In article <20190502205938.60498201340...@ary.qy>, John Levine <jo...@taugh.com> wrote:

>My inclination would be to put this on hold and advance the web server
>part if ACME adds a way to do IP address certs. I don't see any
>reason to prefer DoH or DoT over .well-known, since it uses the same TLS
>channel and has a much simpler encoding of the content.
Here's a further thought. After poking at a bunch of public DoT servers including 1.1.1.1, 8.8.4.4, 8.8.8.8, 9.9.9.9 and lesser known ones like 89.233.43.71, I find that most of them return a signed cert for a name that resolves to the appropriate IP. If you think there is likely to be a critical mass of clients that find their DoT or DoH server by name, or that have external knowledge of what the name should be for a server found by IP, it could make sense to advance the .well-known part, with a security note that you only get the validation part of TLS if you know the name or you're in the elite few who can get a signed IP address certificate.

This could still work for servers on private IPs, since it's not hard to get a signed certificate for a public name that doesn't resolve to a public IP. (The public name doesn't even have to be in the DNS other than for two minutes while the signer checks it.)

I still think that the new RR with funky names is a bad idea, a lot of complexity that offers the same info that .well-known does.

R's,
John

-- 
Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
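The distinction John draws above (a cert that names the IP itself, versus one that names a hostname which merely resolves back to that IP) is what a DoT/DoH client has to decide when it was configured with nothing but an address. The following is an added illustration, not code from this thread or from any DNSOP draft: it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and classifies how, if at all, the connection can be authenticated. The two sample certificates, the addresses 192.0.2.53 and 198.51.100.7, and the name `dot.example.net` are all constructed for the example; `fetch_cert()` is an optional live probe that validates the chain but skips the hostname check so the SAN list can be inspected, and is not exercised by the offline samples.

```python
"""Classify how a DoT/DoH server's certificate can be validated when the
client knows only the server's IP address (added example, not from the thread)."""
import ipaddress
import socket
import ssl

# Constructed sample: server reached at 192.0.2.53, cert names only a hostname.
NAME_ONLY_CERT = {
    "subject": ((("commonName", "dot.example.net"),),),
    "subjectAltName": (("DNS", "dot.example.net"), ("DNS", "*.dot.example.net")),
}
# Constructed sample: same server, but the cert also carries an IP-address SAN.
IP_SAN_CERT = {
    "subject": ((("commonName", "dot.example.net"),),),
    "subjectAltName": (("DNS", "dot.example.net"), ("IP Address", "192.0.2.53")),
}


def san_entries(cert):
    """Split the subjectAltName tuples into DNS names and IP addresses."""
    san = cert.get("subjectAltName", ())
    dns = [v for (k, v) in san if k == "DNS"]
    ips = [v for (k, v) in san if k == "IP Address"]
    return dns, ips


def dns_name_matches(pattern, name):
    """RFC 6125-style match: a wildcard is allowed only as the whole left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, nlabels = pattern.split(".")[1:], name.split(".")
        return len(nlabels) == len(plabels) + 1 and nlabels[1:] == plabels
    return pattern == name


def classify(cert, server_ip, expected_name=None, resolve=socket.gethostbyname):
    """Return how the certificate can authenticate a connection made to server_ip.

    'ip-san'               cert names the address itself: authenticated by IP alone
    'name-known'           cert names a hostname the client knew out of band
    'name-resolves-to-ip'  cert hostname resolves back to the IP, but the client
                           could only use that by trusting an unauthenticated lookup
    'unverifiable'         nothing ties the cert to this address
    """
    dns, ips = san_entries(cert)
    ip = ipaddress.ip_address(server_ip)
    for v in ips:
        try:
            if ipaddress.ip_address(v) == ip:
                return "ip-san"
        except ValueError:
            continue
    if expected_name and any(dns_name_matches(p, expected_name) for p in dns):
        return "name-known"
    for n in dns:
        if n.startswith("*."):
            continue  # a wildcard cannot be resolved
        try:
            if ipaddress.ip_address(resolve(n)) == ip:
                return "name-resolves-to-ip"
        except (OSError, ValueError, LookupError):
            pass
    return "unverifiable"


def fetch_cert(server_ip, port=853, timeout=5.0):
    """Live probe (not used by the offline samples): validate the chain against the
    system CA store but skip the hostname check, so the SAN list of a server known
    only by IP can still be inspected and handed to classify()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # we have no name to check against
    ctx.verify_mode = ssl.CERT_REQUIRED    # the chain must still be trusted
    with socket.create_connection((server_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    fake_dns = {"dot.example.net": "192.0.2.53"}  # constructed resolver answers
    for label, cert in (("name-only", NAME_ONLY_CERT), ("ip-san", IP_SAN_CERT)):
        print(label, classify(cert, "192.0.2.53", resolve=fake_dns.__getitem__))
```

The `resolve` parameter exists so the classification can be run against recorded answers instead of live DNS; with the default resolver the "name-resolves-to-ip" case reproduces what John observed on the public resolvers, and the result string makes explicit that this case is an observation about the cert, not an authentication of the connection.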