Certificates for DoT and DoH?

David Guo david at xtom.com
Tue Mar 1 11:08:23 UTC 2022

>> Sorry if I'm slow, but isn't that a chicken-and-egg problem?

Normal DoT/DoH clients have a bootstrap DNS setting; you always need to set a bootstrap DNS server to resolve the DoT/DoH domains, so this is not a problem.

-----Original Message-----
From: Bjørn Mork <bjorn at mork.no> 
Sent: Tuesday, March 1, 2022 3:57 AM
To: David Guo <david at xtom.com>
Cc: nanog at nanog.org
Subject: Re: Certificates for DoT and DoH?

David Guo <david at xtom.com> writes:

> You don't need a certificate for your IP address if your DoT and DoH 
> use domains.

Sorry if I'm slow, but isn't that a chicken-and-egg problem?

We're going to provide this as an add-on to our standard ISP resolver service.  Most clients will pick up the addresses from DHCP/DHCPv6.
Very few are configuring DNS resolvers manually, and those who do are using other providers.  Like you :-)

> For certificates with IPv4 address, we use ZeroSSL / GoGetSSL, both 
> are SubCA with Sectigo, which works fine.

Thanks.  That's interesting. I didn't know ZeroSSL offered this.  And GoGetSSL has better docs than most.

But we can't run a resolver service without IPv6 in 2022.  Did you ever get any explanation of this restriction?  Shouldn't be much harder/different to validate an IPv6 address if you can validate an IPv4 address.

> For IPv6 address, we used Digicert but it's too expensive, so we give 
> up ☹

Hard to claim it's too expensive if no one else thinks it's worth offering a similar service...

> Our DoT/DoH service is https://dns.sb/

Nice.  Good to have more examples to look at.
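As an added example that is not from this thread or from any resolver operator: the client-side rule behind the chicken-and-egg point above, in stdlib-only Python. A resolver learned as an IP address (from DHCP) can only be authenticated by an iPAddress SAN, while a resolver configured by name needs a dNSName SAN plus a bootstrap resolver IP before it can be reached at all. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and all function names are hypothetical.

```python
import ipaddress
from typing import Optional

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns; they are not the certificates of any real resolver operator.
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "dot.example.net"),
                                    ("DNS", "*.example.net"))}
CERT_WITH_IPS = {"subjectAltName": (("DNS", "dot.example.net"),
                                    ("IP Address", "192.0.2.53"),
                                    ("IP Address", "2001:DB8:0:0:0:0:0:53"))}

def _parse_ip(text: str):
    """Return an ip_address for an IP literal (optional [] brackets), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def endpoint_matches_cert(endpoint: str, cert: dict) -> bool:
    """True if the configured resolver endpoint is covered by a SAN of the right type."""
    sans = cert.get("subjectAltName", ())
    ip = _parse_ip(endpoint)
    if ip is not None:
        # IP literal (the DHCP-learned resolver case): only iPAddress SANs count.
        # Compare parsed addresses so IPv6 zero compression and hex case do not matter.
        return any(kind == "IP Address" and _parse_ip(val) == ip for kind, val in sans)
    # Hostname (the bootstrap case): only dNSName SANs count; the CN is ignored.
    return any(kind == "DNS" and _match_dns(val, endpoint) for kind, val in sans)

def check_resolver_config(endpoint: str, bootstrap_ip: Optional[str], cert: dict) -> str:
    """Return 'ok' or the reason this DoT/DoH configuration cannot be authenticated."""
    if _parse_ip(endpoint) is None and bootstrap_ip is None:
        return "hostname endpoint needs a bootstrap resolver IP to be resolved"
    if not endpoint_matches_cert(endpoint, cert):
        return "certificate has no SAN covering " + endpoint
    return "ok"
```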
