[getdns-api] STARTTLS in GetDNS

Paul Hoffman paul.hoffman at vpnc.org
Tue Jul 1 07:56:31 MST 2014

On Jul 1, 2014, at 6:48 AM, John Dickinson <jad at sinodun.com> wrote:

> We chatted about this briefly at ICANN and you asked me to remind you with an email.
> draft-hzhwm-start-tls-for-dns-00 defines a starttls encryption method for DNS. I consider it to be hop by hop opportunistic encryption. According to my brief reading of draft-hoffman-uta-opportunistic-tls-00 opportunistic means "An application supports opportunistic encryption using TLS if the application attempts to perform TLS negotiation without the user who is running the application knowing whether or not TLS is in use."
> So if I were to add STARTTLS to GetDNS should it be done in the context or in an extension?

This should probably wait for the results of whatever the DNSOP WG wants to do about DNS privacy. One proposal is DNS-over-DTLS, another is DNS-over-TLS, and another is DNS-over-somethingelse.

--Paul Hoffman
