Hello,
I am new to this. I hope I may ask this question regarding TLS-encrypted
communication between nameservers, for the proposed RFC 9539.
Will the ciphers be specified?
In practical terms, I have currently enabled this for DoT on port 853 in BIND 9.18:
    protocols { TLSv1.2; TLSv1.3; };
    ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
    prefer-server-ciphers yes;
Or will it be TLS 1.3 only?
There seems to be a consensus that 1.0 and 1.1 are outdated, and 1.3 seems well
regarded as of 2024 and doesn't have any discussions about the ciphers.
For 1.2 there is some debate about possibly unsafe ones.
I don't know if the situation compares to the HTTPS world, or whether it is less or
more relevant for DNS.
Kind regards,
Luca