Hi,
I tested my dnsdist instance using https://github.com/testssl/testssl.sh and it reports that KEMs are offered (X25519MLKEM768). Using a EC 384 bits Lets Encrypt certificate. Haven't done sniffing to see whether the KEMs are actually used by clients though. FWIW, testssl also reports that dnsdist is offering Obsoleted CBC ciphers (AES, ARIA etc.) Marcos ---- On Mon, 12 Jan 2026 16:17:31 +0200 Remi Gacogne via dnsdist <[email protected]> wrote --- Hi Christoph, On 1/10/26 00:42, Christoph via dnsdist wrote: > someone reached out to us and asked whether we could support > post-quantum safe TLS 1.3 options on our public resolvers. > > Since most browsers have support for X25519MLKEM768 > https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc- > support/ > and openssl 3.5 in debian stable supports it, > I was wondering how to enable it in dnsdist > but I didn't find any parameter in addDOHLocal() > to configure ECDHE curves? > https://www.dnsdist.org/reference/config.html#addDOHLocal > > Is this currently supported? I don't think we have any way to configure this today, no. I opened an issue [1] on our bug tracker. If it's as easy as it seems to be I would be ready to backport this change to 2.0.x. [1]: https://github.com/PowerDNS/pdns/issues/16715 Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ dnsdist mailing list mailto:[email protected] https://mailman.powerdns.com/mailman/listinfo/dnsdist The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
_______________________________________________ dnsdist mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/dnsdist
