On Fri, 10 Jul 2026, Bill Woodcock wrote:
Hi. Speaking for Quad9 (and by extension other recursive resolver operators) yes, there is huge demand for client authentication. Also, it will be needed to fulfill some of the requirements of DIEM. My very strong preference is that we not invent anything new here, and simply use DANE and TLS client certs.
When will I get DANE requiring DNSSEC support on my mobile devices? Honestly, the straightforward solution here is to add a VPN configuration to the DNS resolver IPs. This is all existing technology and you can define the tunnel to only cover the QuadX IP addresses. VPN technologies already allow a wide variety of authentications, using X.509 and/or REST API calls or using PAM, etc. Not every technology needs a DNS variant. For my iOS device, it's just a simple .mobileconfig file. No need to wait for Apple to implement some encryption-within-dns-packet format. Paul _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
