> On Sep 20, 2023, at 2:32 PM, Paul Wouters <p...@nohats.ca> wrote:
>
> On Tue, 19 Sep 2023, Paul Hoffman wrote:
>
>> We don't know. It was pointed out in the WG discussion that some PKIX
>> libraries do different types of verification regardless of what you want
>> them to do.
>
>> Yes, exactly. Even if you can't stop your library from verifying, you must
>> be able to ignore the verification failures.
>
> That might not be the case. As with "null encryption", these modes are
> more and more being removed from code bases to avoid exploits.
At that point, you couldn't use the library any more, correct?
> I also do find the value of using self-signed certs over ACME certs
> on the auth server pretty low. It's pretty easy to give a nameserver
> with a static name an automatic ACME based certificate. With the
> "opportunistic" part being that if the cert fails, to go back to do53.
Is there widespread availability for "ACME certs" for authoritative DNS name
servers that have no web server component reasonably available now? When I
looked a few years ago, they weren't at all.
--Paul Hoffman
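The exchange above turns on two practical points: whether a TLS library will let a client keep going when PKIX verification fails, and what "opportunistic" means operationally (try authenticated TLS, degrade to unauthenticated TLS, then fall back to Do53). The following Python sketch is an added illustration, not code from anyone in this thread. It uses the standard ssl module, where disabling verification is still possible (check_hostname must be cleared before verify_mode is set to CERT_NONE); with a library that refuses to expose such a mode, the middle rung of this ladder simply cannot be built. The DoT and Do53 transport callables are constructed stand-ins so the logic runs offline; the query builder is real RFC 1035 wire format. Note the tls_verified flag on the answer: an answer obtained over unverified TLS is private on the wire but no more authenticated than one over Do53.

```python
import ssl
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def strict_context() -> ssl.SSLContext:
    """Authenticated DoT: chain validation + hostname check against system trust."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """Unauthenticated DoT: encryption only, accepts self-signed/unverifiable certs.
    This is the mode the thread worries libraries may stop offering."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # ignore PKIX verification failures
    return ctx


@dataclass
class Answer:
    transport: str                # "dot" or "do53"
    payload: bytes                # raw DNS response bytes
    tls_verified: Optional[bool]  # True=authenticated TLS, False=unverified TLS, None=plain


DotAttempt = Callable[[ssl.SSLContext, bytes], bytes]
Do53Attempt = Callable[[bytes], bytes]


def resolve_opportunistic(query: bytes, dot: DotAttempt, do53: Do53Attempt,
                          log: List[str]) -> Answer:
    """Authenticated DoT -> unauthenticated DoT -> Do53, recording each downgrade."""
    try:
        return Answer("dot", dot(strict_context(), query), True)
    except ssl.SSLCertVerificationError as e:
        log.append(f"dot: verification failed ({e}); retrying without verification")
    except (ssl.SSLError, OSError) as e:
        log.append(f"dot: unreachable ({e}); falling back to Do53")
        return Answer("do53", do53(query), None)
    try:
        return Answer("dot", dot(opportunistic_context(), query), False)
    except (ssl.SSLError, OSError) as e:
        log.append(f"dot (unverified): failed ({e}); falling back to Do53")
        return Answer("do53", do53(query), None)


# --- constructed stand-ins for the two transports (no network needed) ---------

def make_simulated_dot(cert_ok: bool, reachable: bool = True) -> DotAttempt:
    """Behaves like a verifying library facing a self-signed or unreachable server."""
    def attempt(ctx: ssl.SSLContext, query: bytes) -> bytes:
        if not reachable:
            raise OSError("connection refused on 853/tcp")
        if ctx.verify_mode != ssl.CERT_NONE and not cert_ok:
            raise ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate")
        return b"DOT-ANSWER:" + query[:2]   # echo the transaction id
    return attempt


def simulated_do53(query: bytes) -> bytes:
    return b"DO53-ANSWER:" + query[:2]


if __name__ == "__main__":
    q = build_query("example.com")
    for label, dot in [("ACME cert", make_simulated_dot(cert_ok=True)),
                       ("self-signed", make_simulated_dot(cert_ok=False)),
                       ("no 853/tcp", make_simulated_dot(cert_ok=True, reachable=False))]:
        events: List[str] = []
        ans = resolve_opportunistic(q, dot, simulated_do53, events)
        print(f"{label:12} -> {ans.transport} verified={ans.tls_verified} {events}")
```

Running it prints one line per scenario: the ACME case stays on authenticated DoT, the self-signed case lands on unverified DoT with a logged downgrade, and the unreachable case falls straight to Do53. The log list is the piece a resolver operator would actually want to keep: a sudden jump in downgrade events for a given authoritative server is the signal that something between you and it changed.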
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy