[dns-operations] DNS-over-TLS in public resolvers

Phillip Hallam-Baker phill at hallambaker.com
Sun Mar 5 16:01:28 UTC 2017

On Tue, Feb 28, 2017 at 4:21 PM, Paul Hoffman <phoffman at proper.com> wrote:

> On 28 Feb 2017, at 11:35, Stephane Bortzmeyer wrote:
>> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
>> non-standard DNScrypt and, for the others (Google, Verisign,
>> Yandex...), I find nothing. Isn't it time to push them to add this
>> feature?
> Another way to ask is: how can we encourage some/many of the public
> resolvers to do so? Is there someone on this list from the part of Verisign
> that runs or from Comodo It could look very
> forward-looking of a public resolver to do this, for example.

There are two issues, both of which I brought up at the start of DPRIV:

1) Must be supported by browsers.
2) Protocol MUST be entirely state free

If you want a protocol to be deployed, you need to solicit input from the
people who you need for deployment and take notice of it. DNS over anything
TCP is not going to measure up.

At this point TCP Fast start is irrelevant as well. I can't see that
gaining widespread deployment with QUIC in the works.

If we were to deploy a standards based scheme, it would probably need to be
DNS over QUIC.

Another problem the IETF suffers from at the moment is that a proposal
that is small enough to be acceptable for IETF process is often smaller
than the minimum deployable feature size.