On 03.12.22 at 01:22, Daniel Migault wrote:
adding dns-privacy to the thread.
Yours,
Daniel
On Fri, Dec 2, 2022 at 4:35 PM Michael Richardson <[email protected]> wrote:
https://www.ietf.org/rfc/rfc9103.html#name-mutual-tls tells me how I could
use mutual TLS to authenticate (and I think, authorize) a zone transfer.
What it does not tell me is whether there should be any Extended Key Usage
bits set on the certificates. Are the WebServer/WebClient required?
forbidden? tolerated?
Hello,
the e-mail eco-system is fine with the current values.
$ openssl x509 -noout -ext extendedKeyUsage -in /path/to/mailservers/cert.pem
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
So I see no reason to add something like "DNSServer/DNSClient" as Extended Key Usage
Andreas
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
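The check behind Andreas's one-liner, written out as a small POSIX shell script so it can be run against both peers of a zone transfer before mutual TLS is turned on. This is an added example, not code from the thread or from any DNS implementation; it assumes openssl 1.1.1 or newer on PATH (for -ext and -addext), and the function names eku_list, has_eku, xfr_peer_eku_ok and make_cert are my own. The role mapping follows from how a transfer runs: the secondary opens the connection and is therefore the TLS client, the primary answers and is the TLS server. The script only reports which EKU names a certificate carries; whether a validator ought to require them for XoT is the question the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the thread). Inspects the Extended Key Usage of a PEM
# certificate with the same "openssl x509 -ext extendedKeyUsage" call shown in
# the thread and maps the two TLS Web EKU names onto zone-transfer roles.
# Assumes: openssl >= 1.1.1 on PATH.
set -eu

# eku_list CERT: print the EKU names on one line, e.g.
# "TLS Web Server Authentication, TLS Web Client Authentication".
# Prints nothing when the certificate has no extendedKeyUsage extension.
eku_list() {
    openssl x509 -noout -ext extendedKeyUsage -in "$1" 2>/dev/null \
        | sed -n '2s/^[[:space:]]*//p'
}

# has_eku CERT NAME: exit 0 when NAME occurs in the certificate's EKU list.
has_eku() {
    eku_list "$1" | grep -q -F -- "$2"
}

# xfr_peer_eku_ok CERT ROLE: ROLE is "primary" or "secondary".
# The secondary initiates AXFR/IXFR, so it is the TLS client and (for mutual
# TLS) presents a client certificate; the primary is the TLS server.
xfr_peer_eku_ok() {
    case "$2" in
        primary)   has_eku "$1" "TLS Web Server Authentication" ;;
        secondary) has_eku "$1" "TLS Web Client Authentication" ;;
        *)         echo "unknown role: $2 (use primary|secondary)" >&2; return 2 ;;
    esac
}

# make_cert PREFIX EKU: throw-away self-signed certificate with the given EKU
# list, e.g. "serverAuth,clientAuth". Constructed test data only; a real
# nameserver would use its CA-issued certificate instead.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.pem" -days 1 -subj '/CN=ns1.example' \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Usage: sh xot-eku-check.sh CERT.pem primary|secondary
if [ "$#" -eq 2 ]; then
    printf 'EKU: %s\n' "$(eku_list "$1")"
    if xfr_peer_eku_ok "$1" "$2"; then
        echo "ok: certificate carries the EKU needed to act as XoT $2"
    else
        echo "missing: certificate lacks the EKU needed to act as XoT $2" >&2
        exit 1
    fi
fi
```

A certificate issued with only serverAuth passes the primary check and fails the secondary check, which is the case to watch for when the same zone is both received from one primary and re-served to downstream secondaries: that host plays both roles and needs both values, exactly the combination Andreas reports on the mail servers' certificates.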