On 08.10.2017 23:05, Santiago R.R. wrote:
> I would also suggest to use DNS-over-TLS, so (exit) relays could be able to encrypt their queries to a privacy-aware DNS resolver [...]
I like SSL for the resulting cost increase in listening to a connection. However, the Unbound documentation states:
ssl-upstream: <yes or no> Enabled (sic) or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios.
Do you have any data on the percentage of queries that fail with SSL *only* because upstream nameservers don't support SSL? I imagine the majority of servers don't support it (my own authoritative nameservers among them).
Also, manually adding forward-zone entries implies trusting specific servers beyond the regular root zone servers, which rubs me the wrong way.
-Ralph
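Added illustration, not part of the thread and not taken from Unbound's own documentation: what the quoted ssl-upstream option ends up requiring in practice. The option is global, so it also applies to the iterative queries Unbound would otherwise send to root and authoritative servers; it only produces working resolution when a forward-zone for "." sends every query to a resolver that actually listens for TLS on port 853. The address 192.0.2.53 is a placeholder from the RFC 5737 documentation range, not a real resolver, and the trust-anchor path is an assumption about a typical install.

```conf
# unbound.conf fragments, added for illustration. 192.0.2.53 is a
# placeholder (RFC 5737 documentation range), not a real DoT resolver.
# Use ONE of the two server: blocks below, not both.

# --- Variant A: does not work as intended ---
# No forward-zone, so Unbound still recurses from the root hints, and
# ssl-upstream makes it attempt TLS to root and authoritative servers,
# almost none of which listen on 853. Lookups fail or time out.
server:
    ssl-upstream: yes

# --- Variant B: works, at the cost of trusting one forwarder for everything ---
server:
    ssl-upstream: yes
    # Keep DNSSEC validation enabled so the forwarder cannot forge answers
    # in signed zones; it can still see (and log) every query you send.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

forward-zone:
    name: "."                      # forward every query ...
    forward-addr: 192.0.2.53@853   # ... to the resolver's DNS-over-TLS port
```

To check whether a particular nameserver answers on 853 at all, `openssl s_client -connect <ip>:853` is enough to tell a refused or timed-out connection from a completed TLS handshake; that is the check to run against each candidate forwarder before pointing the "." zone at it.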