> I would recommend that you think about how any of these proposed
> schemes interact with DNS wildcards. Yes, some people use wildcards
> with TLSA RRs, or even with CNAME RRs pointing to TLSA RRs: this
> allows one to express "every service on machine foo.example.org uses
> the same certificate" concisely.
That is an excellent point. While you're at it, it'd also be a good idea to consider how it interacts with DNAMEs. For example, if you use my naming convention with the protocols, you can use DNAMEs to say the client certs for all the protocols are the same, e.g.:

    _client._udp.myhost.example   DNAME  _client._tcp.myhost.example
    _client._sctp.myhost.example  DNAME  _client._tcp.myhost.example

This doesn't let you alias server certs without also aliasing client certs, no idea if that would be a problem in practice. The comments in RFC 6698 suggest that aliasing server certs is rarely useful.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
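To check how the DNAME aliasing in John's message actually behaves, here is an added example (not from the thread or any IETF code) that models RFC 6672 DNAME substitution over a small constructed zone; the `_25._client._tcp` TLSA owner name and its record data are assumptions, chosen only to show which query names the two DNAMEs rewrite and which they leave alone.

```python
# Added example: RFC 6672 DNAME substitution applied to the two DNAME
# records from the message. Zone contents below are constructed; the
# TLSA owner name "_25._client._tcp.myhost.example." and its RDATA are
# hypothetical placeholders, not anything from the original thread.

ZONE = {
    "_client._udp.myhost.example.":  ("DNAME", "_client._tcp.myhost.example."),
    "_client._sctp.myhost.example.": ("DNAME", "_client._tcp.myhost.example."),
    # Hypothetical client-cert TLSA living under the _tcp subtree.
    "_25._client._tcp.myhost.example.": ("TLSA", "3 1 1 <HASH-PLACEHOLDER>"),
}


def _labels(name: str) -> list:
    return name.rstrip(".").split(".")


def dname_substitute(qname: str, zone: dict) -> str:
    """Rewrite qname through any DNAME whose owner is a *proper* ancestor.

    RFC 6672 only redirects names strictly below the DNAME owner; the
    owner name itself is never rewritten. Substitution repeats to follow
    chained DNAMEs, bounded to avoid loops in a misconfigured zone.
    """
    for _ in range(8):
        labels = _labels(qname)
        for i in range(1, len(labels)):          # proper ancestors only
            owner = ".".join(labels[i:]) + "."
            rr = zone.get(owner)
            if rr and rr[0] == "DNAME":
                # Keep the labels below the owner, graft onto the target.
                qname = ".".join(labels[:i]) + "." + rr[1]
                break
        else:
            return qname                         # no DNAME applied
    raise ValueError("DNAME chain too long (possible loop)")


def lookup_tlsa(qname: str, zone: dict):
    """Return TLSA RDATA for qname after DNAME rewriting, else None."""
    target = dname_substitute(qname, zone)
    rr = zone.get(target)
    return rr[1] if rr and rr[0] == "TLSA" else None


if __name__ == "__main__":
    for q in ("_25._client._udp.myhost.example.", "_client._udp.myhost.example."):
        print(q, "->", dname_substitute(q, ZONE), "TLSA:", lookup_tlsa(q, ZONE))
```

The second query shows the caveat: a TLSA record placed at the DNAME owner name itself is not aliased, only names beneath it are.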