Currently, we configure Encaya to use ncdns's DNS port instead of the recursive (Unbound) DNS port. This is intentional because Unbound can do insecure things, such as following a CNAME to a TLSA record in a way that trusts the ICANN root key, and also because I'm not confident in Unbound's ability to reject insecure crypto such as SHA-1 and short RSA keys. However, this is not an ideal situation, since it also means that secure usage of CNAME and NS+DS (e.g. a CNAME to another .bit domain) is rejected for TLSA records. After we phase out Unbound, we should look into making sure that the replacement recursive resolver can handle Encaya's security requirements properly, and then switch Encaya to use the recursive DNS port.
Thanks to @sowelisuwi for drawing this to my attention.
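As an added illustration of the trust concern raised in this issue (this is example code, not Encaya's or ncdns's own), the check below follows a TLSA lookup through its CNAME chain and accepts it only if every link stays inside a namespace whose trust anchor we actually control (assumed here to be `.bit`) and is signed with a DNSKEY that is not SHA-1-based and not a short RSA key. The record layout, the names and the hash values are constructed for this example.

```python
# Added example, not Encaya's code: model of the policy a recursive resolver
# would need before Encaya could safely use it for TLSA lookups.

TRUSTED_SUFFIX = ".bit."      # assumption: only Namecoin-rooted names are trusted
INSECURE_ALGS = {5, 7}        # IANA DNSSEC algs RSASHA1, RSASHA1-NSEC3-SHA1
RSA_ALGS = {5, 7, 8, 10}      # RSA-based algs where key length matters
MIN_RSA_BITS = 2048

def in_trusted_zone(name):
    return name.lower().endswith(TRUSTED_SUFFIX)

def key_acceptable(key):
    """key: {'alg': <DNSSEC alg number>, 'bits': <RSA modulus bits, if RSA>}."""
    if key["alg"] in INSECURE_ALGS:
        return False
    if key["alg"] in RSA_ALGS and key.get("bits", 0) < MIN_RSA_BITS:
        return False
    return True

def resolve_tlsa(qname, records):
    """records: owner -> {'type': 'CNAME'|'TLSA', 'data': target or rdata,
    'key': DNSKEY that signed it}. Returns (accepted, tlsa_rdata_or_reason)."""
    seen, name = set(), qname
    while True:
        if not in_trusted_zone(name):
            # Following the CNAME here would mean trusting the ICANN root key.
            return False, "chain left trusted zone at " + name
        if name in seen:
            return False, "CNAME loop at " + name
        seen.add(name)
        rr = records.get(name)
        if rr is None:
            return False, "no record for " + name
        if not key_acceptable(rr["key"]):
            return False, "weak DNSSEC key at " + name
        if rr["type"] == "TLSA":
            return True, rr["data"]
        name = rr["data"]  # CNAME: follow the target and re-check it

# Constructed sample answers (hash fields are placeholders).
SAMPLE = {
    "_443._tcp.good.bit.": {"type": "CNAME", "data": "_443._tcp.cdn.bit.", "key": {"alg": 13}},
    "_443._tcp.cdn.bit.": {"type": "TLSA", "data": "3 1 1 <hash-A>", "key": {"alg": 13}},
    "_443._tcp.leak.bit.": {"type": "CNAME", "data": "_443._tcp.example.com.", "key": {"alg": 13}},
    "_443._tcp.example.com.": {"type": "TLSA", "data": "3 1 1 <hash-B>", "key": {"alg": 8, "bits": 2048}},
    "_443._tcp.weak.bit.": {"type": "TLSA", "data": "3 1 1 <hash-C>", "key": {"alg": 5, "bits": 1024}},
}
```

`good.bit` (CNAME to another `.bit` name) is accepted, `leak.bit` is rejected because the chain crosses into the ICANN namespace, and `weak.bit` is rejected for its SHA-1 1024-bit RSA key.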