Certificates for DoT and DoH?
bjorn at mork.no
Tue Mar 1 07:28:22 UTC 2022
John Todd <jtodd at quad9.net> writes:
> To validate that the addresses were “ours” or at least under our
> control, there were still some hoops to jump through other than the
> standard validation of registry data. For example, we had to activate
> web servers and objects on our anycast network to answer specific
> queries during some of the check processes.
> TL;DR: Digicert is still the only player for v6 signing, and it will
> not be entirely hands-free to manage but also not overly difficult.
Thanks a lot! This is incredibly useful.
Yes, we are sort of prepared for the web server hoops. Not trivial since
our addresses aren't normally reachable from the Internet, even if they
are public and advertised. We are only providing AS internal DNS
resolver service. Dropping outside traffic is an easy way to add some
protection. But that's just one more hoop.
The technical challenges are nothing anyway. Getting permission from
sourcing to buy something from a new partner will be far worse... So I
will go another round with our existing partners first.