From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Mon, 10 Dec 2018 00:21:03 +0000
In-Reply-To: <1a6da97b7616f5d73650ad6ed6f89a2cc8d2775c.camel@ipfire.org>

Hi,

> On 5 Dec 2018, at 07:35, ummeegge wrote:
>
> Hello Peter,
> and thanks for your response.
>
> On Tuesday, 04.12.2018, at 17:19 +0100, Peter Müller wrote:
>> I am pretty sure there is still huge interest in adding DoT support
>> to IPFire - in my point of view, yesterday's telephone conference
>> showed this again.
>>
> Good to hear. Wanted to be part of the last conference but my jobsite
> has had other plans.
>
>> Our problem seems to be a lack of coordination: You are developing
>> pretty much (OpenSSL 1.1.1 comes to my mind), which is simply great.
> I do not really see a lack of coordination here, or is somebody else
> working on DoT currently?
> OpenSSL-1.1.1 might be a good/important
> addition to DoT -->
>
> https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-02
> --> https://blog.cloudflare.com/encrypted-sni/ which also brings some
> other interesting side effects -->
> https://www.dnsthingy.com/2018/10/encrypted-sni-death-blow-to-transparent-filtering/
> ...
>
>> I can only speak for myself here, but do not have any overview about
>> what these are in detail. :-)
>>
> Not 100% sure what you mean, do you mean an overview of other projects
> which I am currently working on?
>
>
>> Maybe joining a telco might help (nudge, nudge). :-)
>>
> I hear you :D .
> Looking forward for more_action/more_people or in general for more
> response/help in this topic.

I am not sure what you are looking for. But I just wanted to say that I am following this conversation.

So far I think that there are indeed many people interested in DoT. However, I have not received any feedback on what I was mailing before.

I think what is best now is to get this into small patches. What needs to be done to get this UI ready so that people can add those DNS servers? What will the default behaviour be? How will we make sure that the system does not fall back (to unauthenticated DNS)?

I think that we can leave OpenSSL 1.1.1 aside for this for now, because it works perfectly fine with TLS 1.2. We should not mix multiple things together when they have no strict dependency (although I am really looking forward to see TLS 1.3 in IPFire soon).

Best,
-Michael

> Best,
>
> Erik