[dns-operations] Detecting DNS hijacking (Was: new public DNS service: 9.9.9.9
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Nov 21 14:55:27 UTC 2017
On Tue, Nov 21, 2017 at 12:16:48PM +0000,
Jeremy Harris <jgh at wizmail.org> wrote
a message of 17 lines which said:
> Would one, as a client, also need to enforce certificate pinning to
> assure authentication of the 9.9.9.9 you're talking TLS to?

Sure. RFC 7858, section 4. But also wait for the future RFC, more
comprehensive about DNS-over-TLS authentication, which is currently in
the RFC Editor queue:
<https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/>

At the present time, it seems Quad9 does not publish the keys in an
official way. This is currently being discussed with them.
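
Added example, not part of the original message: a client-side check of a server certificate against an out-of-band pin set, using the SHA-256 fingerprint of the SubjectPublicKeyInfo that the key-pinned profile in RFC 7858 section 4 relies on. The function names and the certificate skeleton are constructed for illustration; no real Quad9 key or pin is used.

```python
import base64
import hashlib

def read_tlv(buf, off):
    """Parse one DER TLV at `off`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional explicit [0] version
        pos = end
    for field in range(5):               # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_pin(cert):
    """Base64 SHA-256 of the SPKI, the fingerprint form defined in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert)).digest()).decode()

def pin_matches(cert, pin_set):
    """True only if the server key is in the configured pin set (fails closed)."""
    return spki_pin(cert) in pin_set

def enc(tag, content):
    assert len(content) < 0x80           # short-form lengths suffice for the sample
    return bytes([tag, len(content)]) + content

def sample_cert(key):
    """Constructed certificate skeleton for the demo; not a real certificate."""
    spki = enc(0x30, enc(0x30, enc(0x06, b"\x2b\x65\x70")) + enc(0x03, b"\x00" + key))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01")
              + enc(0x30, b"") * 4 + spki)
    return enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00")), spki

if __name__ == "__main__":
    cert, _ = sample_cert(bytes(range(32)))      # constructed key bytes
    other, _ = sample_cert(bytes(32))            # certificate with a different key
    pins = {spki_pin(cert)}                      # pin set obtained out of band
    print(pin_matches(cert, pins), pin_matches(other, pins))
```

On a live connection the DER certificate would come from `ssl.SSLSocket.getpeercert(binary_form=True)`; an empty pin set rejects every server.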