DNS-over-TLS Resolvers are available at RIPE 76 on a best-effort basis. They are available on TCP port 853, on the same IPv4 / IPv6 addresses as the regular DNS resolvers:
These experimental resolvers are using Knot-resolver and provide the following security and privacy-related features:
- DNSSEC validation
- Aggressive Use of DNSSEC-Validated Cache
- Qname Minimisation
To use them, you need client software such as Unbound or Stubby, configured to forward upstream queries to these resolvers over TLS. They use a LetsEncrypt certificate, with a TLS hostname of:
For strict verification, your client should use CA-based verification for this hostname. Do not configure an SPKI pinset, as we may change the certificate at any time.
An example Stubby config:
upstream_recursive_servers: - address_data: 2001:67c:64:53::53:1 tls_auth_name: "nscache.ripemtg.ripe.net" - address_data: 2001:67c:64:53::53:2 tls_auth_name: "nscache.ripemtg.ripe.net"
For more information about configuring clients, you can visit:
The RIPE NCC staff can only offer limited support for investigating problems with these resolvers.
If your issue is related to client configuration, please see the available documentation linked above, or for further support, contact the DNS Working Group.
There may be issues resolving certain domain names due to interactions with Qname Minimisation (which is an experimental protocol).
If these issues cause you a problem, please fall back to using the regular resolvers and send a report of the problem to opsmtg [at] ripe [dot] net. If the problem is with the resolver software we are using, it is unlikely we will be able to fix it during the meeting. You can also discuss any issues encountered on the DNS Working Group Mailing List.
This service has been set up for RIPE 76 as an experimental service at the request of the DNS Working Group Co-Chairs.