Hi Paul,
On 01/18/2012 06:35 PM, Paul Vixie wrote:
> On 1/18/2012 3:41 PM, Paul Wouters wrote:
>>
>> The latest unbound supports DNS over (real) HTTPS.
>>
>> See unbound.conf man page options "ssl-port", "ssl-service-key" and
>> "ssl-service-pem".
>>
>> You can test it against the nlnetlabs resolver (I believe
>> open.nlnletlabs.nl ?)
>
> this sounds very cool; is there an internet draft or tech note
> describing the protocol so that others may also implement this?

It exists to bypass deep inspection firewalls, and it works. The plain DNS format as you would use over TCP, but then on an SSL connection, so it's encrypted by SSLv3. Uses port number 443 (the https port, no other use of that protocol, but then, because of SSL the firewall should not be able to tell). The SSL certificates are there to make the SSL connection look legit to the firewall. The DNSSEC inside the DNS wireformat provides authentication.

There could be a technote or draft for it, but really: TCP-style DNS inside SSL for transport. That should tell enough for an implementation?
Best regards,
Wouter

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
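The transport described above (plain DNS wire format with its two-byte TCP length prefix, carried inside an SSL/TLS session to port 443), as an added example that is not part of the thread or of Unbound's code; the resolver name, CA file, query name and transaction id are assumptions:

```python
# Added example, not from the DNSOP thread or from Unbound: DNS-over-TCP
# framing sent through a TLS socket on port 443. Only the framing and
# header parsing run offline; query_over_tls() needs a real resolver.
import socket
import ssl
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """TCP-style DNS: two-byte big-endian length before each message."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(buf):
    """Split one complete length-prefixed message off buf.
    Returns (message, remainder) or None if buf is still incomplete."""
    if len(buf) < 2:
        return None
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + n:
        return None
    return buf[2:2 + n], buf[2 + n:]

def parse_header(msg):
    """Return the header fields a client checks; AD means the resolver
    validated DNSSEC, which is only worth trusting over an authenticated
    channel such as this TLS session."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x20),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def query_over_tls(qname, server, port=443, cafile=None):
    """Send one framed query inside TLS and return the raw DNS response.
    The client verifies the server certificate (a firewall only sees TLS)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame_tcp(build_query(qname)))
        buf = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before a full DNS message")
            buf += chunk
            got = read_framed(buf)
            if got:
                return got[0]
```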
