In article <cahpuvduozvecj5jfd6nxyj-crhtjts1n8vcc5pc3uwqeclo...@mail.gmail.com> you write:

>Well, the client could just use the zone name as the SNI, no? You can assign
>certificates with the same name but different keys to each of the
>nameservers.
That sounds quite painful for servers that serve hundreds or thousands of zones. I am assuming these would be self-signed certs. If you want them signed there's an additional bootstrap problem since the CA everyone uses, Let's Encrypt, needs working DNS to sign a cert.
