Hi Ian,

> On 7 Apr 2018, at 08:05, Ian Maddison <ian@mad.paris> wrote:
> Hi Benno,
> On Sat, 7 Apr 2018, at 01:35, Benno Overeinder wrote:
>> All solutions above are stable performant DNS-over-TLS implementations.
>> The open-source developers of all DNS resolvers mentioned above are
>> actively engaged and work closely together to secure interoperability.
> Do they support RFC 7828 EDNS0 keepalive and provide out-of-order responses?

Fair point.  

In the server implementation table 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status the 
ticks with RFC 7828 EDNS0 keepalive and OOP in the “context” of TCP/TLS
features are currently BIND only. 

But to put things in perspective, we have now a colourful bag of caching 
resolvers/forwarders, with or without reverse proxies (e.g., NGINX, HAProxy or 
dnsdist) that can be used in various setups to run a DNS-over-TLS service.  I 
very much appreciate your operational perspective on the DNS-over-TLS 
implementations, either providing them to customers (running the servers) or 
how you would like to see these services made available (from a client 
perspective).  I hope to continue this discussion with you and other network 

To end in a positive swing, there is a lot of energy with the open-source DNS 
software developers and we are close to putting the final ticks in the
implementation table.  Unbound will do so in one of the next releases, Knot 
resolver made good progress in the past period, BIND developers are 
implementing DNS-over-TLS natively, and the PowerDNS developers support 
DNS-over-TLS in their product range.
— Benno

Benno J. Overeinder
NLnet Labs
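
The two TCP/TLS features Ian asks about, shown as an added example that is not part of this thread or of any resolver named in it: a small Python encoder/decoder for the RFC 7828 edns-tcp-keepalive EDNS0 option (code 11; the client sends it empty, the server answers with a timeout in units of 100 ms) plus out-of-order matching of length-framed responses by message ID. All function names and sample messages below are constructed for the example.

```python
import struct

EDNS_TCP_KEEPALIVE = 11   # EDNS0 option code assigned by RFC 7828
OPT_TYPE = 41             # OPT pseudo-RR type carrying EDNS0 options

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(msg_id, qname, flags=0x0100, keepalive_timeout=None):
    """Minimal DNS message: one question plus an OPT RR with edns-tcp-keepalive.
    keepalive_timeout=None gives the empty client form; an int gives the server
    form (2-byte TIMEOUT in 100 ms units). Constructed for this example."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN
    data = b"" if keepalive_timeout is None else struct.pack("!H", keepalive_timeout)
    option = struct.pack("!HH", EDNS_TCP_KEEPALIVE, len(data)) + data
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return header + question + opt_rr

def frame(msg):
    """DNS over TCP/TLS prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream):
    """Split a TCP byte stream into complete messages; a trailing partial frame is kept back."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

def skip_name(buf, off):
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2                 # compression pointer ends the name
        off += 1 + buf[off]
    return off + 1

def keepalive_timeout(msg):
    """Return the server's keepalive timeout in seconds, or None if the option is absent."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        end = off + rdlen
        while rtype == OPT_TYPE and off + 4 <= end:   # walk the EDNS0 options
            code, olen = struct.unpack("!HH", msg[off:off + 4])
            if code == EDNS_TCP_KEEPALIVE and olen == 2:
                return struct.unpack("!H", msg[off + 4:off + 6])[0] / 10.0
            off += 4 + olen
        off = end
    return None

def match_responses(stream):
    """Out-of-order processing: key each answer by its message ID, whatever order it arrived in."""
    return {struct.unpack("!H", m[:2])[0]: keepalive_timeout(m) for m in unframe(stream)}
```

A client that sees a timeout of 0 should close the connection after its pending queries, and a server that never sends the option gives the client no keepalive signal at all.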

dns-privacy mailing list