Why DNS are still travelling in clear text? The software running the DNS services worldwide are probably written in C or any languages you mentioned below.
Why don't they just strap a libressl on DNS or NanoSSL? Okay, there is DNS over https. I don't know the stats, but I doubt it's close to 100% adoption worldwide. I don't understand what is the issue about SSL, zero trust has anything to do about collecting flows. Do I need ssl to run shell commands in my terminal to read flows? Not really. Do I need to strap ssl on grep, notepad and excel? I'm not sure how could one do that. When you see the flows of your customers, you have access to how many times did they use Netflix, facebook and anything you could think of because these people are querying DNS to reach these... in clear text. They are also hitting servers that are well known. I would worry more about who is reading the flows of my business' customers than these flows being not protected by SSL. They are anyway in a highly secure environment with zero trust. So if you don't like elastiflow or any software that are not being protected by SSL, then maybe switch off your computer. Protonmail won't help you to keep your digital life secure. This email was sent by a secure infrastructure using TLS 1.2 and clear text dns. Thank you Jean -----Original Message----- From: NANOG <nanog-bounces+jean=ddostest...@nanog.org> On Behalf Of Laura Smith via NANOG Sent: January 28, 2022 5:15 AM To: Mel Beckman <m...@beckman.org> Cc: nanog@nanog.org list <nanog@nanog.org> Subject: Re: [EXTERNAL] Re: Flow collection and analysis ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, January 28th, 2022 at 03:55, Mel Beckman <m...@beckman.org> wrote: > But nobody asked for anything from scratch Eric. Open SSL is it complete > ready to integrate package. Any developer worth his salt should be able to > put it on any web application. In addition to OpenSSL, there are very compact > commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you want to > really simplify the process. > Yup. Every single modern programming language out there has a crypto library. The high-level languages (e.g. Go) have crypto built into the standard library. The low-level languages (e.g C or Rust) all have at least one or more well supported third party crypto libraries (e.g. for C there's OpenSSL, GnuTLS, LibreSSL, Boring SSL, Mbed TLS ... and those are the ones that I can think of off the top of my head). There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.
