From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Thu, 13 Dec 2018 16:26:20 +0000
In-Reply-To: <9a4143e8cc1adb0ef9bba22a540e325678a3d4e5.camel@ipfire.org>

Hi,

> On 13 Dec 2018, at 06:52, ummeegge wrote:
>
> Hi all,
> a little update to this comment
>
> On Wednesday, 12.12.2018, 18:44 +0100, ummeegge wrote:
>>
>> As a beneath one, Cloudflare offers TLS1.3 support since a couple of
>> days/weeks now.
>>
>
> have tested now a couple of DoT servers and wanted to update some infos
> regarding encryption but also sorted by speed:
>
> *.quad9.net (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM)
> 9.9.9.10 in 12.4 ms
>
> *.quad9.net (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM)
> 9.9.9.9 in 18.7 ms
>
> rec1.dns.lightningwirelabs.com (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-POLY1305)
> 81.3.27.54 in 24.9 ms
>
> *.tenta.io (TLS1.2)-(ECDHE-SECP521R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)
> 99.192.182.200 in 28.7 ms
>
> kaitain.restena.lu (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> 158.64.1.29 in 29.6 ms
>
> dnsovertls2.sinodun.com (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 145.100.185.17 in 45.1 ms
>
> *.cloudflare-dns.com (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> 1.0.0.1 in 46.1 ms
>
> *.cloudflare-dns.com (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> 1.1.1.1 in 47.8 ms
>
> dot-de.blahdns.com (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 159.69.198.101 in 61.1 ms
>
> dns.neutopia.org (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 89.234.186.112 in 62.2 ms
>
> securedns.eu (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 146.185.167.43 in 72.8 ms
> 146.185.167.43 in 75.1 ms
>
> getdnsapi.net (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 185.49.141.37 in 88.4 ms
>
> dnsovertls3.sinodun.com (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 145.100.185.18 in 91.2 ms
>
> dns.cmrg.net (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 199.58.81.218 in 100.8 ms
>
>
> Lightningwirelabs is really pretty fast (@Michael, did you change to curve25519? seems to be some ms faster)
> but also TLS1.3 seems to become more common than I thought.

This is the default cipher list of the OpenSSL version that is shipped with IPFire. We kind of prefer Curve25519 but not only for performance reasons. Mainly because it is free of any NSA cryptography.

But cool to see that this is actually quite slow. I suppose that it is crucial to use a permanent connection or TFO might help, too.

We are only fast because we might have the result cached and our hoster has actually really good peering to many locations. So, although you are travelling through half the country, it is not very far away from you on the Internet.

This will probably be super slow from America or somewhere further away because of the long TCP handshake.

Interesting too how we are standing out with our crypto :)

-Michael

>
> Best,
>
> Erik
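A probe in the spirit of the measurements quoted above, added here as an example and not code from this thread, from IPFire or from any of the listed resolvers: it frames a DNS query the way DNS over TLS does (RFC 7858, two-byte length prefix on TCP port 853), times the TCP connect, the TLS handshake and the query separately so the handshake cost Michael mentions is visible on its own, and reports the negotiated protocol and cipher. The resolver IP, the SNI name used for certificate validation and the query name are arguments the caller supplies; `example.org` is only a constructed default.

```python
import socket
import ssl
import struct
import time

def build_dns_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query in wire format with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def frame_dot(msg: bytes) -> bytes:
    """DoT framing (RFC 7858): two-byte big-endian length, then the DNS message."""
    return struct.pack("!H", len(msg)) + msg

def unframe_dot(data: bytes) -> bytes:
    """Strip the length prefix; reject frames whose length field does not match."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("truncated or oversized DoT frame")
    return data[2:]

def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (a frame may arrive in pieces)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf

def probe_dot(ip: str, sni: str, name: str = "example.org", timeout: float = 5.0) -> dict:
    """Connect to a DoT resolver on port 853, validate its certificate against sni,
    send one query and return the negotiated TLS parameters plus timings in ms."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    t0 = time.perf_counter()
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        t1 = time.perf_counter()                 # TCP handshake done
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            t2 = time.perf_counter()             # TLS handshake done
            tls.sendall(frame_dot(build_dns_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            answer = _recv_exact(tls, length)
            t3 = time.perf_counter()             # first answer frame received
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "tcp_ms": round((t1 - t0) * 1000, 1),
                    "tls_handshake_ms": round((t2 - t1) * 1000, 1),
                    "query_ms": round((t3 - t2) * 1000, 1),
                    "rcode": answer[3] & 0x0F}   # low nibble of flags byte 2 = RCODE
```

For instance, `probe_dot("81.3.27.54", "rec1.dns.lightningwirelabs.com")` probes the resolver measured above; running it repeatedly over one connection rather than reconnecting each time is what the keep-alive remark in the reply is about.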