Executive Order 14144 - encrypted DNS
Fred Morris
m3047 at m3047.net
Thu Jan 30 21:25:15 UTC 2025
As a belated note, the BIND distribution used to include instructions
(in /dnspriv) for putting nginx in front of the nameserver to implement
DoT. Anecdotally, many people I talked to seemed to have no
understanding or awareness of just how simple this implementation is /
was.[0] We need better implementations of things like this:
https://github.com/m3047/tcp_only_forwarder
I don't think everything on the planet needs to support encryption out
of the box if composable components are available. That just bakes in a
potential supply chain compromise everywhere, all at once, as was
demonstrated with the SSL + systemd xz compromise recently
(https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/).
We need to build awareness of easy to use security practica.
--
Fred Morris
[0] I've got the directory mirrored because I still encounter people who
don't understand the concept: https://athena.m3047.net/pub/bind/dnspriv/
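For readers who have not seen the /dnspriv approach, the following is an added illustration (it is not the file from the BIND /dnspriv directory, nor from the post above) of the composition the post describes: nginx's stream module terminates TLS on port 853 and hands the unchanged DNS-over-TCP stream to BIND on the loopback interface. The certificate paths, the server name dns.example.net and the timeouts are assumptions; the nginx directives themselves are standard ones from ngx_stream_proxy_module and ngx_stream_ssl_module.

```nginx
# Added example, not part of the BIND distribution or the /dnspriv
# directory. Requires nginx built with --with-stream and
# --with-stream_ssl_module. Paths, names and timeouts are assumptions.

stream {
    # DoT clients (systemd-resolved, unbound, Android private DNS, kdig)
    # all speak TLS 1.2 or 1.3; do not enable anything older.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:DOT:10m;

    upstream bind_tcp {
        # BIND listens on TCP 53 by default. DoT (RFC 7858) uses the same
        # two-byte length-prefixed framing as plain DNS-over-TCP, so the
        # payload is forwarded byte for byte; nothing is rewritten.
        server 127.0.0.1:53;
    }

    server {
        listen 853 ssl;           # IANA-assigned DoT port
        listen [::]:853 ssl;

        # Assumed paths. The certificate must carry the name clients are
        # configured to verify (here dns.example.net).
        ssl_certificate     /etc/nginx/tls/dns.example.net.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/dns.example.net.key.pem;

        proxy_pass bind_tcp;
        proxy_connect_timeout 2s;
        proxy_timeout 10s;        # idle DoT sessions are closed after this
    }
}
```

Check it from a client with `kdig +tls-ca +tls-hostname=dns.example.net @<server-address> example.com A` (Knot's kdig) or, at the TLS layer only, `openssl s_client -connect <server-address>:853`. Two caveats a practitioner should keep in mind: BIND sees every DoT query as coming from 127.0.0.1, so any `allow-query` or view matching keyed on the client address no longer sees the real client; and port 53 UDP and TCP are still plaintext unless you firewall them, since this only encrypts the hop from the client to nginx.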