On Thu, 27 Dec 2018 at 08:33, Stephane Bortzmeyer <[email protected]> wrote:
> On Fri, Dec 21, 2018 at 06:59:43PM -0800,
>  manu tman <[email protected]> wrote
>  a message of 43 lines which said:
>
> > As some of you already know, Cloudflare and Facebook have been running a pilot
> > on using DoT between Cloudflare DNS and Facebook authoritative name servers.
> > You can read more about it at
> > https://code.fb.com/security/dns-over-tls/
>
> Thanks. Very useful.
>
> I do not find how the Cloudflare resolver discovers that Facebook
> authoritative name servers use DNS-over-TLS, and what are their
> keys. Hardwired in the resolver for the experiment?

I think discovery is easy, you just try TCP port 853:

    for i in $(dig -t NS +short facebook.com | sort); do
        echo "[ $i ]"
        openssl s_client -connect ${i}:853 </dev/null | openssl x509 -text -noout
    done

shows me that both a&b .ns.facebook.com are listening on 853 and present a
cert. The subject for the cert is not especially illuminating, though. I tried
sending the resolver name via SNI and got the same cert back.

Frankly, SNI + checking the cert is valid for the nameserver hostname seems
sufficient to me in the general case.
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
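The probe sketched in the reply above, carried a step further as an added example (this is not code from the thread or from either Cloudflare's or Facebook's implementation): it connects to TCP port 853 with the name server's own hostname as SNI, lets Python's default TLS context verify the certificate against that hostname, and then sends one real DNS query using the RFC 7858 length-prefixed framing, so a successful return means "this authoritative server speaks DoT and its certificate matches its name" rather than merely "something answers on 853". The wire-format helpers are standard-library only and run offline; `probe_dot()` needs the network, and the name server hostname and query name passed to it are whatever the caller supplies (the defaults are placeholders). Error handling is deliberate: a certificate that does not match the hostname raises `ssl.SSLCertVerificationError`, which is exactly the case the reply's "subject is not especially illuminating" remark points at.

```python
"""Check whether an authoritative name server offers DNS-over-TLS (RFC 7858)
with a certificate valid for its own hostname.

Added example, not from the dns-privacy thread. Standard library only.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858 port, the one the reply probes with openssl s_client


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in wire format: header, one QCLASS IN question, no EDNS."""
    # flags 0x0100 = RD set; QDCOUNT 1, AN/NS/AR 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
        if label
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_dot(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(buf: bytes):
    """Split one length-prefixed message off the front of buf -> (message, rest)."""
    if len(buf) < 2:
        raise ValueError("need 2 length octets")
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("short read: frame announces %d octets" % length)
    return buf[2:2 + length], buf[2 + length:]


def parse_header(msg: bytes) -> dict:
    """Decode the 12-octet DNS header into the fields a probe cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n octets or raise; TLS records need not align with DNS frames."""
    chunks, got = [], 0
    while got < n:
        piece = sock.recv(n - got)
        if not piece:
            raise ConnectionError("peer closed after %d of %d octets" % (got, n))
        chunks.append(piece)
        got += len(piece)
    return b"".join(chunks)


def probe_dot(ns_host: str = "ns.example.invalid", qname: str = "example.com",
              timeout: float = 5.0) -> dict:
    """Connect to ns_host:853, verify its cert against ns_host, ask an NS question.

    Raises ssl.SSLCertVerificationError when the presented certificate is not
    valid for ns_host, and socket errors when nothing listens on 853.
    """
    ns_host = ns_host.rstrip(".")           # `dig +short NS` output carries a trailing dot
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    query = build_query(qname, qtype=2, txid=0xBEEF)
    with socket.create_connection((ns_host, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=ns_host) as tls:   # SNI = NS hostname
            tls.sendall(frame_dot(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = parse_header(_recv_exact(tls, length))
            if resp["id"] != 0xBEEF or not resp["is_response"]:
                raise ValueError("reply does not match our query")
            resp["tls_version"] = tls.version()
            resp["cert_subject"] = tls.getpeercert().get("subject")
            return resp
```

Feed it the names from `dig -t NS +short <zone>` one at a time; `rcode` 0 with a non-zero `ancount` means the server answered over TLS, while `SSLCertVerificationError` tells you it listens on 853 but the certificate would not satisfy a resolver that authenticates the name server by hostname, which is the distinction the reply is drawing.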
