[dnsdist] X25519MLKEM768 support in dnsdist?
Marcos Theophylactou
noc at mtheofy.com
Mon Jan 12 15:23:20 UTC 2026
Hi,
I tested my dnsdist instance using https://github.com/testssl/testssl.sh and it reports that KEMs are offered (X25519MLKEM768). Using a EC 384 bits Lets Encrypt certificate. Haven't done sniffing to see whether the KEMs are actually used by clients though.
FWIW, testssl also reports that dnsdist is offering Obsoleted CBC ciphers (AES, ARIA etc.)
Marcos
---- On Mon, 12 Jan 2026 16:17:31 +0200 Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote ---
Hi Christoph,
On 1/10/26 00:42, Christoph via dnsdist wrote:
> someone reached out to us and asked whether we could support
> post-quantum safe TLS 1.3 options on our public resolvers.
>
> Since most browsers have support for X25519MLKEM768
> https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-
> support/
> and openssl 3.5 in debian stable supports it,
> I was wondering how to enable it in dnsdist
> but I didn't find any parameter in addDOHLocal()
> to configure ECDHE curves?
> https://www.dnsdist.org/reference/config.html#addDOHLocal
>
> Is this currently supported?
I don't think we have any way to configure this today, no. I opened an
issue [1] on our bug tracker. If it's as easy as it seems to be I would
be ready to backport this change to 2.0.x.
[1]: https://github.com/PowerDNS/pdns/issues/16715
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dnsdist mailing list
mailto:dnsdist at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20260112/b8fbe94b/attachment.htm>
More information about the dnsdist
mailing list