Thomas Peterson: > In a recent discussion in the DoH mailing list around a draft that > describes resolver discovery, Martin Thomson made the suggestion[0] > to use DHCP and RA options instead to transmit both DNS over HTTP > resolver addresses, but more relevant to this WG also DNS over TLS > endpoints as well. I have published draft-peterson-dot-dhcp, which > describe the relevant DHCPv4, DHCPv6, and RA options to support > this. [...] > 0: > https://mailarchive.ietf.org/arch/msg/doh/A2YthHjFwwwpC3d0MrOm1-syH48
Thanks for starting this I-D. from the I-D: > Length: Length of the DNS Servers list in octects > > DNS Servers: One or more IPv4 addresses of DNS servers The I-D currently only contains IP addresses, not names as proposed by Martin: To quote Martin Thomson's email: > 2. We add a field to DHCP and RA that carries the "DoT resolver". > When this is present, the client resolves this name using the > resolver. This resolution is unsecured. The client then connects to > the resulting IP address and validates the certificate it presents > using this name. This enables easier deployment of DoT because a > certificate for a name is easier to get than an IP certificate (it > also enables use of 1918 address and the like). So I'd suggest to have multiple fields: - IP address (optional) - name (for PKIX verification) (optional) - SPKI pins? (optional) I'd like to see a single document covering DoT and DoH DHCP/RA options (as Martin Thomson suggested) instead of two documents doing the same thing for each protocol separately. kind regards, nusenu -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
