Excellent idea! Looking forward to helping out with this! I will discuss with Wouter (what he thinks about this and how he would take it on), but also Sara is deep into Unbound code, especially with respect to transports!
-- Willem

On 02-07-15 at 22:36, Daniel Kahn Gillmor wrote:
> On Thu 2015-07-02 16:20:30 -0400, Tom Ritter wrote:
>> As an idea: some months ago dkg looked at hooking up unbound to an
>> upstream resolver over TCP/TLS. It works, but it isn't ideal right
>> now. Our findings:
>>
>> A) client and server together negotiate TLS 1.2 (that's good!)
>>
>> B) client doesn't appear to even try to validate the certificate
>
> this is https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658
>
>> C) client doesn't hold open connections, but rather does one query per
>> connection. This is a tremendous amount of overhead.
>>
>> D) server selects TLS_RSA_WITH_AES_256_GCM_SHA384 even though
>> client preferred TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
>>
>> E) server offers a TLS session ticket each time, and
>> client is not re-using the session ticket (or any other abbreviated
>> handshake mechanism) that i can tell.
>
> I hope to work on these issues during the hackathon.
>
> --dkg
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
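The findings quoted in this thread (B: no certificate validation, C: one query per TLS connection, D: a static-RSA cipher suite chosen over the ECDHE suites the client offered, E: session tickets never reused) each map to a client-side setting. The following is an added example, not code from the thread, from Unbound or from NLnet Labs: a minimal DNS-over-TLS client in Python's standard library that (B) verifies the upstream certificate and hostname, (C) frames several queries over one connection with the 2-byte length prefix used by DNS over TCP, (D) only offers forward-secret suites so the server cannot select a static-RSA one, and (E) keeps the TLS session object so the next connection attempts an abbreviated handshake. The class and function names (`DoTClient`, `make_context`, `has_forward_secrecy`, and so on) are mine, the cipher string is one reasonable choice rather than a recommendation from the thread, and the upstream address in the `__main__` block is a placeholder.

```python
import random
import socket
import ssl
import struct


def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query (one question, RD set) in RFC 1035 wire format."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_response(msg):
    """Return the header fields a client must check before trusting an answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def frame(msg):
    """DNS over TCP/TLS prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(recv):
    """Read exactly one length-prefixed message using a recv(n)-style callable."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the connection mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", read_exact(2))
    return read_exact(length)


def has_forward_secrecy(cipher_name):
    """True for ECDHE/DHE suites (IANA or OpenSSL naming) and for all TLS 1.3 suites."""
    n = cipher_name.upper()
    if n.startswith("TLS_"):
        body = n[4:]
        if body.startswith(("AES_", "CHACHA20_")):   # TLS 1.3 names carry no kx token
            return True
        return body.startswith(("ECDHE_", "DHE_"))   # TLS_RSA_WITH_... -> False
    return n.startswith(("ECDHE-", "DHE-"))


def make_context(ca_file=None):
    """Client context fixing findings B and D: verify the peer, offer only PFS suites."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string is an assumption for this example: no static-RSA key exchange offered.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


class DoTClient:
    """One TLS connection reused for many queries (C); session kept for resumption (E)."""

    def __init__(self, host, port=853, server_hostname=None, ca_file=None):
        self.host, self.port = host, port
        self.server_hostname = server_hostname or host
        self.ctx = make_context(ca_file)
        self.session = None
        self.sock = None

    def connect(self):
        raw = socket.create_connection((self.host, self.port), timeout=5)
        self.sock = self.ctx.wrap_socket(raw, server_hostname=self.server_hostname,
                                         session=self.session)
        self.session = self.sock.session            # reuse on the next connect()
        return self.sock.cipher()[0], self.sock.session_reused

    def query(self, qname, qtype=1):
        if self.sock is None:
            self.connect()
        q = build_query(qname, qtype)
        self.sock.sendall(frame(q))
        resp = read_framed(self.sock.recv)
        if parse_response(resp)["id"] != parse_response(q)["id"]:
            raise ValueError("transaction id mismatch")  # never accept a stray answer
        return resp

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


if __name__ == "__main__":
    # Placeholder upstream; replace with your own DNS-over-TLS resolver.
    c = DoTClient("dot.upstream.example", server_hostname="dot.upstream.example")
    cipher, reused = c.connect()
    print("negotiated", cipher, "forward secret:", has_forward_secrecy(cipher))
    for name in ("example.com", "example.net"):          # two queries, one connection
        print(name, parse_response(c.query(name)))
    c.close()
    print("second connect resumed session:", c.connect()[1])
    c.close()
```

`has_forward_secrecy` is the check to run against the suite a server actually picks: applied to the suite named in finding D it returns False, and to either suite the client preferred it returns True. `connect()` returns the negotiated suite and whether the session was resumed, which is the observable for finding E.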