On 09/10/17 at 09:32, Ralph Seichter wrote:
> On 08.10.2017 23:05, Santiago R.R. wrote:
>
> > I would also suggest to use DNS-over-TLS, so (exit) relays could be
> > able to encrypt their queries to a privacy-aware DNS resolver [...]
>
> I like SSL for the resulting cost increase in listening to a connection.

AFAIU, some recursive implementations already support TCP fast open (RFC7413) to reduce the cost of opening a connection. They also pipeline to send multiple queries over a single TCP connection.

> However, the Unbound documentation states:
>
> ssl-upstream: <yes or no> Enabled (sic) or disable whether the
> upstream queries use SSL only for transport. Default is no. Useful
> in tunneling scenarios.
>
> Do you have any data on the percentage of queries that fail with SSL
> *only* because upstream nameservers don't support SSL? I imagine the
> majority of servers don't support it (my own authoritative nameservers
> among them).

No, I don't. And I suppose you're right, the majority of upstream nameservers don't support it. Related RFCs are quite recent, so it's not surprising. My stubby resolver works well, and I haven't noticed any issues querying external domains.

> Also, manually adding forward-zone entries implies trusting specific
> servers beyond the regular root zone servers, which rubs me the wrong
> way.

Yes, indeed. I trust the people running the relays I listed. And there is also DNSSEC, where available.

--
Santiago

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
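To make the ssl-upstream / forward-zone interaction discussed above concrete, here is an added Unbound configuration fragment. It is an illustration written for this page, not configuration posted by Santiago or Ralph and not taken from the Unbound documentation. The forwarder address 192.0.2.53 is a placeholder from the RFC 5737 documentation range, port 853 is the DNS-over-TLS port from RFC 7858, and the trust-anchor path is a common but assumed location; all three are assumptions.

```conf
# Added illustration, not from the thread. Uses the option quoted above:
# ssl-upstream applies to EVERY upstream query Unbound sends, so it only
# works when every upstream is a TLS-capable forwarder.

server:
    ssl-upstream: yes
    # Keep DNSSEC validation on so the forwarder is trusted only for
    # transport/privacy, not for the answers themselves (where the zone
    # is signed). Path is an assumption; adjust to your distribution.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Without this forward-zone for ".", ssl-upstream: yes would make Unbound
# attempt TLS to the root and authoritative servers, which (as noted in
# the thread) generally do not speak it, so resolution would fail.
forward-zone:
    name: "."
    # 192.0.2.53 is a placeholder (RFC 5737); replace it with a resolver
    # whose operators you actually trust to see your relay's queries.
    forward-addr: 192.0.2.53@853
    # Do not fall back to plain recursion if the forwarder is unreachable;
    # that would silently send cleartext queries to authoritative servers.
    forward-first: no
```

A quick sanity check after restarting Unbound is to watch outbound traffic from the relay (for example `tcpdump -ni <iface> 'port 53 or port 853'`): only TCP to 192.0.2.53 on port 853 should appear, and no UDP/53 to other addresses. If port 53 traffic still shows up, the forward-zone is not matching every query and cleartext lookups are leaking.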
