If I'm not mistaken, the solution currently used by at least Cloudflare bootstraps using traditional DNS, as the certificate they are using for DoH is just a standard X.509 certificate issued by DigiCert. I believe you could just hardcode both the host and IP address on the client side if you want to avoid this "legacy" step.
On Sat, Mar 23, 2019 at 9:38 PM Paul Vixie <[email protected]> wrote:
>
> Wes Hardaker wrote on 2019-03-22 21:03:
> > Kenji Baheux <[email protected]> writes:
> >
> >> * We are considering a first milestone where Chrome would do an automatic
> >> upgrade to DoH when a user’s existing resolver is capable of it.
> >
> > Sorry for the delayed question, but with respect to this bullet:
> >
> > 1) ...
> >
> > 2) ...
>
> while i feel and echo wes's two questions, mine is different.
>
> if all you have is an ip address (say, from dhcp or resolv.conf), how
> would you decide whether the https endpoint you found at that address,
> was using an x.509 key you had any reason to trust? https wants names.
>
> i've run into this before. http://dot.tt.ed.quad/ is an easy grab, but i
> don't know how to negotiate for https://dot.tt.ed.quad/. if this is a
> solved problem, then i apologize to all present, for not doing my
> homework before opening up in public.
>
> --
> P Vixie
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
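An added example, not code from either message: how a DoH client that has hardcoded both a resolver name and its IP (the approach suggested in the reply) can still answer Vixie's "https wants names" question. The client dials the IP but verifies the certificate against the pinned name (sent as SNI), or, where the certificate carries an iPAddress SAN, against the pinned IP itself. The certificate contents, the name `cloudflare-dns.com` and the addresses below are constructed for illustration and are not taken from the thread.

```python
import ipaddress
import ssl

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for a
# resolver certificate; the names and addresses are illustrative only.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("commonName", "cloudflare-dns.com"),),),
    "subjectAltName": (
        ("DNS", "cloudflare-dns.com"),
        ("DNS", "*.cloudflare-dns.com"),
        ("IP Address", "1.1.1.1"),
        ("IP Address", "1.0.0.1"),
    ),
}


def _dns_san_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or one wildcard in the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def _ip_san_matches(value, ip):
    try:
        return ipaddress.ip_address(value) == ipaddress.ip_address(ip)
    except ValueError:  # malformed SAN entry never matches
        return False


def cert_matches_pin(peer_cert, hostname=None, ip=None):
    """True when the certificate covers every pin the client hardcoded.
    A pinned name is checked against DNS SANs (trust by name, as HTTPS
    expects); a pinned IP is checked against iPAddress SANs, which lets a
    resolver reached only by address be verified without a DNS lookup."""
    sans = peer_cert.get("subjectAltName", ())
    if hostname is None and ip is None:
        return False  # nothing pinned means nothing verified
    if hostname is not None and not any(
            k == "DNS" and _dns_san_matches(v, hostname) for k, v in sans):
        return False
    if ip is not None and not any(
            k == "IP Address" and _ip_san_matches(v, ip) for k, v in sans):
        return False
    return True


def bootstrap_context():
    """Context for dialing the pinned IP while verifying the pinned name:
    use ctx.wrap_socket(sock, server_hostname=PINNED_NAME) so SNI carries
    the name and the chain is checked against it, not the address."""
    ctx = ssl.create_default_context()  # system CAs, verification enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```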
