Experimental DNS over TLS support

The USC/ISI root server began experimental support for DNS-over-TLS in 2023. Although our implementation predates the IETF’s Experimental RFC 9539, which defines how recursive-to-authoritative DNS service should work, we believe our implementation aligns with its specification as closely as possible.

Note that this service is experimental and we consider service of DNS-over-UDP and -TCP to be higher priority than DNS-over-TLS. (We reserve the right to halt TLS service without notice if needed.)

Testing it

You can test our TLS support with the dig utility from the ISC BIND package, using the +tls option:

   $ dig +tls @b.root-servers.net . soa
   ...
   
   .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2024082600 1800 900 604800 86400
   
   ...
   
   ;; SERVER: 170.247.170.2#853(b.root-servers.net) (TLS)
   
   ...

Further information

Wes Hardaker announced USC/ISI’s TLS deployment at DNS-OARC. He also gave a presentation on DNS security that discusses the differences between DNSSEC and DNS over TLS, and why they are complementary solutions.

B-Root announced experimental TLS service in Feb. 2023.

PKIX Trust Anchor

The following trust anchor can be used to authenticate our servers; it is also available as a file: b.root-servers.net-CA.crt.

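As an added example (not B-Root's own code), here is a minimal Python client that sends the same ". SOA" query over TLS while trusting only the CA file named above, so a certificate from any other issuer fails the handshake. It assumes the file has been saved to the working directory and that the server certificate names b.root-servers.net; the function names are illustrative.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS-over-TLS port, as shown in the dig output on this page

def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Encode a one-question query (class IN, RD clear: the target is authoritative)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(stream) -> bytes:
    """Read exactly one length-prefixed DNS message from a file-like stream."""
    prefix = stream.read(2)
    if len(prefix) != 2:
        raise EOFError("connection closed before the length prefix")
    (length,) = struct.unpack("!H", prefix)
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated DNS message")
    return body

def check_response(resp: bytes, txid: int) -> tuple[int, int]:
    """Validate the DNS header and return (rcode, answer count)."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def query_dot(server: str, ca_file: str, qname=".", qtype=6, txid=0x1234):
    """Send one query over TLS; passing cafile means only that CA is trusted."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain + hostname checks on
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(qname, qtype, txid)))
            with tls.makefile("rb") as stream:
                return check_response(read_framed(stream), txid)

if __name__ == "__main__":
    # Assumption: the CA file named on this page is in the current directory.
    print(query_dot("b.root-servers.net", "b.root-servers.net-CA.crt"))
```

A result of (0, 1) means NOERROR with one answer record; an ssl.SSLCertVerificationError means the server did not chain to the supplied anchor or did not match the expected name.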