Executive Order 14144 - encrypted DNS

Carlos Horowicz carlos at planisys.com
Mon Jan 27 13:18:13 UTC 2025


I found this RFC https://www.rfc-editor.org/info/rfc9076 pretty 
interesting as it covers all topics related to DNS privacy, including 
the need to prepare for quantum-resistant algorithms and encrypting DNS 
traffic... I guess the author is not only referring to resolver traffic 
that should use DoT instead of plaintext UDP/53, but also to zone 
transfers over the Internet encrypted with TLS (thus the reference to 
certificates).

-Carlos

On 27/01/2025 14:02, Carlos Horowicz via bind-users wrote:
> IMHO this has nothing to do with DNSSEC; it sounds more like the urge 
> to encrypt resolver traffic (I guess they're referring to DoT).
>
> On 27/01/2025 13:55, Marc wrote:
>>> FYI - EO 14144 has the following provision related to encrypting DNS:
>>>
>>> (c) Encrypting Domain Name System (DNS) traffic in transit is a critical
>>> step to protecting both the confidentiality of the information being
>>> transmitted to, and the integrity of the communication with, the DNS
>>> resolver.
>>>    (i) Within 90 days of the date of this order, the Secretary of
>>> Homeland Security, acting through the Director of CISA, shall publish
>>> template contract language requiring that any product that acts as a DNS
>>> resolver (whether client or server) for the Federal Government support
>>> encrypted DNS and shall recommend that language to the FAR Council.
>>> Within 120 days of receiving the recommended language, the FAR Council
>>> shall review it, and, as appropriate and consistent with applicable law,
>>> the agency members of the FAR Council shall jointly take steps to amend
>>> the FAR.
>>>    (ii) Within 180 days of the date of this order, FCEB agencies
>>> shall enable encrypted DNS protocols wherever their existing clients and
>>> servers support those protocols. FCEB agencies shall also enable such
>>> protocols within 180 days of any additional clients and servers
>>> supporting such protocols.
>>> ....
>> Disclaimer: not really a DNS expert.
>>
>> What is this referring to, DNSSEC? AFAIK that is just signing traffic, no? 
>> What is the point of encrypting data with the current implementation 
>> of certificates? Even Google does not trust CAs, with its 
>> certificate pinning.
>>
>>