Certificates for DoT and DoH?
david at xtom.com
Tue Mar 1 11:08:23 UTC 2022
>> Sorry if I'm slow, but isn't that a chicken-and-egg problem?
Normal DoT/DoH problem has bootstrap DNS setting, you always need to set a bootstrap DNS server to resolve the DoT/DoH domains, so this is not a problem.
From: Bjørn Mork <bjorn at mork.no>
Sent: Tuesday, March 1, 2022 3:57 AM
To: David Guo <david at xtom.com>
Cc: nanog at nanog.org
Subject: Re: Certificates for DoT and DoH?
David Guo <david at xtom.com> writes:
> You don't need a certificate for your IP address if your DoT and DoH
> use domains.
Sorry if I'm slow, but isn't that a chicken-and-egg problem?
We're going to provide this as an add-on to our standard ISP resolver service. Most clients will pick up the addresses from DHCP/DHCPv6.
Very few are configuring DNS resolvers manually, and those who do are using other providers. Like you :-)
> For certificates with IPv4 address, we use ZeroSSL / GoGetSSL, both
> are SubCA with Sectigo, which works fine.
Thanks. That's interesting. I didn't know ZeroSSL offered this. And GoGetSSL has better docs than most.
But we can't run a resolver service without IPv6 in 2022. Did you ever get any explanation of this restriction? Shouldn't be much harder/different to validate an IPv6 address if you can validate an IPv4 address.
> For IPv6 address, we used Digicert but it's too expensive, so we give
> up ☹
Hard to claim it's too expensive if no one else thinks it's worth offering a similar service...
> Our DoT/DoH service is https://dns.sb/
Nice. Good to have more examples to look at.
More information about the NANOG