In article <6b112b6b-a8b3-46ea-8de9-8a0535a7b...@icann.org> you write:
> Title : DNS Resolver Information Self-publication
> Authors : Puneet Sood
> Roy Arends
> Paul Hoffman
> Filename : draft-sah-resolver-information-00.txt
> Pages : 9
> Date : 2019-04-30
Having now read it, I sympathize with its goals, but it's two separate things lashed together. One is sort of the 21st century version of the old CH version.bind hack: ask the server a special funky question and it tells you about itself. The other is a well-known URL on a web server at the same IP address as the DNS cache.

Both have issues -- the DNS approach is a dns-camel hack and there's no obvious way to sign or secure it. The web page is straightforward, give or take practical issues of running a web server on the same IP as a DNS cache, and that getting a signed SSL certificate for an IP can be from moderately to extremely painful depending on your budget, the difficulty of doing an OV validation on your organization, and your relationship with the RIR contact for your IP address.

I believe that DoT and DoH have the same certificate issues as the web server. I suppose you could find your DoH server by name, but if you can do that, you could equally well find your DoT or .well-known server by name and define the problem out of existence.

My inclination would be to put this on hold and advance the web server part if ACME adds a way to do IP address certs. I don't see any reason to prefer DoH or DoT over .well-known, since it uses the same TLS channel and has a much simpler encoding of the content.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
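The "CH version.bind hack" referred to above, shown as an added example that is not part of the post or the draft: a wire-format builder for the `version.bind CH TXT` query and a parser for the TXT answer, run here against a constructed sample response rather than a live resolver. The response is unsigned; nothing in the exchange lets the client authenticate what it gets back, which is the point made above about securing the DNS variant.

```python
import struct

QTYPE_TXT = 16   # RR type TXT
QCLASS_CH = 3    # CHAOS class, where version.bind lives

def build_chaos_txt_query(name="version.bind", txid=0x1234):
    """Build a wire-format DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def parse_chaos_txt(msg, expected_txid=None):
    """Return the TXT strings from CH TXT answers in a response. Only the transaction ID
    is checked: there is no signature, so a matching reply could come from anyone on-path."""
    def skip_name(off):
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return off + 2
            off += 1 + length
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        off = skip_name(off) + 4
    strings = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < rdlen:               # TXT RDATA is a sequence of <len><bytes> strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return strings

# Constructed sample response (not captured from any real server): same txid, QR/RD/RA
# flags, the question echoed, one TXT answer whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 16) + b"\x0fexample-9.99.99"
)
```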