On 09/10/17 at 09:32, Ralph Seichter wrote:
> On 08.10.2017 23:05, Santiago R.R. wrote:
>> I would also suggest to use DNS-over-TLS, so (exit) relays could be able to encrypt their queries to a privacy-aware DNS resolver [...]
> I like SSL for the resulting cost increase in listening to a connection.

AFAIU, some recursive implementations already support TCP Fast Open (RFC 7413) to reduce the cost of opening a connection. They also pipeline multiple queries over a single TCP connection.

> However, the Unbound documentation states:
> ssl-upstream: <yes or no> Enabled (sic) or disable whether the upstream queries use SSL only for transport. Default is no. Useful in tunneling scenarios.
> Do you have any data on the percentage of queries that fail with SSL *only* because upstream nameservers don't support SSL? I imagine the majority of servers don't support it (my own authoritative nameservers among them).

No, I don't. And I suppose you're right, the majority of upstream nameservers don't support it. Related RFCs are quite recent, so it's not surprising. My Stubby resolver works well, and I don't notice any issues querying external domains.

> Also, manually adding forward-zone entries implies trusting specific servers beyond the regular root zone servers, which rubs me the wrong way.

Yes, indeed. I trust the people running the relays I listed.

And there is also DNSSEC, where available.
-- Santiago
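The Unbound configuration the thread is discussing, written out as an added example (it is not from the thread or from the Unbound project). It combines the ssl-upstream option quoted above with a forward-zone for "." and DNSSEC validation. The forwarder address 192.0.2.53 is a placeholder from the TEST-NET-1 range, and the trust anchor path is an assumption; replace both with values for your own deployment.

```conf
# Added example, not from the thread: unbound.conf sending every upstream
# query over TLS to one forwarding resolver, with DNSSEC validation.
server:
    # All upstream queries use TLS only. Root and authoritative servers
    # generally do not speak DNS-over-TLS (the point raised in the thread),
    # so this option only works when paired with a forward-zone for "."
    # that covers everything; otherwise resolution simply fails.
    ssl-upstream: yes

    # Validate DNSSEC signatures on the answers the forwarder returns, so a
    # misbehaving forwarder cannot silently alter signed data.
    # The path is an assumption; use the trust anchor file your system ships.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    # Catch-all zone: every query goes to the trusted forwarder.
    name: "."
    # Placeholder address (TEST-NET-1), to be replaced with the
    # privacy-aware resolver you trust. "@853" selects the DNS-over-TLS port.
    forward-addr: 192.0.2.53@853
```

Check the file with `unbound-checkconf` before restarting. Note that this configuration only encrypts the transport; as written, Unbound does not verify the forwarder's certificate, so it defeats passive observation but not an active attacker who impersonates the forwarder. Later Unbound releases add `tls-cert-bundle` together with a `#hostname` suffix on `forward-addr` to authenticate the TLS endpoint, and rename the option to `tls-upstream`.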