a TLS session ticket each time, and client is not re-using the session ticket (or any other abbreviated handshake mechanism) that I can tell.

unbound client config:

    forward-zone:
        name: "."
        forward-addr: w.x.y.z@443
    server:
        ssl-upstream: yes
        tcp-upstream: yes

unbound server config:

    interface: 0.0.0.0@443
    interface: ::0@443
    access-control: 0.0.0.0/0 allow
    ssl-port: 443
    ssl-service-pem: /etc/unbound/unbound_server.pem
    ssl-service-key: /etc/unbound/unbound_server.key

-tom

On 1 July 2015 at 06:43, Dan York <y...@isoc.org> wrote:
> DNSOP participants,
>
> Will you be in Prague on the weekend before IETF 93? (Or could you get
> there?) A number of us will be involved with the hackathon happening on
> Saturday and Sunday:
>
> https://www.ietf.org/registration/MeetingWiki/wiki/93hackathon
>
> Our intent is to work on some tools/services related to DANE, DNSSEC and/or
> DNS privacy - either adding support to existing tools or projects, or
> developing something new that is useful in some way (and is not a duplicate
> of something else). We don't have specific projects lined up yet (we need
> to meet and decide what we're going to do)... but any suggestions are
> certainly welcome.
>
> If you'd like to join for either one or both days, the link to sign up is on
> that hackathon page. Here's what we wrote as an abstract:
>
> DANE / DNS Privacy / DNSSEC
>
> Contribute to access of end-systems to new developments in DNS
> Protocols: DANE support for webmail, DNS-over-TLS (application uses),
> DNS-over-DTLS (stack and uses), TLSA client certs, client privacy election
> for EDNS client-subnet, getdns language bindings, etc.
> Tools: portable tool for creating and adding DANE RRs to zones, changes to
> existing tools to support new crypto algorithms, etc.
> Measurement: New tools or sites for measuring DNSSEC or DANE deployment
> Available open source libraries: https://github.com/verisign/smaug,
> https://github.com/getdnsapi
> Available environment, support, and diagnostic tools:
> https://dnssec-tools.org, https://www.opendnssec.org
> Champions
>
> Dan York, Internet Society y...@isoc.org
> Allison Mankin, Verisign Labs aman...@verisign.com
> Willem Toorop, NLnet Labs
> Sara Dickinson, Sinodun
> Others, TBA
>
> Anyone is welcome to join with us. The current list of participants is
> here:
> https://www.ietf.org/registration/ietf93/hackathonattendance.py?sortkey=3&login=%0A
> (you can see that some people have listed that they will join in for
> DNS-related topics...)
>
> See (some of) you in Prague,
> Dan
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> y...@isoc.org +1-802-735-1624
> Jabber: y...@jabber.isoc.org
> Skype: danyork http://twitter.com/danyork
>
> http://www.internetsociety.org/
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
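An added example, not code from the thread or from unbound: a minimal DNS-over-TLS client in Python that does the two things findings B) and C) say the 2015 unbound client did not, validating the server certificate and hostname through ssl.create_default_context and reusing one TLS connection for many queries, with the two-byte length framing DNS uses over TCP/TLS (RFC 7858). The resolver name dot.resolver.example and port 853 are placeholders/assumptions.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query (A record by default) with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg):
    """Return (txid, rcode, answer_count) from a raw DNS message (length prefix already stripped)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

class DoTClient:
    """One validated TLS connection, reused for every query instead of one connection per query."""
    def __init__(self, host, port=853, auth_name=None, timeout=5.0):
        ctx = ssl.create_default_context()  # CERT_REQUIRED against system CAs, check_hostname=True
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        raw = socket.create_connection((host, port), timeout=timeout)
        # server_hostname is what the certificate must match; auth_name lets host be a bare IP
        self.sock = ctx.wrap_socket(raw, server_hostname=auth_name or host)
        self.next_txid = 1

    def _recv_exact(self, n):
        buf = b""
        while len(buf) < n:
            chunk = self.sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("resolver closed the TLS connection")
            buf += chunk
        return buf

    def query(self, name, qtype=1):
        txid, self.next_txid = self.next_txid, (self.next_txid + 1) & 0xFFFF
        self.sock.sendall(build_query(name, qtype, txid))
        (length,) = struct.unpack("!H", self._recv_exact(2))
        resp = parse_response(self._recv_exact(length))
        if resp[0] != txid:
            raise ValueError("transaction id mismatch")
        return resp

if __name__ == "__main__":
    c = DoTClient("dot.resolver.example")  # placeholder resolver name, not a real one
    print(c.query("example.com."), c.query("ietf.org.", qtype=28))  # same TLS session both times
    print(c.sock.version(), c.sock.cipher())  # check: TLS 1.2+ and an ECDHE suite
    c.sock.close()
```

Printing c.sock.cipher() after the queries is the quick way to see whether the server chose a forward-secret (ECDHE) suite, the point raised in finding D).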