On 5/2/19 10:59 PM, John Levine wrote:
> I believe that DoT and DoH have the same certificate issues as the web
> server.  I suppose you could find your DoH server by name, but if you
> can do that, you could equally well find your DoT or .well-known
> server by name and define the problem out of existence.

I think it's best to verify by name, even if the DNS server is reached
through a hard-configured IP.  That's what we implemented for Knot
Resolver, at least.  On a related note, I'd also expect to send the name
as SNI by default; 8.8.8.8 was not even sending me a certificate unless
I sent SNI (only when using TLS 1.3 though).

--Vladimir
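The configuration the message above describes, as an added example that is not part of the thread and not Knot Resolver's code: a DoT upstream is dialled by a hard-configured IP, but the certificate is verified against the configured name and that name is sent as SNI. The name matching helper follows the getpeercert() dictionary layout of Python's ssl module; the sample certificate, the name "dns.example" and the address 192.0.2.53 are constructed for illustration.

```python
"""Verify a DoT upstream by name while dialling it by IP, and send SNI.

Added example, not Knot Resolver's implementation.  The sample certificate
below is a constructed dict in ssl.SSLSocket.getpeercert() layout.
"""
import socket
import ssl


def dns_name_matches(hostname: str, cert: dict) -> bool:
    """Return True if `hostname` matches a DNS subjectAltName in `cert`.

    A wildcard is accepted only as the whole left-most label and only when
    at least two labels follow it (the RFC 6125 rule).  An IP literal never
    matches a DNS entry, which is why "verifying by IP" is not an option
    when the server's certificate only carries DNS names.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san_labels = value.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        first, rest = san_labels[0], san_labels[1:]
        if rest != host_labels[1:]:
            continue
        if (first == "*" and len(san_labels) >= 3) or first == host_labels[0]:
            return True
    return False


def dot_context(authority: str) -> ssl.SSLContext:
    """TLS context for a DoT upstream identified by `authority` (a name).

    create_default_context() already requires a certificate and enables
    hostname checking; both are restated here so the policy is explicit.
    The name itself is supplied per connection as server_hostname.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_dot(ip: str, authority: str, port: int = 853, timeout: float = 5.0):
    """Dial the upstream by IP but authenticate it by `authority`.

    server_hostname does double duty in the ssl module: it is placed in the
    SNI extension on the wire and it is the name the peer certificate is
    verified against, so a server that only presents a certificate when SNI
    is sent (the 8.8.8.8 observation above) is handled as well.
    """
    ctx = dot_context(authority)
    raw = socket.create_connection((ip, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=authority)


# Constructed certificate in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "dns.example"),),),
    "subjectAltName": (("DNS", "dns.example"), ("DNS", "*.dns.example")),
}


if __name__ == "__main__":
    # Offline demonstration of the name check; no network access needed.
    for name in ("dns.example", "a.dns.example", "b.a.dns.example", "192.0.2.53"):
        print(f"{name:>18}: {dns_name_matches(name, SAMPLE_CERT)}")
    # connect_dot("192.0.2.53", "dns.example") would dial the constructed IP
    # and refuse the session unless the certificate matches "dns.example".
```

The point of separating the dial address from the verification name is that the IP is only routing information: the authentication anchor is the configured name, so a rogue host at the same address cannot present a certificate for some other name and still be accepted.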

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
