On Mon, 10 Aug 2020, Peter van Dijk wrote:

> On Thu, 2020-08-06 at 23:04 -0400, Paul Wouters wrote:
> 
> > In the case of encrypted DNS to authoritative servers, those servers
> > obviously can have a cryptographic ID based on FQDN.
> 
> This is not obvious. It would be great if it was; but it isn't.

Sorry, I did not realise it was not obvious to everyone, so let me
clarify:

_853._dot.ns0.nohats.ca. IN TLSA <blob>
_443._doh.ns0.nohats.ca. IN TLSA <blob>

This uses the unique FQDN of each nameserver's name. You can have
multiple TLSA records if you use different keys on some of your
nameservers (e.g. some outsourced to an ANYcloud provider).

Note that this scales with the nameserver. For example, by publishing the
above, the libreswan.org domain would also have DoT/DoH published, as it
is using the same nameservers.

I would not understand why one would insert another PKI system to
identify nameservers. It would just add dependencies and different
protocols to the solution.

Paul
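As an added illustration of the scheme described in the message above (not code from the thread or from any of the projects named in it), the following builds the TLSA owner name for a nameserver's FQDN using the message's "_853._dot" / "_443._doh" labelling, and checks a presented certificate against an RRset that carries one record per key in use; the certificate and SPKI bytes are constructed placeholders, and only DANE-EE (usage 3) is handled.

```python
import hashlib

# Port/label pairs as used in the message's example records. The "_dot" and
# "_doh" labels are the message's convention, not the usual "_tcp" label.
TRANSPORT_LABELS = {"dot": ("853", "_dot"), "doh": ("443", "_doh")}

# Constructed placeholder DER blobs standing in for a real certificate, its
# SubjectPublicKeyInfo, and the SPKI of a key used by an outsourced provider.
CERT_DER = b"constructed: DER of ns0's certificate"
SPKI_DER = b"constructed: DER of ns0's SubjectPublicKeyInfo"
OUTSOURCED_SPKI = b"constructed: DER of outsourced provider's SPKI"


def tlsa_owner_name(ns_fqdn, transport):
    """Owner name of the TLSA record for a nameserver reached over DoT or DoH."""
    port, label = TRANSPORT_LABELS[transport]
    return "_%s.%s.%s." % (port, label, ns_fqdn.rstrip("."))


def parse_tlsa(rdata):
    """Parse presentation-format rdata such as '3 1 1 <hex>'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate satisfies one DANE-EE TLSA record."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3:          # only DANE-EE is handled in this example
        return False
    selected = {0: cert_der, 1: spki_der}[selector]           # selector: full cert or SPKI
    digest = {0: lambda b: b,                                 # matching type 0: exact bytes
              1: lambda b: hashlib.sha256(b).digest(),        # matching type 1: SHA-256
              2: lambda b: hashlib.sha512(b).digest()}[mtype]  # matching type 2: SHA-512
    return digest(selected) == data


def any_record_matches(rrset, cert_der, spki_der):
    """An RRset with several records passes if any one record matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)


def example_rrset():
    # Two records because two different keys are in use: the in-house
    # nameserver key and the outsourced provider's key (SHA-256 over SPKI).
    return ["3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),
            "3 1 1 " + hashlib.sha256(OUTSOURCED_SPKI).hexdigest()]
```

A validator would query the owner name returned by tlsa_owner_name for the nameserver it is about to connect to, then run any_record_matches against the certificate presented in the TLS handshake.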

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
