In article 
<CAM1xaJ_jcMunvfuqqgoe-5hTSE1t=A4ELWF1j0SBsztoZ_1S=w...@mail.gmail.com> you 
write:
>I just scanned the draft and focused mainly on the DNS bits. The
>described method for publishing encryption keys for SNI in DNS won't
>allow use of wildcard domain names.

Yes, that is a very well known fact about _prefix names in the DNS.

If you want wildcards to work, use a new rrtype, e.g., instead of this:

>   _esni.example.com. 60S IN TXT "..." "..."

do this:

   example.com. 60S IN ESNI 983989D92330EA840...

It can use base64-encoded text, but it might as well just put the
ESNIKeys structure literally in the record, represented in the master
file as a hex string, like the certificate stored in a TLSA record.

It's harder to deploy a new rrtype than an overloaded TXT record, but
you can't have everything.

-- 
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
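As an added illustration (this is not from John's reply or from the draft): a small Python model of the RFC 4592 wildcard matching rules over a constructed zone, showing why a record under an _esni prefix name cannot be synthesized from a wildcard while a record at the owner name can. The zone contents, the hostnames and the ESNI RDATA are made up for the example, and "ESNI" stands in for the hypothetical new rrtype the reply proposes.

```python
# Added example, not code from the post or the draft: RFC 4592 wildcard
# matching over a constructed toy zone. "ESNI" is the hypothetical rrtype
# proposed in the reply; its RDATA below is made-up hex, not a real key.

NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"
ORIGIN = "example.com."

# Constructed zone: owner name -> {rrtype: [rdata, ...]}. All names are FQDNs.
ZONE = {
    "example.com.": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 600 86400 60"],
        "NS": ["ns1.example.com."],
    },
    "ns1.example.com.": {"A": ["192.0.2.53"]},
    # An explicitly listed host that only carries an address record.
    "www.example.com.": {"A": ["192.0.2.10"]},
    # The wildcard: address plus the hypothetical ESNI rrtype at the same owner.
    "*.example.com.": {"A": ["192.0.2.20"], "ESNI": ["983989D92330EA84"]},
    # What a _prefix scheme would need. The '*' is not the leftmost label, so
    # per RFC 4592 this is an ordinary owner name and is never used for synthesis.
    "_esni.*.example.com.": {"TXT": ['"only-matched-by-literal-query"']},
}


def name_exists(zone, name):
    """RFC 4592 existence: the name owns RRs, or is an empty non-terminal."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def closest_encloser(zone, qname):
    """Longest existing ancestor of qname; the apex always exists."""
    parts = qname.split(".")
    for i in range(1, len(parts) - 1):
        ancestor = ".".join(parts[i:])
        if name_exists(zone, ancestor):
            return ancestor
    raise ValueError("qname has no existing ancestor in this zone")


def lookup(zone, qname, rrtype):
    """Return the rdata list, NODATA, or NXDOMAIN per RFC 4592 section 2."""
    if not (qname == ORIGIN or qname.endswith("." + ORIGIN)):
        raise ValueError("not authoritative for " + qname)
    if name_exists(zone, qname):
        # Exact match: wildcard processing is never applied to an existing
        # name, so an empty non-terminal or a type-less owner yields NODATA.
        return zone.get(qname, {}).get(rrtype, NODATA)
    # Synthesis is only tried at '*.' + closest encloser, nowhere else.
    source = "*." + closest_encloser(zone, qname)
    if source not in zone:
        return NXDOMAIN
    return zone[source].get(rrtype, NODATA)


if __name__ == "__main__":
    for q in [("host1.example.com.", "A"),
              ("host1.example.com.", "ESNI"),
              ("_esni.host1.example.com.", "TXT"),
              ("_esni.www.example.com.", "TXT"),
              ("_esni.*.example.com.", "TXT"),
              ("www.example.com.", "ESNI")]:
        print(q[0], q[1], "->", lookup(ZONE, *q))
```

Querying the hypothetical ESNI type at host1.example.com is synthesized from *.example.com exactly as its A record is. The _esni.*.example.com owner is an ordinary name because the asterisk is not its leftmost label, so _esni.host1.example.com gets NODATA (the wildcard exists but owns no TXT) and _esni.www.example.com gets NXDOMAIN because www.example.com is a closer encloser and no *.www.example.com exists. The same rule cuts the other way too: an explicitly listed host such as www.example.com needs its own ESNI record, since the wildcard only answers for names that are not listed.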