Bjørn Mork <bj...@mork.no> wrote:
>
> My understanding of the reference to BCP195 from
> https://tools.ietf.org/html/rfc7858#section-3.2
> is that SNI support is required for all DoT implementations.
>
> It's simple to do with haproxy at least:
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
>
> ...which incidentally also can be used to support DoT with *any* DNS
> server as backend.

I'm using nginx as my DoT and DoH front-end proxy
(https://github.com/fanf2/doh101/) and it looks
like I need to add ssl_preread support to get the SNI
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
I'm only really interested in logging it to see what the clients think
they are talking to - they are almost all Androids doing opportunistic
DoT.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Bailey: Southwest becoming cyclonic, mainly south 5 to 7, occasionally gale 8.
High becoming rough or very rough. Occasional rain. Moderate or poor.
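The ssl_preread approach mentioned above, as an added example (not code from the thread or from the doh101 repository): an nginx `stream` server that sits in front of a DoT backend, reads the ClientHello without terminating TLS, and logs the SNI the client sent. The backend address `127.0.0.1:8853`, the hostname `dns.example.net` and the log path are assumptions for illustration.

```nginx
# Added example: log the SNI that DoT clients send, using
# ngx_stream_ssl_preread_module. The front listener does NOT terminate TLS;
# the raw TLS bytes are passed to a backend that does (assumed 127.0.0.1:8853).
stream {
    # Log format with the SNI and TLS version taken from the ClientHello.
    # $ssl_preread_server_name is empty when the client sent no SNI
    # (e.g. some opportunistic clients connecting by IP address only).
    log_format dot_sni '$remote_addr [$time_local] '
                       'sni="$ssl_preread_server_name" '
                       'tls=$ssl_preread_protocol '
                       'alpn="$ssl_preread_alpn_protocols" '
                       'status=$status bytes_sent=$bytes_sent';

    # Route on SNI (hypothetical hostname); unknown or empty SNI still goes
    # to the default backend so opportunistic clients are not broken.
    map $ssl_preread_server_name $dot_backend {
        dns.example.net  127.0.0.1:8853;
        default          127.0.0.1:8853;
    }

    server {
        listen 853;        # no "ssl" here: preread needs the unencrypted ClientHello
        listen [::]:853;

        ssl_preread on;
        preread_timeout 10s;   # drop clients that never send a ClientHello

        proxy_pass $dot_backend;
        access_log /var/log/nginx/dot_sni.log dot_sni;
    }
}
```

The TLS-terminating backend (another nginx `stream` server with `listen 8853 ssl;`, or the DNS server itself if it speaks DoT) is where certificates and ciphers are configured; the preread listener only inspects and forwards. If nginx terminates TLS on the listener directly, there is no ClientHello left to preread, but the stream ssl module exposes the same value as `$ssl_server_name`, which can be logged the same way.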
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop