Patches to unbound by Sara Dickinson (Sinodun) that are part of the DNS-over-TLS aka T-DNS project:
Patches: https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse

On Jul 2, 2015 6:09 PM, "Daniel Kahn Gillmor" <d...@fifthhorseman.net> wrote:
> On Thu 2015-07-02 16:20:30 -0400, Tom Ritter wrote:
> > As an idea: some months ago dkg looked at hooking up unbound to an
> > upstream resolver over TCP/TLS. It works, but it isn't ideal right
> > now. Our findings:
> >
> > A) client and server together negotiate TLS 1.2 (that's good!)
> >
> > B) client doesn't appear to even try to validate the certificate
>
> this is https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658
>
> > C) client doesn't hold open connections, but rather does one query per
> > connection. This is a tremendous amount of overhead.
> >
> > D) server selects TLS_RSA_WITH_AES_256_GCM_SHA384 even though
> > client preferred TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> >
> > E) server offers a TLS session ticket each time, and
> > client is not re-using the session ticket (or any other abbreviated
> > handshake mechanism) that i can tell.
>
> I hope to work on these issues during the hackathon.
>
> --dkg
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
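The five findings quoted above (TLS version, certificate validation, one query per connection, cipher choice, session ticket reuse) translate into checks an operator can run against a DNS-over-TLS upstream before trusting a stub or forwarder to it. The script below is an added example, not code from the thread, from unbound or from the Sinodun patches; it assumes Python 3.6+ (for ssl session reuse), a resolver on the RFC 7858 port 853, and the two placeholder resolver address/name values must be replaced.

```python
import socket
import ssl
import struct
DOT_PORT = 853  # DNS-over-TLS port (RFC 7858)

def build_query(qname, qid=0x1234):
    """A-record query in DNS wire format, with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack(">H", len(msg)) + msg

def parse_response(frame):
    qid, flags, _qdcount, ancount = struct.unpack(">HHHH", frame[2:10])  # skip length prefix
    return qid, flags & 0x000F, ancount  # (id, RCODE, answer count)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def recv_frame(sock):
    hdr = _recv_exact(sock, 2)  # read exactly one message so pipelined replies stay separate
    return hdr + _recv_exact(sock, struct.unpack(">H", hdr)[0])

def probe(host, server_name, cafile=None, names=("example.com.", "example.net.")):
    """Open two connections and report on each finding from the thread."""
    ctx = ssl.create_default_context(cafile=cafile)  # B: cert chain + hostname verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # A: refuse anything older
    report = {}
    with ctx.wrap_socket(socket.create_connection((host, DOT_PORT)),
                         server_hostname=server_name) as s:
        report["cipher"] = s.cipher()[0]             # D: expect an ECDHE suite
        for qid, name in enumerate(names):           # C: several queries, one connection
            s.sendall(build_query(name, qid))
        report["rcodes"] = [parse_response(recv_frame(s))[1] for _ in names]
        session = s.session                          # set once the ticket has arrived
        report["ticket_offered"] = bool(session and session.has_ticket)
    with ctx.wrap_socket(socket.create_connection((host, DOT_PORT)),
                         server_hostname=server_name, session=session) as s:
        report["session_reused"] = s.session_reused  # E: abbreviated handshake worked?
    return report

if __name__ == "__main__":  # placeholders: point these at the upstream resolver under test
    print(probe("RESOLVER_IP_PLACEHOLDER", "RESOLVER_NAME_PLACEHOLDER"))
```

A client that fails finding B shows up here as an ssl.SSLCertVerificationError rather than a report; a resolver that closes after the first answer raises ConnectionError on the second recv_frame.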