[dns-operations] Detecting DNS hijacking (Was: new public DNS service:

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Nov 21 14:55:27 UTC 2017

On Tue, Nov 21, 2017 at 12:16:48PM +0000,
 Jeremy Harris <jgh at wizmail.org> wrote 
 a message of 17 lines which said:

> Would one, as a client, also need to enforce certificate pinning to
> assure authentication of the you're talking TLS to?

Sure. RFC 7858, section 4. But also wait for the future RFC, more
comprehensive about DNS-over-TLS authentication, which is currently in
the RFC Editor queue.

At the present time, it seems Quad9 does not publish the keys in an
official way. This is currently being discussed with them.

