[dns-operations] Introducing DNSCrypt
Rubens Kuhl
rubensk at nic.br
Tue Dec 6 20:17:32 UTC 2011
On Dec 6, 2011, at 3:01 PM, Stephane Bortzmeyer wrote:
> On Tue, Dec 06, 2011 at 02:26:55PM -0200,
> Rubens Kuhl <rubensk at nic.br> wrote
> a message of 107 lines which said:
>
>> IPSEC
>
> IPsec is clearly not deployed. There are many reasons for that but one
> of the most important seems to be the difficulty of distributing
> keys. Relying on IPsec to secure DNS is not realistic.
The L2TP+IPSEC remote access with Windows Server CA through IIS seems to survive both administrator and user limitations quite well… one probably doesn't change the DNS recursor that often.
(Note: Windows L2TP is just an example of underlying IPSEC usage, not a suggestion to use L2TP to tunnel DNS)
>
>> SSL
>
> You mean DTLS (the old SSL protocol requires TCP)? It is not widely
> deployed yet but seems an interesting approach.
>
>
DTLS would be better indeed.
Rubens