Executive Order 14144 - encrypted DNS
Grant Taylor
gtaylor at tnetconsulting.net
Thu Jan 30 22:45:36 UTC 2025
On 1/30/25 3:25 PM, Fred Morris wrote:
> I don't think everything on the planet needs to support encryption
> out of the box if composable components are available.
I'm inclined to agree with you.
However, the only rebuttal that I've heard which I give any serious
credence to is the ability for the endpoint that doesn't support
encryption natively to have any visibility into middle boxen being used
to add TLS or not.
E.g. an HTTP server has no inherent knowledge that the traffic was
encrypted with HTTPS to a front end proxy. Conversely the HTTPS server
knows implicitly that the traffic came in encrypted, and to what level.
Sure, there are external things that can be put around it to be able to
say that the only thing that hits a given IP is from the front end. But
that's external dependencies and trust, something that isn't needed when
encryption is supported natively.
--
Grant. . . .
unix || die
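The point above about a back end behind a TLS-terminating proxy having no inherent knowledge of whether the client leg was encrypted can be shown in code. The following is an added example, not code from the original post or from BIND: a server terminating TLS itself can read the negotiated protocol off its own socket, whereas a plaintext back end can only infer the client's scheme from a header such as X-Forwarded-Proto, and that header is only worth anything if the peer is a proxy the operator has chosen to trust. The header name, the trusted-proxy network and the sample request are all my assumptions.

```python
"""Added example (not from the mailing-list post): native TLS knowledge vs.
a forwarded-scheme header from a front-end proxy.

Assumptions (mine, not the post's): the proxy sets X-Forwarded-Proto, and the
back end is configured with the address ranges its proxies connect from.
"""
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import Optional

# Assumed deployment: the only legitimate TLS-terminating proxies sit in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample request as the back end would see it after the proxy
# decrypted the client leg and re-sent it in plaintext.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Forwarded-Proto: https\r\n"
    b"\r\n"
)


@dataclass
class ConnectionInfo:
    """What the back end actually knows about one accepted connection."""
    peer_ip: str
    tls_version: Optional[str]          # negotiated protocol if TLS ends here, else None
    headers: dict = field(default_factory=dict)


def native_tls_info(sock) -> Optional[str]:
    """A server that terminates TLS itself learns the protocol from its socket;
    a plain socket carries no such information at all."""
    if isinstance(sock, ssl.SSLSocket):
        return sock.version()           # e.g. "TLSv1.3"
    return None


def parse_headers(raw: bytes) -> dict:
    """Minimal HTTP/1.1 header parser: returns lower-cased header names.
    If a header is repeated, the last value wins (kept simple on purpose)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]     # drop the request line
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return headers


def effective_scheme(conn: ConnectionInfo, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Decide whether the request should be treated as having arrived encrypted.

    Native TLS is self-evident to the server. Behind a proxy the back end has
    only a header, and that header is trusted only when the peer is one of the
    configured proxies; from any other peer it is ignored, because anyone able
    to reach the plaintext port could have written it."""
    if conn.tls_version is not None:
        return "https"                  # we decrypted it ourselves
    peer = ipaddress.ip_address(conn.peer_ip)
    if any(peer in net for net in trusted_proxies):
        proto = conn.headers.get("x-forwarded-proto", "").lower()
        return "https" if proto == "https" else "http"
    return "http"                       # untrusted peer: external assertion discarded


def demo():
    """Three situations the post contrasts, evaluated with the sample request."""
    hdrs = parse_headers(SAMPLE_REQUEST)
    return {
        "from_trusted_proxy": effective_scheme(ConnectionInfo("10.0.0.5", None, hdrs)),
        "from_unknown_peer": effective_scheme(ConnectionInfo("198.51.100.7", None, hdrs)),
        "native_tls": effective_scheme(ConnectionInfo("198.51.100.7", "TLSv1.3", {})),
    }


if __name__ == "__main__":
    for case, scheme in demo().items():
        print(f"{case}: {scheme}")
```

The two plaintext cases carry the identical request; only the operator-supplied trust list distinguishes them, which is exactly the "external dependencies and trust" the post describes. The native TLS case needs no such list, since the server's own socket is the evidence.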
More information about the bind-users mailing list