>> I do not find how the Cloudflare resolver discovers that Facebook
>> authoritative name servers use DNS-over-TLS, and what are their
>> keys. Hardwired in the resolver for the experiment?
>
> The subject for the cert is not especially illuminating, though.  I tried
> sending the resolver name via SNI and got the same cert back.
>

We have used a preconfigured SPKI digest pinning. This was the easiest to
get the experiment going and focusing on the impact of DoT as a transport.

How to enable DoT discovery is yet to be discussed and defined. Discussions
have started since the last dprive virtual meeting, all have their pros and
cons but at least it seems constructive threads have been going on and we
are getting a better grasp of what makes sense for the different operators
involved.

Manu
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
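
A sketch of the preconfigured SPKI digest pinning mentioned in the reply above, added here as an example; it is not code from the message or from the resolver used in the experiment. It extracts the SubjectPublicKeyInfo from a DER certificate, hashes it, and compares the result to an operator-configured pin set. The SHA-256/base64 pin format (the one RFC 7858 uses for DoT pin sets), the function names and the certificate-shaped sample bytes are assumptions constructed for the example.

```python
import base64, hashlib, hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, tlv_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)    # TBSCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                    # optional [0] version field
        pos = read_tlv(cert_der, pos)[2]
    for _ in range(5):                           # serial, sigAlg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)        # SubjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def pin_matches(cert_der, pinset):
    """True if the certificate's SPKI digest equals any preconfigured pin."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pinset)

# --- constructed sample data: a cert-shaped DER skeleton, not a real certificate ---
def der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(key_bytes):
    alg = der(0x30, der(0x06, bytes.fromhex("2b6570")))          # OID 1.3.101.112 (Ed25519)
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    name = der(0x30, b"")                                         # empty issuer/subject
    validity = der(0x30, der(0x17, b"250101000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64))), spki

if __name__ == "__main__":
    cert, spki = sample_cert(bytes(range(32)))
    pins = {base64.b64encode(hashlib.sha256(spki).digest()).decode()}  # operator-configured
    rotated, _ = sample_cert(bytes(32))                                # key changed, pin not
    print(pin_matches(cert, pins), pin_matches(rotated, pins))
```

Because the pin covers only the public key, the check is independent of the certificate subject and of the name sent via SNI; a key rotation on the authoritative side fails the check until the resolver's pin set is updated.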