On 5/3/19 5:51 PM, John R Levine wrote:
>>> server. I suppose you could find your DoH server by name, but if you
>>> can do that, you could equally well find your DoT or .well-known
>>> server by name and define the problem out of existence.
>>
>> I think it's best to verify by name, even if the DNS server is reached
>> through a hard-configured IP. That's what we implemented for Knot
>> Resolver, at least. On a related note, I'd also expect to send the name
>> as SNI by default; 8.8.8.8 was not even sending me a certificate unless
>> I sent SNI (only when using TLS 1.3 though)
>
> When I said verify by name I meant by DNS name, so the certs can be
> signed by the existing ACME protocol or whatever.
I also meant verification by DNS (host)name in the certificate's CN, signed by some commonly accepted authority. I don't know where the misunderstanding is.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
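As an added illustration of the point in this reply (example code written here, not code from Knot Resolver or from anyone in the thread): a Python DoT client that connects to a resolver at a hard-configured IP, sends the resolver's DNS name as SNI, and has the TLS stack verify the certificate against that name rather than the IP. The pairing of 8.8.8.8 with the name dns.google, and the queried name example.com, are my assumptions, not values from the thread.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS (RFC 7858)

def dot_context() -> ssl.SSLContext:
    """Client context that authenticates the resolver by DNS name, not by IP."""
    ctx = ssl.create_default_context()          # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True  # the default; the cert must match server_hostname
    return ctx

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal wire-format A query with RD set and no EDNS (constructed sample)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf

def resolve_over_tls(ip: str, name: str, qname: str, timeout: float = 5.0) -> bytes:
    """Connect to the resolver at a fixed IP, send `name` as SNI, verify the
    certificate against `name`, then exchange one length-prefixed DNS message."""
    query = build_query(qname)
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        # server_hostname is both the SNI value sent and the name the cert is checked against
        with dot_context().wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            (length,) = struct.unpack(">H", _read_exact(tls, 2))
            response = _read_exact(tls, length)
    if len(response) < 12 or response[:2] != query[:2]:
        raise ValueError("short response or transaction ID mismatch")
    return response

if __name__ == "__main__":
    # 8.8.8.8 is from the thread; dns.google and example.com are assumed sample values
    resp = resolve_over_tls("8.8.8.8", "dns.google", "example.com")
    print("rcode:", resp[3] & 0x0F)  # 0 means NOERROR
```

If the resolver's certificate does not carry the name given as `server_hostname`, `wrap_socket` raises `ssl.SSLCertVerificationError` before any DNS data is sent.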
