Hello, I've just read the RFCs for DNS over TLS (RFC 7858 + RFC 8310) and DNS over HTTPS (RFC 8484) because I'd like to understand the fuss of the latest discussions around these topics.
In my conclusion, the concept behind DoH doesn't go down well for me at all. It appears to me like fiddling as a whole to get it somewhat working. However, both approaches have a chicken-and-egg problem. While DoT needs to somehow know the ADN for a given DNS server IP to authenticate the DNS server, DoH needs to somehow know the IP address for a given DoH server domain name to actually reach out to it.

However, in DoH's RFC there is a little paragraph that raised an idea for me that could fix the bootstrap problem of DoT outlined in section 6.1 of RFC 8310. When the DoT server is providing a TLS server certificate with an IP SAN attribute for its IP address, the DoT client can authenticate the DNS server using the DNS server's IP address as the authentication data. This way, no extra to-be-configured ADN is required, since the IP address must be specified anyway.

Am I missing something, or why hasn't this been considered in RFC 8310?

Regards - Alex

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
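The check the post proposes, written out as an added example (it is not code from the post, from the RFCs, or from any DoT implementation): a DoT client that dials a resolver by IP address, lets the normal CA chain validation run, and then accepts the session only if the server certificate carries an iPAddress subjectAltName equal to the address that was dialled. Standard library only. The certificate structures below mirror the layout `ssl.SSLSocket.getpeercert()` returns and are constructed here for illustration; the resolver addresses are documentation-range placeholders, not real servers.

```python
"""Authenticate a DNS-over-TLS server by the IP SAN in its certificate.

Added example, not code from the original post. The client needs no
Authentication Domain Name: the IP address it connects to is the
reference identifier, compared against the certificate's iPAddress SANs.
"""
import ipaddress
import socket
import ssl

DOT_PORT = 853  # RFC 7858: DNS over TLS is carried over TCP port 853


def cert_ip_sans(cert):
    """Return the set of ipaddress objects listed as 'IP Address' SANs.

    getpeercert() exposes subjectAltName as a tuple of (type, value) pairs,
    e.g. (('DNS', 'resolver.example'), ('IP Address', '192.0.2.53')).
    Only entries of type 'IP Address' count; a DNS SAN or a CN that merely
    spells an IP literal is deliberately ignored, matching RFC 5280/6125,
    where iPAddress SANs are compared as address octets, not as names.
    """
    sans = set()
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type != "IP Address":
            continue
        try:
            sans.add(ipaddress.ip_address(value))
        except ValueError:  # malformed entry: never trust it
            continue
    return sans


def ip_san_matches(cert, server_ip):
    """True iff server_ip appears as an 'IP Address' SAN in cert.

    Comparing parsed addresses means textual variants of one IPv6 address
    (2001:db8::53 vs 2001:DB8:0:0:0:0:0:53) still match, while a hostname
    passed by mistake is rejected instead of being looked up.
    """
    try:
        wanted = ipaddress.ip_address(server_ip)
    except ValueError:
        return False
    return wanted in cert_ip_sans(cert)


def connect_dot_by_ip(server_ip, timeout=5.0):
    """Open a TLS session to server_ip:853 and return the socket only if
    the chain validates AND an IP SAN matches the dialled address.

    Network call; not exercised offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we check the IP reference identifier ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate to a trusted CA
    raw = socket.create_connection((server_ip, DOT_PORT), timeout=timeout)
    tls = ctx.wrap_socket(raw)
    if not ip_san_matches(tls.getpeercert(), server_ip):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate carries no IP Address SAN for {server_ip}")
    return tls


# Constructed sample certificates in getpeercert() layout (illustration only;
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not live resolvers).
GOOD_CERT = {
    "subject": ((("commonName", "resolver.example"),),),
    "subjectAltName": (
        ("DNS", "resolver.example"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:DB8:0:0:0:0:0:53"),
    ),
}

# Names the IP only as a DNS SAN and CN: must NOT authenticate the address.
DNS_ONLY_CERT = {
    "subject": ((("commonName", "192.0.2.53"),),),
    "subjectAltName": (("DNS", "192.0.2.53"),),
}

if __name__ == "__main__":
    for label, cert, ip in (
        ("good cert, dialled IPv4", GOOD_CERT, "192.0.2.53"),
        ("good cert, dialled IPv6", GOOD_CERT, "2001:db8::53"),
        ("good cert, wrong IP", GOOD_CERT, "192.0.2.54"),
        ("DNS-only cert", DNS_ONLY_CERT, "192.0.2.53"),
    ):
        print(f"{label:28s} -> {'accept' if ip_san_matches(cert, ip) else 'reject'}")
```

The explicit check is spelled out so the comparison rule is visible. In practice, CPython 3.7 and later let OpenSSL do the same iPAddress comparison during the handshake: keep `check_hostname = True` and pass the literal address as `server_hostname` to `wrap_socket()`. Either way the trust anchor is still a CA the client already trusts; the IP SAN only replaces the ADN as the reference identifier, it does not remove the need for a validated chain or an SPKI pin.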