Hi Ian,

> On 7 Apr 2018, at 08:05, Ian Maddison <[email protected]> wrote:
>
> Hi Benno,
>
> On Sat, 7 Apr 2018, at 01:35, Benno Overeinder wrote:
>>
>> All solutions above are stable performant DNS-over-TLS implementations.
>> The open-source developers of all DNS resolvers mentioned above are
>> actively engaged and work closely together to secure interoperability.
>
> Do they support RFC 7828 EDNS0 keepalive and provide out-of-order responses?
>

Fair point. In the server implementation table
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status
the ticks for RFC 7828 EDNS0 keepalive and OOP in the "context" of TCP/TLS
features are currently BIND only.

But to put things in perspective, we now have a colourful bag of caching
resolvers/forwarders, with or without reverse proxies (e.g., NGINX, HAProxy
or dnsdist), that can be used in various setups to run a DNS-over-TLS
service.

I very much appreciate your operational perspective on the DNS-over-TLS
implementations, either providing them to customers (running the servers)
or how you would like to see these services made available (from a client
perspective). I hope to continue this discussion with you and other network
engineers/operators.

To end on a positive swing, there is a lot of energy among the open-source
DNS software developers and we are close to putting the final ticks in the
implementation table. Unbound will do so in one of the next releases, Knot
Resolver made good progress in the past period, BIND developers are
implementing DNS-over-TLS natively, and the PowerDNS developers support
DNS-over-TLS in their product range.

Cheers,

— Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
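As an added example (not from this thread or from any of the resolvers named in it), this is what the feature Ian asks about looks like on the wire: the RFC 7828 edns-tcp-keepalive option (code 11) is sent by a client with an empty payload and echoed by a server with a 2-byte TIMEOUT in units of 100 ms inside the OPT pseudo-RR. All function names and the sample OPT record are my own constructions.

```python
import struct

EDNS_OPT_TYPE = 41         # OPT pseudo-RR type (RFC 6891)
EDNS_TCP_KEEPALIVE = 11    # edns-tcp-keepalive option code (RFC 7828)


def build_opt_rr(options, udp_size=1232):
    """Encode an OPT RR: root name, type 41, CLASS = UDP payload size, TTL = 0, then options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def keepalive_option(timeout_100ms=None):
    """Client form has no payload (length 0); server form carries a 16-bit TIMEOUT in 100 ms units."""
    if timeout_100ms is None:
        return (EDNS_TCP_KEEPALIVE, b"")
    return (EDNS_TCP_KEEPALIVE, struct.pack("!H", timeout_100ms))


def parse_opt_rr(opt):
    """Decode an OPT RR in root-name form into a list of (option-code, option-data) pairs."""
    if not opt or opt[0] != 0:
        raise ValueError("OPT RR must be owned by the root name")
    rtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", opt[1:11])
    if rtype != EDNS_OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata = opt[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated OPT RDATA")
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if pos + 4 + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        options.append((code, rdata[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return options


def keepalive_timeout_seconds(opt):
    """Idle timeout the server granted, in seconds; None if it did not echo the option.
    A TIMEOUT of 0 means the server wants the connection closed after this response."""
    for code, data in parse_opt_rr(opt):
        if code == EDNS_TCP_KEEPALIVE:
            if len(data) != 2:
                raise ValueError("server keepalive option must carry a 2-byte TIMEOUT")
            return struct.unpack("!H", data)[0] / 10.0
    return None


# Constructed sample: a server echoing a 20 s (200 x 100 ms) idle timeout.
SAMPLE_SERVER_OPT = build_opt_rr([keepalive_option(200)])
```

A client that sees `None` from `keepalive_timeout_seconds` on a TCP/TLS response knows the server did not negotiate RFC 7828 and should fall back to its own conservative idle timer.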
