Hi, pardon the topquote. I think you can find the answers you're looking for here:
https://www.rfc-editor.org/rfc/rfc9325

I believe this consensus is generally that TLS 1.3 is easier to configure securely, but you can still get good security properties out of TLS 1.2 if configured correctly (and it is fussy).

thanks,
Rob

On Sun, Dec 15, 2024 at 10:49 AM Luca vom Bruch <luca= [email protected]> wrote:
> Hello,
>
> I am new to this. I hope I may ask this question regarding TLS encrypted communication between nameservers, for proposed RFC 9539
>
> Will the ciphers be specified?
>
> In practical terms I currently enabled this for DoT on port 853 in BIND9.18:
>
> protocols { TLSv1.2; TLSv1.3; };
> ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
> prefer-server-ciphers yes;
>
> Or will it be TLS 1.3 only?
>
> There seems to be a consensus that 1.0, 1.1 is outdated, and 1.3 seems well regarded as of 2024 and doesn't have any discussions about the ciphers.
> For 1.2 there is some debate about possibly unsafe ones.
>
> I don't know if the situation compares to the HTTPS world, or it is less or more relevant for DNS.
>
> Kind regards,
> Luca
>
> _______________________________________________
> dns-privacy mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
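For the cipher list Luca quoted: an added example (not from this thread or from BIND) that audits an OpenSSL-style cipher string against the RFC 9325 guidance Rob points to, sorting suites into TLS 1.3 names, TLS 1.2 suites with ECDHE/DHE key exchange plus an AEAD cipher, and everything else. One caveat worth knowing: OpenSSL's SSL_CTX_set_cipher_list() only governs TLS 1.2 and earlier, and TLS 1.3 suites are set through SSL_CTX_set_ciphersuites(), so TLS_* names inside a TLS 1.2 cipher list are accepted but have no effect there; the second sample string below is constructed.

```python
"""Audit a colon-separated cipher list (the form BIND's `tls` block takes) against
RFC 9325: TLS 1.3 suites are fine as-is; TLS 1.2 suites should provide forward
secrecy (ECDHE/DHE) and use an AEAD cipher (GCM or CHACHA20-POLY1305).
Added example, not code from the thread or from BIND."""

# Substrings that mark a suite RFC 9325 says MUST NOT / SHOULD NOT be negotiated.
LEGACY_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT", "ANON")


def classify_cipher(name: str) -> str:
    """Return 'tls13', 'tls12-recommended', or 'not-recommended' for one suite name."""
    if name.startswith("TLS_"):
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...); note these are ignored by
        # OpenSSL's SSL_CTX_set_cipher_list(), which only covers TLS <= 1.2.
        return "tls13"
    if any(marker in name for marker in LEGACY_MARKERS):
        return "not-recommended"
    forward_secret = name.startswith(("ECDHE-", "DHE-"))   # ephemeral key exchange
    aead = "GCM" in name or "CHACHA20-POLY1305" in name     # AEAD bulk cipher
    return "tls12-recommended" if forward_secret and aead else "not-recommended"


def audit_cipher_list(ciphers: str) -> dict:
    """Group each suite in a colon-separated list by its classification."""
    result = {"tls13": [], "tls12-recommended": [], "not-recommended": []}
    for name in filter(None, ciphers.split(":")):
        result[classify_cipher(name)].append(name)
    return result


# The list from Luca's BIND 9.18 configuration.
LUCA_CIPHERS = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
                "TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-AES128-GCM-SHA256")

# Constructed sample mixing static-RSA and CBC/HMAC suites with acceptable ones.
MIXED_CIPHERS = ("AES128-SHA:ECDHE-RSA-AES128-SHA256:"
                 "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305")

if __name__ == "__main__":
    for label, lst in (("luca", LUCA_CIPHERS), ("mixed", MIXED_CIPHERS)):
        report = audit_cipher_list(lst)
        print(label, {k: len(v) for k, v in report.items()})
        for suite in report["not-recommended"]:
            print("  not recommended by RFC 9325:", suite)
```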
