On Thu, 2 Jul 2015, Daniel Kahn Gillmor wrote:
On Thu 2015-07-02 16:20:30 -0400, Tom Ritter wrote:
As an idea: some months ago dkg looked at hooking up unbound to an
upstream resolver over TCP/TLS. It works, but it isn't ideal right
now. Our findings:
Yes. That support to allow only tcp for upstream querying was added
specifically at my request to better support Tor.
B) client doesn't appear to even try to validate the certificate
this is https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658
Yes because the TLS feature was only a port 53 circumvention technique,
not a real TLS support feature.
C) client doesn't hold open connections, but rather does one query per
connection. This is a tremendous amount of overhead.
Yes, this is the biggest problem, especially in combination with
dnssec-trigger when it falls back to upstream tcp 80 or ssl443. Too many
timeouts for a full recursing server.
I hope to work on these issues during the hackathon.
Cool!
Paul
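The two client-side problems discussed in this thread (B: no certificate validation on the TLS upstream; C: one query per connection) are easy to see in a small client. The following is an added example, not code from the thread, from unbound, or from dnssec-trigger: a minimal DNS-over-TLS client using only the Python standard library that validates the server certificate and hostname via the `ssl` defaults, and pipelines several queries over a single connection using the 2-byte length framing from RFC 7766. The resolver address and hostname (Quad9's public service) are assumptions chosen for the example; sample messages in the tests are constructed.

```python
"""DNS-over-TLS client sketch (added example, not from the thread).

Shows the two properties the thread says the 2015 unbound TLS upstream lacked:
  - certificate and hostname validation (ssl.create_default_context)
  - reuse of one TCP/TLS connection for many queries (RFC 7766 framing)
Resolver 9.9.9.9:853 / dns.quad9.net is an assumed public DoT service.
"""
import socket
import ssl
import struct


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Return one DNS query message (no length prefix). qtype 1 = A, class IN."""
    # flags 0x0100: RD set; one question, no other sections
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """RFC 7766 TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def split_stream(buf: bytes):
    """Split a TCP stream buffer into complete messages.

    Returns (messages, remainder); the remainder is a partial message still
    waiting for more bytes from the socket.
    """
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def response_summary(msg: bytes):
    """Return (id, rcode, answer_count) from a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, an


def query_over_tls(names, server="9.9.9.9", port=853, hostname="dns.quad9.net"):
    """Resolve several names over ONE validated TLS connection.

    Returns {qid: (rcode, answer_count)}. Needs network access; the rest of
    the module runs offline. Query IDs are sequential here for readability;
    a real stub resolver should randomise them.
    """
    # Default context: CERT_REQUIRED, hostname check on, system CA bundle.
    ctx = ssl.create_default_context()
    raw = socket.create_connection((server, port), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        # Pipeline: send every query first, then read replies in any order.
        expected = {}
        for qid, name in enumerate(names, start=1):
            tls.sendall(frame(build_query(qid, name)))
            expected[qid] = name
        results, buf = {}, b""
        while len(results) < len(expected):
            chunk = tls.recv(4096)
            if not chunk:  # server closed early; return what we have
                break
            buf += chunk
            msgs, buf = split_stream(buf)
            for m in msgs:
                qid, rcode, an = response_summary(m)
                if qid in expected:
                    results[qid] = (rcode, an)
        return results


if __name__ == "__main__":
    print(query_over_tls(["example.com", "ietf.org"]))
```

The design point is that both fixes are cheap on the client side: validation comes from not overriding the default TLS context, and the overhead in point C disappears once the client keeps the stream open and demultiplexes replies by message ID instead of opening a new handshake per query.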
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop