From mboxrd@z Thu Jan  1 00:00:00 1970
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Thu, 13 Dec 2018 07:52:57 +0100
Message-ID: <9a4143e8cc1adb0ef9bba22a540e325678a3d4e5.camel@ipfire.org>
In-Reply-To: <c0610d61e7dd43d8f623fb08c1b9f916cacec308.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1101493994988824285=="
List-Id: <development.lists.ipfire.org>

--===============1101493994988824285==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi all,
a little update to this comment

Am Mittwoch, den 12.12.2018, 18:44 +0100 schrieb ummeegge:
>=20
> As a beneath one, Cloudflair offers TLS1.3 support since a couple of
> days/weeks now.
>=20

have tested now a couple of DoT servers and wanted to update some infos
causing encryption but also sorted by speed:

*.quad9.net                                 (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA=
-SHA512)-(AES-256-GCM)
9.9.9.10        in 12.4 ms

*.quad9.net                                 (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA=
-SHA512)-(AES-256-GCM)
9.9.9.9         in 18.7 ms

rec1.dns.lightningwirelabs.com              (TLS1.2)-(ECDHE-X25519)-(ECDSA-SH=
A512)-(CHACHA20-POLY1305)
81.3.27.54      in 24.9 ms

*.tenta.io                                  (TLS1.2)-(ECDHE-SECP521R1)-(ECDSA=
-SHA256)-(CHACHA20-POLY1305)
99.192.182.200  in 28.7 ms

kaitain.restena.lu                          (TLS1.2)-(ECDHE-SECP256R1)-(RSA-S=
HA512)-(AES-256-GCM)
158.64.1.29     in 29.6 ms

dnsovertls2.sinodun.com                     (TLS1.2)-(ECDHE-SECP256R1)-(RSA-S=
HA256)-(AES-256-GCM)
145.100.185.17  in 45.1 ms     =20

*.cloudflare-dns.com                        (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA=
-SECP256R1-SHA256)-(AES-256-GCM)
1.0.0.1         in 46.1 ms

*.cloudflare-dns.com                        (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA=
-SECP256R1-SHA256)-(AES-256-GCM)
1.1.1.1         in 47.8 ms

dot-de.blahdns.com                          (TLS1.3)-(ECDHE-SECP256R1)-(RSA-P=
SS-RSAE-SHA256)-(AES-256-GCM)
159.69.198.101  in 61.1 ms

dns.neutopia.org                            (TLS1.2)-(ECDHE-SECP256R1)-(RSA-S=
HA256)-(AES-256-GCM)
89.234.186.112  in 62.2 ms

securedns.eu                                (TLS1.3)-(ECDHE-SECP256R1)-(RSA-P=
SS-RSAE-SHA256)-(AES-256-GCM)
146.185.167.43, 146.185.167.43
in 72.8 ms      in 75.1 ms

getdnsapi.net                               (TLS1.2)-(ECDHE-SECP256R1)-(RSA-S=
HA256)-(AES-256-GCM)
185.49.141.37   in 88.4 ms

dnsovertls3.sinodun.com                     (TLS1.3)-(ECDHE-SECP256R1)-(RSA-P=
SS-RSAE-SHA256)-(AES-256-GCM)
145.100.185.18  in 91.2 ms

dns.cmrg.net                                (TLS1.2)-(ECDHE-SECP256R1)-(RSA-S=
HA256)-(AES-256-GCM)
199.58.81.218   in 100.8 ms



Lightningwirelabs is really pretty fast (@Michael, did you changed to curve25=
519 ? seems to be some ms faster)=20
but also TLS1.3 seems to become more common as i thought.

Best,

Erik=20










--===============1101493994988824285==--