On Fri, 10 Jul 2026, Bill Woodcock wrote:

Hi.  Speaking for Quad9 (and by extension other recursive resolver operators) 
yes, there is huge demand for client authentication.  Also, it will be needed 
to fulfill some of the requirements of DIEM.  My very strong preference is that 
we not invent anything new here, and simply use DANE and TLS client certs.

When will I get DANE requiring DNSSEC support on my mobile devices?

Honestly, the straightforward solution here is to add a VPN
configuration to the DNS resolver IPs. This is all existing
technology and you can define the tunnel to only cover
the QuadX IP addresses.

VPN technologies already allow a wide variety of authentications,
using X.509 and/or REST API calls or using PAM, etc.

Not every technology needs a DNS variant.

For my iOS device, it's just a simple .mobileconfig file. No need to
wait for Apple to implement some encryption-within-dns-packet format.

Paul

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to