On Thu 2015-07-02 16:20:30 -0400, Tom Ritter wrote:
> As an idea:  some months ago dkg looked at hooking up unbound to an
> upstream resolver over TCP/TLS.  It works, but it isn't ideal right
> now.  Our findings:
>
> A) client and server together negotiate TLS 1.2 (that's good!)
>
> B) client doesn't appear to even try to validate the certificate

this is https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658

> C) client doesn't hold open connections, but rather does one query per
>    connection.  This is a tremendous amount of overhead.
>
> D) server selects TLS_RSA_WITH_AES_256_GCM_SHA384 even though
>    client preferred TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or
>    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
>
> E) server offers a TLS session ticket each time, and
>    client is not re-using the session ticket (or any other abbreviated
>    handshake mechanism) that i can tell.

I hope to work on these issues during the hackathon.

  --dkg

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
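
Added example (not part of the original message, and not unbound's code): a Python sketch of a stub client that avoids findings B through E by validating the certificate, offering only ECDHE suites for TLS 1.2, sending all queries over one connection, and returning the TLS session for resumption. The function names, port 853, and any resolver hostname passed in are assumptions for illustration.

```python
import socket
import ssl
import struct

def make_context():
    """Client context that validates the resolver's certificate (finding B)
    and offers only forward-secret AEAD suites for TLS 1.2 (finding D)."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")           # drops static-RSA key exchange
    return ctx

def build_query(qid, name, qtype=1):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DNS over TCP/TLS prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def read_exact(sock, n):
    """Read exactly n bytes or fail if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def resolve_many(ctx, host, names, port=853, session=None):
    """Send every query over ONE TLS connection (finding C) and return the
    TLS session so the next connection can resume it (finding E).
    Pass the same ctx each time: a session is bound to its SSLContext."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            answers = []
            for qid, name in enumerate(names, start=1):
                tls.sendall(frame(build_query(qid, name)))
                (length,) = struct.unpack("!H", read_exact(tls, 2))
                answers.append(read_exact(tls, length))
            return answers, tls.session, tls.session_reused
```

Calling resolve_many a second time with the session returned by the first call lets the handshake be abbreviated when the server honours the ticket; session_reused reports whether it did.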
