> server. I suppose you could find your DoH server by name, but if you can do that, you could equally well find your DoT or .well-known server by name and define the problem out of existence.
>
> I think it's best to verify by name, even if the DNS server is reached through a hard-configured IP. That's what we implemented for Knot Resolver, at least. On a related note, I'd also expect to send the name as SNI by default; 8.8.8.8 was not even sending me a certificate unless I sent SNI (only when using TLS 1.3 though).
When I said verify by name I meant by DNS name, so the certs can be signed by the existing ACME protocol or whatever.
Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly
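The practice discussed in the exchange above (reach the resolver by a hard-configured IP, send the configured DNS name as SNI, and verify the certificate against that name), as an added Python example that is not code from the thread or from Knot Resolver. The address 8.8.8.8 is the one mentioned in the thread; the authentication name dns.google is an assumption standing in for whatever name an operator configures alongside the IP.

```python
import socket
import ssl
import struct

# Added example (not from the thread or from Knot Resolver). The resolver is
# reached by a hard-configured IP, but the TLS certificate is verified against
# a configured DNS name, and that same name is sent as SNI.
DOT_PORT = 853            # DNS over TLS, RFC 7858
RESOLVER_IP = "8.8.8.8"   # address mentioned in the thread
AUTH_NAME = "dns.google"  # assumed authentication name the operator configures


def make_context():
    """TLS client context: system trust store, certificate required,
    and name (SAN) checking turned on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def wrap_with_sni(ctx, sock, auth_name):
    """Wrap a socket so the handshake sends auth_name as SNI and verifies the
    certificate against it, independent of the IP the socket connects to.
    The ssl module refuses (ValueError) when check_hostname is on and no name
    is supplied, so "just connect to the IP" cannot silently skip the check."""
    return ctx.wrap_socket(sock, server_hostname=auth_name,
                           do_handshake_on_connect=False)


def sni_name_for(ctx, auth_name):
    """Offline check on a throwaway, unconnected socket: report which name the
    handshake would send as SNI, or None if the context refuses."""
    sock = socket.socket()
    try:
        tls = wrap_with_sni(ctx, sock, auth_name)
    except ValueError:
        sock.close()
        return None
    name = tls.server_hostname
    tls.close()
    return name


def build_query(qname, qid=0x1234):
    """Minimal DNS A/IN query in wire format, with the 2-byte length prefix
    that DNS over TCP/TLS requires (RFC 1035 section 4.2.2)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # root, QTYPE=A, QCLASS=IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes from the TLS socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def dot_query(qname, ip=RESOLVER_IP, auth_name=AUTH_NAME, port=DOT_PORT, timeout=5.0):
    """Connect by IP, authenticate by name, return the raw DNS response.
    Needs network access; a certificate that does not carry auth_name makes
    do_handshake() raise ssl.SSLCertVerificationError."""
    ctx = make_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with wrap_with_sni(ctx, raw, auth_name) as tls:
            tls.do_handshake()
            tls.sendall(build_query(qname))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)


if __name__ == "__main__":
    print("SNI name sent:", sni_name_for(make_context(), AUTH_NAME))
    print("No name configured ->", sni_name_for(make_context(), None))
    print("Response bytes:", len(dot_query("example.com")))
```

Passing the IP literal itself as `server_hostname` would not help: the ssl module does not send SNI for an IP address, and the certificate would then have to carry that IP in a SAN. Keeping the name and the address as two separate configuration items is what makes the certificate verifiable by the existing ACME-issued, name-based certificates the thread refers to.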
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop