I didn’t mention this before but since you ask… I wrote a DNS server from scratch as a DNS Hybrid Proxy (DNS-SD). It was UDP only. I wanted to add TLS support so I first added TCP on the Thursday of IETF in about 7 hours (no meetings I was interested in). Then I added TLS support on top of TCP using OpenSSL in about 1 hour. I used Sarah’s LDNS patches to drill to test it and TLS worked great. I should mention that I’m using libevent. I haven’t done any performance testing yet but I have to say it was very easy to modify an existing UDP-only server. Next, I want to add DTLS. Stuart Cheshire and I have a draft out on DNS Push Notifications that provides pub/sub for DNS. It requires TLS. This was my motivation for making my server work over TLS.
Thanks,
Tom

> On Apr 22, 2015, at 8:43 PM, Watson Ladd <[email protected]> wrote:
>
> I agree that DNSCurve is the best solution. Many of the proponents of TLS based solution haven't adequately considered how this affects anycast, DOS resistance, etc. Confidential-DNS can only be fixed by essentially becoming DNSCurve.
>
> It's clear that deployed, working solutions need to be adopted. When people say it's easy to implement DNS-over-TCP/TLS, and haven't, I think that's a warning sign.
>
> Sincerely,
> Watson Ladd
>
> On Wed, Apr 22, 2015 at 7:19 AM, Simon Josefsson <[email protected]> wrote:
>> I support adopting 3) draft-hzhwm-dprive-start-tls-for-dns. It may not be in shipping shape, but I think it is a worthy path to pursue and can be tweaked further along. In particular, I think it would be a good idea to consider pushing documents for DNS-over-TCP/TLS and DNS-over-UDP/DTLS at the same time, with harmonized authentication language.
>>
>> Re 1 and 2, I don't understand what advantage they would give compared to DNS-over-TLS, DNS-over-DTLS, or DNSCurve. I believe a strong justification is necessary to motivate adoption. Frankly, I would prefer DNSCurve over both 1 and 2.
>>
>> /Simon
>>
>> Warren Kumari <[email protected]> writes:
>>
>>> Hi all,
>>>
>>> So, the big day has finally arrived -- we are initiating calls for adoption on the three documents. < http://i.imgur.com/SKX3P8J.gif >
>>>
>>> For *each* of the below documents, please **clearly** state if you would like DPRIVE to adopt it, or if you think that it will be a distraction / not helpful.
>>>
>>> 1) Confidential DNS:
>>> https://datatracker.ietf.org/doc/draft-wijngaards-dnsop-confidentialdns/
>>>
>>> 2) Private-DNS:
>>> https://datatracker.ietf.org/doc/draft-hallambaker-privatedns/
>>>
>>> 3) TLS for DNS: Initiation and Performance Considerations:
>>> http://datatracker.ietf.org/doc/draft-hzhwm-dprive-start-tls-for-dns/
>>>
>>>
>>> This call for adoption will be wrapping up on April 30th.
>>> At that point we will decide on one or multiple of the documents....
>>>
>>> W
>>
>> _______________________________________________
>> dns-privacy mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
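As an added example (not Tom's server and not code from any of the drafts under discussion), the following shows the piece a UDP-only DNS server has to gain when TCP is added underneath TLS: the two-octet length prefix that RFC 1035 specifies for DNS over TCP, with a deframer that copes with the stream edge cases UDP never had (a partial read, and two messages arriving in one segment), plus a strict TLS client context of the kind a DNS-over-TLS client would wrap around that TCP connection. The function names, the constructed sample query and the optional `cafile` parameter are assumptions of this example.

```python
"""DNS over TCP framing and a strict TLS context (added example, not from the thread)."""
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a minimal RFC 1035 query (header + one question) in wire format.

    Constructed sample input for this example; qtype 1 = A, qclass 1 = IN.
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its length (RFC 1035 section 4.2.2).

    Over UDP one datagram is one message; over TCP (and TLS on top of it) the
    stream has no boundaries, so every message carries a two-octet, network
    byte order length prefix.
    """
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message exceeds 65535 octets and cannot be framed")
    return struct.pack("!H", len(msg)) + msg


class TcpDnsDeframer:
    """Reassemble DNS messages from an arbitrarily chunked TCP/TLS byte stream."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> list:
        """Append received bytes and return every complete message now available.

        Handles the two stream cases a UDP server never sees: a read that ends
        in the middle of a message (buffered until the rest arrives) and a read
        that contains more than one message (all of them returned).
        """
        self.buf += data
        messages = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length == 0:
                # A zero-length message is never valid; treat it as a protocol error.
                raise ValueError("zero-length DNS message on stream")
            if len(self.buf) < 2 + length:
                break  # wait for the remainder of this message
            messages.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return messages


def tls_client_context(cafile: str = None) -> ssl.SSLContext:
    """Build a client context that verifies the server certificate and hostname.

    `cafile` is an assumed optional override; with None the system trust store
    is used. TLS 1.2 is the floor so legacy protocol versions are refused.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a certificate and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    query = build_query("example.com")
    wire = frame_for_tcp(query)
    deframer = TcpDnsDeframer()
    # Simulate a torn read followed by a segment holding the tail plus a whole second message.
    print(deframer.feed(wire[:5]))          # [] : incomplete, buffered
    print(len(deframer.feed(wire[5:] + wire)))  # 2 : both messages recovered
    print(context_is_strict(tls_client_context()))  # True
```

The deframer is the part worth keeping around: most DNS-over-TCP bugs in servers that grew out of UDP code come from assuming one `recv()` returns exactly one message. Wrapping the connected socket with `tls_client_context().wrap_socket(sock, server_hostname=...)` leaves the framing unchanged, which is why adding TLS on top of working TCP support is the smaller step.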
