Vladimír Čunát <vladimir.cunat+i...@nic.cz> writes:
> You can still multiplex based on SNI sent by the client. HTTPS clients
> surely send it commonly. DoT clients perhaps not so often, but that's
> just an implementation detail (which I was fixing in the past few weeks
> in knot-resolver, incidentally).

My understanding of the reference to BCP195 from
https://tools.ietf.org/html/rfc7858#section-3.2 is that SNI support is
required for all DoT implementations.

> I'm not sure how easy SNI-based multiplexing is to configure with
> nowadays software, but I believe I've heard of some such setup with
> nginx. And I don't have any idea whether SNI encryption would interfere
> with that, but I hope not. ESNI will be a key part of DNS privacy,
> though mainly for the non-DNS traffic.

It's simple to do with haproxy at least:
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

...which incidentally also can be used to support DoT with *any* DNS
server as backend.

Bjørn

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
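An haproxy configuration showing both points made above, added here as an example that is not from the thread or from the linked haproxy article: SNI-based routing of a shared TLS port without decrypting it, and TLS termination in front of a plain port-53 resolver so that any DNS server can sit behind DoT. The hostname dns.example.net, the certificate path and the backend addresses are assumptions.

```haproxy
# Added example; hostnames, certificate path and addresses are assumed.
defaults
    mode    tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) SNI multiplexing: haproxy reads only the ClientHello and routes on
#    the server name. The TLS session is NOT decrypted here, so each
#    backend must terminate TLS with its own certificate.
frontend tls_mux
    bind :443
    # hold the connection until a full ClientHello has arrived
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # DoT clients naming the resolver go to the DoT server; anything
    # else, including a ClientHello with no SNI at all, stays HTTPS
    use_backend dot_passthrough if { req.ssl_sni -i dns.example.net }
    default_backend https_web

backend https_web
    server web1 192.0.2.10:443

# a DoT-capable resolver that terminates TLS itself
backend dot_passthrough
    server dot1 192.0.2.20:853

# 2) TLS termination: clients speak DoT to haproxy on 853, haproxy speaks
#    plain DNS over TCP to the resolver on 53. RFC 7858 reuses the TCP
#    two-byte length framing, so no protocol translation is needed.
frontend dot_terminate
    bind :853 ssl crt /etc/haproxy/certs/dns.example.net.pem
    default_backend dns_tcp

backend dns_tcp
    option tcp-check
    server resolver1 127.0.0.1:53 check
```

Note that case 1 relies on the cleartext SNI field, which is exactly what ESNI would hide from an on-path observer, and case 2 sends unencrypted DNS between haproxy and the resolver, so that hop should stay on the same host or a trusted network.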