Marek Vavruša <mvavrusa=40cloudflare....@dmarc.ietf.org> wrote:
>
> https://github.com/vavrusa/draft-dhcp-dprive/blob/master/draft-dhcp-dprive.txt

This is interesting to me because I want to support DoTH on my campus
resolvers.

Regarding DoT, it seems to me that a super simple way for the client to
be able to authenticate the server would be to include the server's IP
address(es) in the subjectAltName field. This wouldn't require a DHCP
extension, and nicely supports opportunistic upgrade. I'm afraid I wasn't
paying attention when RFC 8310 was being prepared so I don't know why it
excludes iPAddress authentication.

Regarding DoH, the DHCP option ought to include a URI template (there
isn't a .well-known for DoH). I plan to set up my servers so that
misdirected attempts to get web pages from the DoH server are redirected
to the relevant documentation; that's much easier if the DoH endpoint
isn't at the server root.

A URI template usually implies the need for DNS queries to resolve the
server name (unless it's an address literal). Would it be plausible to
allow the client to assume that the DoH server IP addresses are the same
as the DNS server addresses, so it can skip the lookup? I guess that would
be too annoying for operators that want their DoH servers to be separate
from their normal DNS resolvers, so maybe it's a bad idea :-)

Tony.

(PS. DoTH is clearly what happens if someone suggests "DoNT" but we do it 
anyway.)

-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
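The DoH URI-template point above, as an added example that is not part of Tony's message or of the draft: RFC 8484 clients expand a template containing a `dns` variable (in practice `{?dns}`) with the base64url-encoded, unpadded wire-format query, and the template's host must be resolved unless it is an address literal. The template strings, resolver names and addresses below are constructed for illustration; the helper only handles the `{?dns}` form and deliberately rejects anything else rather than guessing.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlsplit


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal wire-format query: ID 0 (RFC 8484 suggests 0 for HTTP cache
    friendliness), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def expand_doh_template(template: str, query: bytes) -> str:
    """Expand an RFC 8484 template of the form .../dns-query{?dns}.
    base64url, padding stripped, as the RFC requires for GET."""
    if "{?dns}" not in template:
        # Assumption: only the {?dns} form is supported here; a template
        # using the dns variable elsewhere would need a full RFC 6570 expander.
        raise ValueError("template does not carry a {?dns} form variable")
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + encoded)


def doh_host_needs_lookup(template: str):
    """Return (host, needs_lookup). An IPv4/IPv6 literal can be connected to
    directly; a hostname needs a DNS lookup before the first DoH query,
    which is the bootstrap problem raised in the discussion above."""
    host = urlsplit(template.replace("{?dns}", "")).hostname
    try:
        ipaddress.ip_address(host)
        return host, False
    except ValueError:
        return host, True


if __name__ == "__main__":
    # Constructed sample templates, not real resolver endpoints.
    for tmpl in ("https://dns.example.net/dns-query{?dns}",
                 "https://192.0.2.1/dns-query{?dns}",
                 "https://[2001:db8::1]/dns-query{?dns}"):
        host, lookup = doh_host_needs_lookup(tmpl)
        print(host, "needs lookup" if lookup else "address literal")
        print(expand_doh_template(tmpl, build_dns_query("example.com")))
```

A client given such a template by DHCP still has to decide whether the certificate presented by the literal-address host is acceptable, which is the iPAddress subjectAltName question raised for DoT above; this helper only covers the URL construction and the "can I skip the lookup" test.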
